When we check Oracle Application Express documentation in chapter Managing Application Security, we can read this : "Administrators are primarily responsible for ensuring the security of the Oracle Application Express installation, while developers are responsible for building secure applications". Just based on this sentence we can see that APEX security is multi role topic. APEX administrator is responsible (hopefully communicating that with developers) for various instance security setting and enabling and disabling APEX features. APEX developer is responsible for building secure applications and this means far more then just set up authorization and authentication. Regardless of the security settings if a developer will not watch for things like SQL injection and Cross-site scripting an application will not be secure. And we must not forget (and this can be easily overlooked) if we are using ORDS we also need to properly set this component.
It this 3 time 45 minutes presentation we will address this issues and we will show with practical examples how set up environment and how to build a secure APEX application.