Saturday, January 30, 2016

Oracle Database 12c Features Now Available on apex.oracle.com

As a lot of people know, apex.oracle.com is the customer evaluation instance of Oracle Application Express (APEX).  It's a place where anyone on the planet can sign up for a workspace and "kick the tires" of APEX.  After a brief signup process, in a matter of minutes you have access to a slice of an Oracle Database, Oracle REST Data Services, and Oracle Application Express, all easily accessed through your Web browser.

apex.oracle.com has been running Oracle Database 12c for a while now.  But a lot of the 12c-specific developer features weren't available, simply because the database initialization parameter COMPATIBLE wasn't set to 12.0.0.0.0 or higher.  If you've ever tried to use one of these features in SQL on apex.oracle.com, you may have run into the dreaded ORA-00406.  But as of today (January 30, 2016), that's changed.  You can now make full use of the 12c-specific features on apex.oracle.com.  Even if you don't care about APEX, you can still sign up on apex.oracle.com and kick the tires of Oracle Database 12c.

What are some things you can do now on apex.oracle.com? You can use IDENTITY columns.  You can generate a default value from a sequence.  You can specify a default value for explicit NULL columns.  And much more.
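The three features just listed, combined in one table, as an added example that is not from the original post. The object names (demo_order_seq, demo_orders) and the sample rows are constructed for illustration.

```sql
-- Added example: hypothetical objects exercising the 12c features named above.
-- With COMPATIBLE below 12.0.0.0.0, the post says using such features
-- could end in ORA-00406.

CREATE SEQUENCE demo_order_seq START WITH 1000;

CREATE TABLE demo_orders (
    -- IDENTITY column: the database generates the key. GENERATED ALWAYS
    -- rejects any INSERT or UPDATE that tries to supply its own value.
    id        NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,

    -- Default value drawn from a sequence, replacing the usual
    -- BEFORE INSERT trigger.
    order_no  NUMBER DEFAULT demo_order_seq.NEXTVAL NOT NULL,

    -- DEFAULT ON NULL: the default is applied even when the INSERT
    -- passes NULL explicitly (the column is implicitly NOT NULL).
    status    VARCHAR2(10) DEFAULT ON NULL 'NEW',

    customer  VARCHAR2(100) NOT NULL
);

-- Row 1: id, order_no and status are all left to their defaults.
INSERT INTO demo_orders (customer)
VALUES ('Constructed Customer A');

-- Row 2: status is passed as an explicit NULL; DEFAULT ON NULL
-- substitutes the default instead of storing NULL.
INSERT INTO demo_orders (status, customer)
VALUES (NULL, 'Constructed Customer B');

SELECT id, order_no, status, customer
FROM   demo_orders
ORDER  BY id;

-- Clean up the demonstration objects.
DROP TABLE demo_orders PURGE;
DROP SEQUENCE demo_order_seq;
```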

You might wonder what's taken so long, and let's just say that sometimes it takes a while to move a change like this through the machinery that is Oracle.

P.S.  I've made the request to update MAX_STRING_SIZE to EXTENDED, so you can define column datatypes up to VARCHAR2(32767).  Until this is implemented, you're limited to VARCHAR2(4000).

Tuesday, January 26, 2016

Is Oracle Application Express Secure?

Is Oracle Application Express secure?  That's the question I received today, from the customer of a partner.  The customer asked:

"Do you know if Oracle or a third-party has verified how secure APEX is against threats or vulnerabilities? It would be nice to have something published saying how secure APEX is and how it’s never been compromised."

Now I imagine smart people like David Litchfield or Pete Finnigan or Alexander Kornbrust would hope that I say something daft here.  But that's not going to happen.  As I replied to the partner:

Sorry, but this doesn't make sense, and for a couple reasons:

  1. There have been published security vulnerabilities in Application Express in the Oracle Critical Patch Update, and they have been fixed in subsequent releases of APEX.  It is incorrect to say that there have never been bugs in APEX itself.  Here's an example:  http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
  2. Secondly, even if APEX never had any security bugs in its existence, if someone built an APEX application which is susceptible to SQL Injection or cross site scripting, does that mean that APEX was compromised?

The request of this customer isn't practical for any piece of software.  If something has never been compromised, does that mean it's secure?  If I find no bugs in an application written by your company, does that mean it's bug-free?

I can offer you the following:

  1. APEX 5.0.3 is the most secure version of APEX in our history.
  2. APEX 5.0.3 has more security features than any release of APEX in our history.
  3. We are never permitted to release any version of APEX with known security vulnerabilities, whether they are internally or externally filed.
  4. We routinely scan APEX itself for security vulnerabilities across a variety of threats, and do this multiple times in a release cycle.
  5. Oracle Database Cloud Schema Service runs APEX, and has endured yet another set of multiple rounds of Cloud Security testing.
  6. The Oracle Store runs APEX.
  7. APEX is used in countless military agencies and classified agencies around the globe.
  8. Even inside of Oracle, IT hosts an instance of APEX used by practically every line of business in the company, and it's cleared for the most strict information classification inside of Oracle.
  9. APEX is even used in the security products from Oracle, including Oracle Audit Vault & Database Firewall, Oracle Key Vault and Oracle Real Application Security.

There is security of APEX, and then there is security of the application you've written.  You can assess the security of an application via tools.  One of the best tools on the market is ApexSec from Recx Ltd., which we use internally for APEX applications, is used internally by the security assessment teams at Oracle for other APEX applications, and is used by numerous military and other classified agencies.
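Point 2 above separates flaws in APEX itself from flaws in an application built with it. As an added illustration (not from the original post or from Oracle), the first procedure below has both application-level problems named there and the second is the corrected form; the table demo_customers and both procedure names are hypothetical.

```sql
-- Added example: hypothetical table and procedures, for illustration only.
CREATE TABLE demo_customers (
    id    NUMBER PRIMARY KEY,
    name  VARCHAR2(100)
);

-- Application-level flaws, independent of the APEX release in use:
--   1. p_name is concatenated into the SQL text, so its content is
--      parsed as part of the statement (SQL injection).
--   2. p_name is written to the page unescaped, so markup in it is
--      rendered by the browser (cross-site scripting).
CREATE OR REPLACE PROCEDURE show_customer_unsafe (p_name IN VARCHAR2) IS
    l_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM demo_customers WHERE name = '''
        || p_name || ''''
        INTO l_count;

    sys.htp.p('Matches for ' || p_name || ': ' || l_count);
END show_customer_unsafe;
/

-- Corrected form:
--   1. The value is passed as a bind variable, so it is only ever
--      treated as data and the SQL text stays constant.
--   2. The value is HTML-escaped with APEX_ESCAPE.HTML before output.
CREATE OR REPLACE PROCEDURE show_customer_safe (p_name IN VARCHAR2) IS
    l_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM demo_customers WHERE name = :name'
        INTO l_count
        USING p_name;

    sys.htp.p('Matches for ' || apex_escape.html(p_name)
              || ': ' || l_count);
END show_customer_safe;
/
```

Both procedures run on the same APEX and database release; only the application code differs, which is the kind of finding an application-level assessment is meant to surface.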

Thursday, January 21, 2016

If you use Internet Explorer, change is coming for you in Oracle Application Express 5.1

With the ever-changing browser landscape, we needed to make some tough decisions as to which browsers and versions are going to be deemed "supported" for Oracle Application Express.  There isn't enough time and money to support all browsers and all versions, each with different bugs and varying levels of support of standards.

A position that's been adopted for the Oracle Cloud services and products is to support the current version of a browser and the prior major release.  We are adopting this same standard for Oracle Application Express beginning with Oracle Application Express 5.1.  This will most likely have the greatest impact on those people who use Microsoft Internet Explorer. 

Beginning with Oracle Application Express 5.1, the planned minimum version of Internet Explorer to both build and deploy applications will be Internet Explorer 11.  I say "planned", because it's possible (but unlikely) that Microsoft releases a new browser version prior to the release of Oracle Application Express 5.1.

Granted, even Microsoft itself has already dropped support for any version of IE before Internet Explorer 11.  And with no security fixes planned for any version of IE prior to Internet Explorer 11, hopefully this will be enough to encourage all users of IE to adopt IE 11 as their minimum version.

Oracle APEX development and multiple developers/branches

Today, I observed an exchange inside of Oracle about a topic that comes up from time to time.  And it has to do with the development of APEX applications, and how you manage this across releases and a larger number of developers.  This topic tends to vex some teams when they start working with Oracle Application Express on broader development projects, especially when people are not accustomed to a hosted declarative development model.  I thought Koen Lostrie of Oracle Curriculum Development provided a brilliant response, and it was worth sharing with the broader APEX community.

Alec from Oracle asked:
"Are there any online resources that discuss how to work with APEX with multiple developers and multiple branches of development for an application?  Our team is using Mercurial to do source control management now. 
The basic workflow is that there are several developers who are working on mostly independent features.  There are production, staging, development, and personal versions of the application code.  Developers implement bug fixes or new features and those get pushed to the development version.  Certain features from development get approved to go to staging and pushed.  Those features in staging may be rolled back or promoted to go on to production.  Are there resources which talk about implementing such a workflow using APEX?  Or APEX instructors to talk to about this workflow?"

And to which I thought Koen gave a very clear reply, complete with evidence of how they are successfully managing this today in their Oracle Curriculum Development team.  Koen said:

"I think a lot of teams struggle with what you are describing because of the nature of APEX source code and Database-based development.  I personally think that the development flow should be adapted to APEX rather than trying to use an existing process and apply that for APEX.

Let me explain how we do it in our team:

  • We release patches to production every 3 weeks. We have development/build/stage and production and use continuous integration to apply patches on build and stage.
  • We use an Agile-based process. At the start of each cycle we determine what goes in the patch.
  • Source control is done on Oracle Developer Cloud Service (ODCS)  – we use git and source tree. We don’t branch.
  • All developers work directly on development (the master environment) for bugs/small enhancement requests. We use the BUILD OPTION feature of APEX to prevent certain functionality from being exposed in production. This is a great feature which allows developers to create new APEX components in development but the changes are not visible in the other environments.
  • For big changes like prototypes, a developer can work on his own instance but this rarely happens. It is more common for a developer to work on a copy of the app to test something out. Once the change gets approved, it will go into development.

From what I see in the process you describe, the challenge in your process is that new changes get pulled back after they have made it to stage. This is a very expensive step. The developers need to roll back their changes to an earlier state which is a very time-consuming process. And… very frustrating for the individual developer.  Is this really necessary? Can the changes not be reviewed when in development? Because that is what is proposed in the Agile methodology: the developer talks directly to the person/team that requests the new feature and they review as early as on development.  In our case stage is only for testing changes. We fix bugs when the app is in stage, but we don’t roll back features once they are in stage – worst case we can delay the patch entirely but that happens very rarely.

There is a good paper available by Rob Van Wijk. He describes how each developer works on his own instance but keeps his environment in sync with the master. In his case too, they’re working on a central master environment. The setup of such an environment is quite complex. You can find the paper here: http://rwijk.blogspot.com/2013/03/paper-professional-software-development.html"

Thursday, January 07, 2016

If you're new to the APEX community, here are some tips to get engaged

Last night (January 6, 2016) we had our first-in-2016 APEX Meetup meeting in Columbus, Ohio, USA.  For being on short notice, we had a nice turnout, and I was able to distribute the new apex.world stickers.  I was most impressed that a gentleman (by the name of Shannon) drove down from Cleveland, Ohio - almost 2 hours drive each way.  He's been using APEX for all of two weeks, was using it with PowerSchool, and wanted to see what this APEX was all about.

Today, I wrote on our Oracle APEX Columbus Meetup board a short summary of the information we reviewed last night.  For those people who've been doing APEX for years, none of this is going to be new.  But the information I posted may be especially helpful to those who are very new to APEX, or even curious about APEX.  I decided to simply share it again here, in the hopes that someone else just as new as Shannon will find this useful.

--

We discussed a few things last night and I wished to summarize them here:

1)  There are ways to remain connected to the APEX community via Social media:

Facebook:  https://www.facebook.com/orclapex
LinkedIn:  http://linkedin.com/groups/8263065
Twitter:  The hashtag for Oracle Application Express is #orclapex.  Most everyone who attended last night is on Twitter.  You can follow many of us.  I’m at @joelkallman.  The APEX news is at @oracleapexnews.  If you don't know anyone on twitter, just do a Twitter search for #orclapex.

I’ll be honest - almost everyone in the APEX community is heavily engaged on Twitter, a lot less on LinkedIn, and almost never on Facebook.

2)  You should get registered on https://apex.world

It’s the APEX Community site, written by others in the APEX community (outside of Oracle).  There are jobs, plug-ins, open source, twitter feeds, news, and more.  You should also get registered on Slack, because apex.world is also integrated with Slack.  Follow the instructions on apex.world to get a Slack invitation.  It’s worth it.

3)  I spoke of some upcoming conferences

a)  There is an upcoming conference in May in Cleveland, the Great Lakes Oracle Conference.  Not only will Jason Straub and I be there, doing a couple sessions (about what’s coming in APEX 5.1), but we’re also doing a pre-conference workshop.  There will be other non-Oracle people there presenting on APEX.  You should think about presenting at this conference, and you can submit your abstracts until February.  As I tried to convey to attendees last night, don’t think that you have to submit the most exotic, obtuse topic possible.  How you’re using APEX, the challenges you’ve encountered and how you worked around them, may be a very useful topic.  The conference committee wants to expand their APEX offerings, and I think those of us in Ohio should help them. https://www.neooug.org/gloc/

b)  In June, in Chicago, is the Oracle Development Tools User Group (ODTUG) annual Kscope conference.   This is the place to be on the planet if you do any APEX whatsoever.  Just in the APEX track alone, there will be 46 sessions over 5 days.  On the Sunday before the conference starts, there will be the Sunday Symposium, which will be exclusively from the Oracle APEX product development team.  From a global perspective, this is the place to be for APEX.  It’s highly technical, and attendees and speakers from around the world assemble here.  http://kscope16.com

4)  How to get started, especially for someone who is new.  I offered a couple suggestions:

a)  Go to https://apex.oracle.com, and scroll down to the "Learn More" section, where there are links to documentation, tutorials, videos, hands-on-labs, etc.
b)  An Oracle employee mentioned that he took the APEX training class on Udemy, and for 7 hours of training, he thought it was pretty good.  I can't vouch for the training, and this isn't an official recommendation, but he thought it was worth his time and money.  He also said that while it's priced at $25, they often run specials for as low as $10.  https://www.udemy.com/create-web-apps-with-apex-5/

5)  Lastly, I showed Oracle’s community site for APEX, https://apex.oracle.com/community

I showed the numerous customer quotes we’ve received, and I put another plea out to attendees that, if you’re using APEX, please consider going through your management chain to get approvals for a quote.  At least ask.   There is no huge legal process involved, approvals can all be done via email.  The hard part is taking time out of your day job and pursuing this at your employer (or customer).  It will be a huge benefit to the entire APEX community.

P.S. I never showed it last night, but ODTUG also has a nice community site for APEX, at http://odtug.com/apex

Friday, January 01, 2016

A Few Resolutions for 2016



Jenny, from the Oracle Database Insider Newsletter, asked a number of us in the Database division at Oracle to share our New Year's resolutions for 2016.  And while I'm a bit reluctant to share this somewhat personal information, I like the fact that publicizing these resolutions may force me to remain a bit more focused on these goals.  So here goes...my resolutions for 2016:


  1. Attend an Oracle Real World Performance Training class.  I thought I knew a fair amount about the Oracle Database, SQL and tuning. But at a conference in 2015, I was able to spend some quality time around Vlado Barun from the Oracle Real World Performance team, and it quickly became clear I knew very little compared to these folks. I’m asked to diagnose “APEX issues” all the time, and the vast majority of cases are simply database configuration or SQL tuning exercises.  To become a better database developer, I need to become deeper in my understanding of the Oracle Database and performance.
  2. Broaden the message of APEX, Database and Oracle Cloud development to those we’re not reaching today.  And I specifically would like to share our message with higher education institutions and students attending university.  Developing Web and responsive applications is cool and I believe the combination of technologies (SQL, PL/SQL, APEX, Oracle Database, Cloud, REST) results in an incredibly rich application development platform.  University students probably think of “big, bad corporate” when they hear the word “Oracle”.  I want them to think “hip, cool, innovative, modern”.
  3. Be more patient and understanding of those who ask me questions.  I can actually credit a customer (Erik van Roon) who helped me to recalibrate my understanding on this topic.  Sometimes I’ll get questions where it’s clear someone hasn’t done the least bit of research into the topic.  And it was at those rare times when (to a fellow employee, never a customer), I’d reply with a lmgtfy.com link.  But as Erik correctly pointed out - I have 20 years experience, and they don’t.  Arrogance may not be the message I intend to send, but it may very well be the message that is received.  And that’s not how I wish to be perceived by anyone, ever.  Thus - time to drop my impatience and arrogance, for every occasion.
  4. Spend more time with my family.  2015 was a great year for Oracle Application Express, and I’ve never worked harder in my career than I did in 2015.  But that has a price, and I value the finite time with my family more than anything else.  While I love working for Oracle and I dearly love the team I’m blessed to work with, I value my family even more.  And I need to define a bit more rigid boundaries between work and family time.
  5. Read a novel.  When I read, it’s usually one of the following:  the Bible, a functional specification, a military history book, a computer programming/Web design book or the Wall Street Journal. My wife is an avid reader and gets such joy from well-written and captivating novels.  I’d like to expand my imagination (and vocabulary), and be able to set aside time for some reading at leisure.
  6. Learn a language.  I’ve dabbled back and forth with German over many years.  And I know enough German to order food in a restaurant.  But I’m not fluent enough for even the shortest of conversations in German. It’s time to either forge ahead with my self-study of German and practice it with the 3 native German speakers on the APEX team, or simply switch gears and direct my focus to Spanish which is probably much more practical, living in America.
  7. Exercise at least 3 times a week.  The older I get, the easier it is to gain weight and get out of shape, and the more difficult it is to lose it and get back in shape.  And by "exercise", I don't mean walk around the block.  Instead, I'm referring to something that causes you to sweat - running, biking, jumping rope, or resistance exercises (the Total Gym will work just fine!).  While I fantasize about training enough to run a 1/2 marathon in 2016, I'll be happy enough to just consistently exercise 3 times a week.

These are the goals.  Some are easy.  Some will span the entire year.  I probably won't meet them all, but they're a goal.

What are your goals for 2016?