Wednesday, April 13, 2011

Malicious Code in APEX Plugins - Feedback

My previous post about Malicious Code in APEX Plugins identified the possibility of harmful code in plugins (if you haven't read it please read the post before continuing). Several people had some excellent feedback which they included in the comments section. This post summarizes their comments and provides my thoughts on them.

Oracle Maintaining Plugin Repository

The idea is for Oracle to host something similar to Apple's App Store so that all code must pass a set of standards before it is published. I don't work for Oracle so I can't comment on this too much, but I think it's a good idea. That being said, the current community plugin repository, apex-plugin.com, already has an approval process before plugins are released.

Wrapped PL/SQL and Licensed Plugins

Some plugins have wrapped PL/SQL source code and obfuscated/minified JavaScript (JS) code. Plugin developers may need to wrap their PL/SQL code because their plugins are licensed. They may also minify their JS files for performance reasons. When you use these plugins, the reputation of the company that developed them can help determine their legitimacy (more on this in the next section). Just because the code is wrapped doesn't mean you should not install the plugin. There are other ways to validate that it is safe to use.

Trusted Developers and Organizations

There are some companies and developers within the APEX community that are well known and trusted. These companies specialize in APEX and would never write malicious code. For example, I would never hesitate to install a plugin from organizations such as (but not limited to) ClariFit, Apex Evangelists, APEX Freelancer, Skill Builders, and Sumneva.

Scalability and Upgrades

Scott Spendolini made a great comment about the scalability of plugins and about upgrades. I think this has to be examined on a case-by-case basis. If you're using a plugin in a small application that doesn't get a lot of hits, then it may be a moot point. If your application gets millions of hits a day and you use a poorly optimized plugin, then you may need to modify it to fit your needs. When looking at the source code you may not only be looking for malicious code but also for ways to improve performance for your specific needs. If the plugin has wrapped PL/SQL, you can try to contact the developer/company to address your specific needs.

Like all software, plugins may need to be upgraded as APEX (and its 3rd-party add-ons like jQuery) evolves. If the plugin is open source you can easily modify the code yourself or email the developer with a change request. I've had several people email me about bugs and feature enhancements for my plugins and was able to implement them in future versions.

7 comments:

  1. Hi Martin,

    thanks for these two posts.
    I think it is very important for everyone who uses plugins to know about the risks.

    Trust is good, but you never should blindly trust anyone.

    And this is as important to know: there is no "Authority" which can give you a certificate that a plugin is bullet-proof secure and works well under whatever load you use it.

    Another thing plugin users shouldn't forget: a free (as in "costs no money") plugin most likely isn't put through excessive tests. The developer surely has tested it, but not as thoroughly as he would if he got money for it.

    Just my 2 cents :-)

    Anyway: use plugins. Write plugins. And rate plugins. This may be the only way you can find out if it works well, or not.

  2. When obtaining any product or service through the internet, it's always a good idea to read the reviews of others. The http://www.apex-plugin.com/ site has a rating/review system for the plugins. It's a great idea to leave reviews and even better to read them before installing.

  4. Hi Martin,

    it is an important topic you are writing about. I am with you on most of the discussed topics.
    I am only sad that you don't trust my plug-ins...

    Hope you may change your opinion in future? :)

    Tobias

  5. Hi Tobias,

    I only listed several companies off the top of my head and was unable to list all the trusted developers and organizations in this post. For sure you're on my trusted list of developers :-)

    Martin

  6. -- From Peter Raganitsch (for some reason Blogger seems to be deleting comments) --
    Hi Martin,

    thanks for these two posts.
    I think it is very important for everyone who uses plugins to know about the risks.

    Trust is good, but you never should blindly trust anyone.

    And this is as important to know: there is no "Authority" which can give you a certificate that a plugin is bullet-proof secure and works well under whatever load you use it.

    Another thing plugin users shouldn't forget: a free (as in "costs no money") plugin most likely isn't put through excessive tests. The developer surely has tested it, but not as thoroughly as he would if he got money for it.

    Just my 2 cents :-)

    Anyway: use plugins. write plugins. and RATE plugins. This may be the only way you can find out if it works well, or not.

  7. The best thing is to install the plugin and review the plugin code before starting to use it.

    Cheers,
    V
