Needless to say, it must passed government security check before they let you open it up to the public. The last thing they want is on the 630 headline news like yahoo 😅
Here is want I have done.
In the worst case scenario, whoever has the login data still need year over year to brute-force the password.
2. APEX-SERT
Our application has 200+ pages, the first time I ran APEX-SERT, OMG, I was SHOCKED. There are over 2000 actionable items to fix. It took me over a week to clean up all the mess.
All records more than one rows are displayed via Interactive report or classic report. They can add filters via the build-in UI, I don't take parameters directly. By design, I am pretty much immune from this problem.
First test our score was C, not good. We fixed the followings and end up with an A 😃
- Reissue the SHA1 certificate with SHA256
- Update java to JDK7 with UnlimitedJCEPolicyJDK7
- Update tomcat to v7 and customize the server.xml
There are probably a few more minor items but I can't recall now.
Just want to say big thank you to
Oracle APEX team
APEX-SERT team
Defuse security who wrote the salted password article
QUALYS SSL Labs for their free SSL test site
No comments:
Post a Comment