Securing applications with APEX Project Eye (APE) and APEX-SERT

Tuesday, January 13, 2026

Security matters, obviously.

Security is one of the most critical aspects of any web application. As low-code development continues to accelerate application delivery, making sure that security best practices are followed can fade into the background behind delivery speed and convenience. That’s where the Quality Assurance module of APE comes in! It contains a set of United Codes security checks, as well as all the APEX-SERT rules, which can help you identify potential security vulnerabilities early in the development cycle.


With APE and APEX-SERT, you can evaluate selected APEX applications on many topics, including Authentication, Authorization, SQL Injection, Cross-Site Scripting (XSS), URL Tampering, and many more. And if you have specific requirements, you can even write your own rules, too!


In this post, we’ll explore how to set up APE to run Quality Assessments, which can significantly enhance the resilience and integrity of your applications.


Quality Rules

The Quality Assurance feature in APE empowers development teams to systematically ensure application quality and adherence to best practices. This comprehensive toolset helps organizations implement and enforce consistent standards across their APEX applications, resulting in more maintainable, reliable, and high-quality software. Quality Rules are based on SQL queries and classified into different categories, such as 'Best practice', 'Consistency', and 'Performance'. But we'll focus on 'Security'.


Important: To use the APEX-SERT rules, you must purchase an APE license.




Each rule has a detailed overview of the SQL query being used, as well as additional info on justification and how to fix the issue.



Quality Standards


With all the rules in place, you can create Quality Standards, which are basically groups of rules. If you don't want specific rules to be checked during a Quality Assessment, you have the option to disable them here.



Quality Assessments


To scan your application(s), you need a Quality Assessment. The process is easy with just 3 simple steps:


1. Define scope: Select the workspace, database schema, application(s), or even specific pages or page groups.

2. Select one or more standards.

3. Run the assessment.


After the assessment has completed, you get a detailed overview of all the potential vulnerabilities. In the overview on the left, you can browse issues by rule, component, or severity.




At this point, we can see that there are issues with our application. For example, there are a few Page Processes without an Authorization Scheme, which is a risk because they can be called directly using a URL. For each issue, more details are available, and you can quickly go to the specific component by clicking the 'Fix' icon.
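The check behind this finding can be reproduced directly against the APEX dictionary views. This is an added example, not a rule shipped with APE or APEX-SERT; it assumes the public APEX_APPLICATION_PAGE_PROC and APEX_APPLICATION_PAGES views, a session in a schema assigned to the workspace, and uses the constructed application id 100. The page-level scheme is shown alongside so a reviewer can tell a process that is open entirely from one that only relies on its page.

```sql
-- Added example: page processes with no Authorization Scheme of their own.
-- Application id 100 is a constructed sample value; replace it with yours.
-- The severity labels are this example's own triage heuristic, not APE's.
SELECT p.application_id,
       p.page_id,
       pg.page_name,
       p.process_name,
       p.process_point,
       p.process_type,
       pg.authorization_scheme AS page_authorization_scheme,
       CASE
         WHEN pg.authorization_scheme IS NULL
           THEN 'High'    -- neither the page nor the process is protected
         ELSE 'Medium'    -- page is protected, process relies on it
       END AS severity
  FROM apex_application_page_proc p
  JOIN apex_application_pages pg
    ON pg.application_id = p.application_id
   AND pg.page_id        = p.page_id
 WHERE p.application_id = 100
   AND p.authorization_scheme IS NULL
 ORDER BY severity, p.page_id, p.process_name;
```

Rows labelled 'High' are the ones to fix first; 'Medium' rows still deserve a look, because a process that only inherits protection from its page breaks silently if that page's scheme is later relaxed.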



Another example would be Duplicate Page Submissions. It's a good practice to disable this for DML pages, so that the same page cannot be submitted more than once. For other pages, this might be less important, but those pages still show up in the list with issues. You can easily add an exception for these pages, which will mark the result as excluded in the current assessment. In the next run, the component will not be included in the assessment at all for the selected rule.


With APEX-SERT and our own United Codes rules combined, there are more than 130 security rules available in APE. It's a pretty extensive list!


Adding custom rules


As mentioned before, you can add your own rules too, which can be a great advantage when your application(s) require custom checks.


Let’s say we want to scan our ORDS Resource Handlers for the use of an 'auth_key' bind variable. This can be an HTTP header or a URI parameter, but it must be present in the source. We can write a custom query for this.
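One way to write that query, as an added example rather than the author's own rule: it walks the ORDS metadata views USER_ORDS_MODULES, USER_ORDS_TEMPLATES and USER_ORDS_HANDLERS of the schema that owns the REST modules and returns every handler whose source does not reference :auth_key. The result column layout APE expects from a rule is not shown on this page, so the SELECT list here is an assumption chosen for readability.

```sql
-- Added example: ORDS resource handlers whose source does not reference
-- the :auth_key bind variable (header or URI parameter, per the post).
-- View and column names are those of the ORDS USER_ORDS_* metadata views.
SELECT m.name        AS module_name,
       m.uri_prefix,
       t.uri_template,
       h.method,
       h.source_type,
       -- first 200 characters of the handler source, to speed up triage
       DBMS_LOB.SUBSTR(h.source, 200, 1) AS source_preview
  FROM user_ords_modules   m
  JOIN user_ords_templates t ON t.module_id   = m.id
  JOIN user_ords_handlers  h ON h.template_id = t.id
 WHERE h.source IS NULL                          -- no source at all: cannot contain the bind
    -- SOURCE is a CLOB; REGEXP_LIKE accepts CLOBs. The pattern requires the
    -- bind name to end there, so ":auth_key_legacy" is not counted as a pass.
    OR NOT REGEXP_LIKE(h.source, ':auth_key([^[:alnum:]_]|$)', 'i')
 ORDER BY m.name, t.uri_template, h.method;
```

Any row returned is a handler that a request can reach without the expected key being evaluated in its source, which is exactly the condition the rule is meant to flag.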



You can add the new rule to any existing Quality Standard, but for the purpose of this blog post, a new standard, 'ORDS Handlers', has been created, containing only this new rule.




Now we are ready to run the assessment!




As we can see, no issues have been found, and we're sure that each of our ORDS Handlers contains the bind variable.


Summary


With the United Codes security checks and all the APEX-SERT rules combined, APEX Project Eye is a powerful ally that can help you identify potential security vulnerabilities! And with the option to add custom rules, the possibilities are endless.


Making sure your applications are secure has never been easier!


Kevin Thyssen

Consultant

Not your average IT consultant, adventurous and fond of cycling!
