Security in information technology is more critical today than it ever has been. Breaches are unfortunately all too common. As an APEX developer, securing your applications falls squarely on your shoulders. However, often times security becomes an afterthought; if it gets addressed at all. For this reason, we developed eSERT. eSERT is an APEX application that quickly evaluates your APEX applications for common security vulnerabilities and provides step-by-step instructions on how to mitigate them. eSERT is not just an evaluation tool, but it’s also designed to be used by your developers during your development process, as it has complete integration with the APEX development environment. Whether you have a single APEX application or hundreds of them, eSERT can help ensure you that they are as secure as they can possibly be.

1. Enkitec eSERT v2
Scott Spendolini
Executive Director, Enkitec
1

2. WELCOME
2

3. About Enkitec
 Oracle Platinum Partner
 Established in 2004
 Headquartered in Dallas, TX
 Locations throughout the US & EMEA
 Specialties include
 Exadata Implementations
 Development Services
 PL/SQL / Java / APEX
 DBA/Data Warehouse/RAC
 Business Intelligence
3

4. Sumneva Acquisition
 On June 22nd, 2012, Enkitec acquired Sumneva
 sumnevaSERT now called eSERT
 sumnevaFramework now called eFramework
 Enkitec is as committed as ever to APEX products,
services & training
 eSERT v2
 eSERT Cloud
 At least two more products for APEX developers in CY2012
4

5. Agenda
 Overview
 eSERT 2.0
 eSERT Cloud
 Summary
5

6. OVERVIEW
6

7. Insecurities
 We live in a time where the security of data is
the most emphasized yet least practiced thing
 It is almost impossible to keep up with how many
sites have been compromised anymore
 Unfortunately, adding security to our
applications is almost always
event driven or reactive
7

8. Customer Demand
 Despite this, we’re all tasked with quickly
developing applications for our customers/
clients
 Often times, we take
shortcuts and leave
out things, like security
 Not because we want to,
because we have to
8

9. Excuses, Excuses...
 We make many, many excuses to ourselves as to
why we didn’t adequately secure our
applications:
 Not enough time
 No one cares about the
data/application
 It’s “internal only”
 Our users are not smart
enough to do anything
malicious
 False sense of security
9

10. Recipe for Disaster
 Given:
 The stresses of getting our applications released quickly
 The lack of time we have to do so
 Our applications - APEX & otherwise - are likely
to have potential security vulnerabilities that
we could easily fix
 If we only knew what they were and had the time...
10

11. ESERT 2.0
11

12. eSERT 2.0
 eSERT:
Security Evaluation & Recommendation Tool
 APEX application designed to evaluate and identify
potential security issues in other APEX applications
 Supports both APEX 4.0 & 4.1
 APEX 4.2 support shortly after release
 Oracle Database 10gR2 or later
 Runs in and is integrated with
your APEX Workspace
 Single Workspace Install in eSERT 2.1
 Designed to be a part of your
development process
12

13. How it Works
 eSERT evaluates your application’s metadata for
potential security issues
 Takes only a few seconds to run
 Result is an interactive APEX application that
allows developers to easily explore and mitigate
potential threats
 Each application is scored based on eSERT’s findings
 Designed to clearly identify what needs attention
and steer developers or managers in that
direction
13

14. Classifications
 eSERT inspects APEX applications and reports on
threats in five classifications:
URL Tampering App Settings
Cross Site Scripting Page Settings
SQL Injection
14

15. Scoring
 Evaluations in eSERT will produce three scores:
 Raw
 Actual results of the evaluation
 Pending
 Raw score plus any exception - approved or not - that developers have
put in place to justify existing threats
 Approved
 Raw score plus all approved exceptions
15

16. Results
 eSERT will assign a status & color code to every
component which it evaluates:
 Pass
 Approved
 Pending
 Fail
 Rejected
 Stale
16

17. Complete Evaluation
 eSERT evaluates all components of an
application, regardless of their condition &
authorization scheme
 Nothing gets skipped
 eSERT can be pre-configured with a set of valid
values
 Which can be changed or augmented depending on your
interpretation or business needs
17

18. “Security is not a product, but
rather a process.”
18

19. Ongoing Evaluation
 eSERT allows developers to add exceptions for
false positives and acceptable risks
 All exceptions must be reviewed & approved by a
manager before the “approved” score increases
 As exceptions are logged, the value of the
attribute in question is also captured
 If this value changes at any time, the exception will be
instantly flagged as “stale” and require re-approval
19

20. Without eSERT
 Correcting each additional security vulnerability
may cause other functional issues
 Thus, a high number of vulnerabilities corrected at once
will yield more functional defects
Vulnerabilities
Time
2007 2008 2009 Untitled 1
Untitled 2
20

21. With eSERT
 Using eSERT to keep security vulnerabilities to a
minimum reduces the number of functional
defects introduced
Vulnerabilities
Time
2007 2009 Untitled 1
21

22. New Features Summary
Feature Version 2.0 (APEX 4.0) Version 2.1 (APEX 4.1)
Exceptions & Notations ✓ ✓
Social Stream ✓ ✓
Enhanced UI ✓ ✓
PDF Reports ✓ ✓
Import/Export ✓ ✓
Scheduled Evaluations ✓
Single Workspace Install ✓
SaaS (eSERT Cloud) Cloud Only
22

23. ESERT V2
D E M O N S T R A T I O N
23

24. ESERT CLOUD
24

25. eSERT Cloud
 eSERT cloud is a affordable hosted service where
anyone can upload their APEX applications and
get an instant security evaluation via eSERT
 Interactive Dashboard with summary results
 PDF Summary Report (typically 100+ pages)
25

26. How it Works - 5 Simple Steps
1) Create an account at http://enkitec.com/sert
2) Request a workspace to upload your APEX
applications into
3) Purchase evaluation credits
(1 credit = 1 application evaluation)
4) Select an application to evaluate
5) View and/or download the results
26

27. ESERT CLOUD
D E M O N S T R A T I O N
27

28. SUMMARY
28

29. Summary
 eSERT provides you with the ability to easily and
quickly identify and remedy most APEX security
vulnerabilities
 Its designed to be used both during and after
development, not as a checkpoint at the end
 As a side-effect, your developers will become more
security-conscious by using eSERT and incorporate secure
best practices by default
29

30. Customers Across All Industries
 Private Sector  Public Sector
 Multi-Channel Retailer  Intelligence Agency
 Massive application with Over 300  Over 100 internal applications
Concurrent Users
 Local Government
 Major Defense Contractor
 Internal Applications
 Hundreds of applications
 Civilian Agency
 Major Healthcare Provider
 Internet Facing
 Infrastructure Management e-Commerce Application
 Higher Education  DOD Agency
 Logistical Reports & Info
 Multiple Major Universities
 Access to student & research
information
30

31. Statement of Direction
 Version 2.2 - Q4 2012
 APEX 4.2 Support
 Based on actual release date
 Additional Reports & Analytics
 Scheduled Evaluation Enhancements
 Team Development Integration
31

32. Licensing
 eSERT
 Per Instance of APEX
 Per APEX Workspace
 Per APEX Application
 eSERT Cloud
 Per Evaluation of an Application
 Volume discounts available
32

33. Want More Details?
 Contact us for details & pricing
 sales@enkitec.com
 Americas
 +1 972 607 3751
 EMEA
 +44 7944 654510
 http://www.enkitec.com/sert
33

34. http://www.enkitec.com
34