Oracle’s rapid development web application tool HTML DB (recently renamed to Application Express) seems to be a perennial topic for my IT team.
Oracle offers this description of the capabilities of HTML DB:
Using only a web browser and limited programming experience, you can develop and deploy professional-looking applications that are both fast and secure.
What Oracle doesn’t mention in that description is that you can just as easily expose more than you intended to. As with any application that exposes your data, security and best practices should be the main focus.
Burleson Consulting has provided a great outline of many of the pitfalls of HTML DB. These vulnerabilities are common on web servers, but what this document highlights is that Oracle has not tied up all the loose ends for you.
It’s clear that HTML DB/Application Express is not something to be entered into lightly. If set up carefully, it can actually increase security by reducing the number of access points to your data, but to get to that point without making the kind of mistake that lands your name in the paper, you need to be ready to address database security, network security, web security and user education. Of course, a passing familiarity with how Oracle typically does things wouldn’t hurt either.
Check out Burleson Consulting’s article on HTML DB vulnerabilities for more info.