Friday, January 27, 2017

APEX application passed Ministry of Health security check

One of the APEX applications I am working on just passed the government security audit with flying colors. It is a portal where cardholders can check their medical claims history, payments, etc. The database holds the cardholders' personal information, addresses, dates of birth and claims history.

Needless to say, it must pass the government security check before they let you open it up to the public. The last thing they want is to be on the 6:30 headline news like Yahoo 😅

Here is what I have done.

In the worst-case scenario, whoever gets hold of the login data would still need years to brute-force the passwords.

Our application has 200+ pages. The first time I ran APEX-SERT, OMG, I was SHOCKED. There were over 2000 actionable items to fix. It took me over a week to clean up all the mess.

Any result set with more than one row is displayed via an Interactive Report or a Classic Report. Users can add filters via the built-in UI; I don't take parameters directly. By design, I am pretty much immune to this problem.

On the first test our score was a C, not good. We fixed the following and ended up with an A 😃
  1. Reissue the SHA1 certificate with SHA256
  2. Update Java to JDK7 with UnlimitedJCEPolicyJDK7
  3. Update Tomcat to v7 and customize server.xml
There are probably a few more minor items, but I can't recall them now.


Just want to say a big thank you to
Oracle APEX team
APEX-SERT team
Defuse Security, who wrote the salted password article
Qualys SSL Labs for their free SSL test site
