Security Vulnerabilities in Oracle HTML DB

Oracle’s rapid development web application tool HTML DB (recently renamed Application Express) seems to be a perennial topic for my IT team.

Oracle offers this description of the capabilities of HTML DB:

Using only a web browser and limited programming experience, you can develop and deploy professional-looking applications that are both fast and secure.

What Oracle doesn’t mention in that description is that you can easily expose more than you intended to. As with any application that exposes your data, security and best practices need to be the main focus.

Burleson Consulting has provided a good outline of many of the pitfalls of HTML DB. These kinds of vulnerabilities are common on web servers in general, but what the document highlights is that Oracle has not tied up all the loose ends for you.

It’s clear that HTML DB/Application Express is not something to be entered into lightly. If set up carefully, it can actually improve security by reducing the number of access points to your data. But to get to that point without making the kind of mistake that lands your name in the paper, you need to be ready to address database security, network security, web security and user education. A passing familiarity with how Oracle typically does things wouldn’t hurt either.

Check out Burleson Consulting’s article on HTML DB vulnerabilities for more info.


Cube Farm – The Song

For those who slave away in a cube farm, this song’s for you.

My Cubicle
Lyrics by: Morning Sidekick
Performed by: Jym Britton
Parody on You’re Beautiful by James Blunt

My Cubicle
My cubicle
It’s One of Sixty-two
It’s small space
In a crowded place
Just a six-by-six foot booth
And I hate it that’s the truth

Thanks to my former cubemate Dee for sending the song to me.