The massive shortage of qualified personnel to operate modern complicated IT infrastructures has led not just to the notorious skills gap in the security industry: the same shortage affects application development as well. Even the largest enterprises with well-staffed internal IT departments struggle to keep up with constantly changing business requirements and to update their business software accordingly. Making changes in “off-the-shelf” enterprise products or SaaS applications is even more difficult: it may take months for such a request to be implemented and even longer for it to be deployed, even for the smallest changes in functionality.
Unsurprisingly, this has led to a rise of “Shadow IT”, where business line employees, frustrated by the shortcomings of available applications, utilize unsanctioned tools and services to improve their productivity. Although such developments can significantly improve productivity and flexibility of business processes, uncontrolled proliferation of shadow IT without proper central governance has massive negative implications: further fragmentation of IT landscapes and data silos, wasted time and resources, communication problems, and, last but not least, compliance issues and increased risk of data loss. Attempts to limit shadow IT with tools like cloud access security brokers have proven to be unsuccessful. Thus, an alternative trend has been on the rise in recent years: Citizen Development.
Citizen development is all about allowing business users with little to no programming skills to develop applications with convenient and uncomplicated tools sanctioned and controlled by central IT. As a general trend, it is by no means new: business users have been building their apps for years using scripts and spreadsheets. However, next-generation specialized development platforms focus not only on making these developments more comfortable and convenient but on ensuring their compliance with corporate security policies and government regulations and on the ability to prevent data leaks and breaches.
The market for low-code and no-code development platforms has been booming in recent years, with multiple vendors competing in offering the most intuitive GUI-based development environments for business users. Their primary goal is, of course, to meet the increasing need for applications without facing the shortage of skilled developers, improving and balancing productivity for both business and IT workers. Usually offered as software as a service from the cloud, these solutions help to put shadow IT under centralized governance, but often fail to take other security and compliance risks into consideration.
Oracle APEX is a low-code application development platform with a unique twist: it is entirely implemented within Oracle Database, making it portable (available on-premises, in a cloud, or just about anywhere where a running Oracle instance can be found), highly secure out of the box thanks to multiple controls built into the database itself, and powerful enough to run a wide variety of apps – from simple spreadsheets to large-scale projects with thousands of users. There is no need to deploy any additional software or manage infrastructure, and the service is completely free for all existing Oracle customers. It is also available as a part of the Oracle Cloud service portfolio with a generous free tier.
2 Product Description
Oracle Application Express (APEX) is a low-code application development platform for designing and deploying data-driven business applications. Created in 2004 by Michael Hichwa, a software developer working at Oracle (incidentally, he is heading the project to this day as the SVP for Software Development), APEX predates the concept of citizen development by at least a decade. Although the product was originally marketed as a Rapid Application Development (RAD) tool for professional developers and database administrators, its extremely gentle learning curve makes it suitable for users with few programming skills, thus aligning perfectly with the much more recent idea of a citizen developer.
The platform offers a choice of out-of-the-box UI themes for applications, ensuring that even the simplest app has a responsive, ergonomic, and good-looking interface. A number of common pre-built components are available as well, including calendars, surveys, project tracking, and others. If needed, all aspects of the UI can be customized. A choice of authentication and access management options is supported, including both enterprise protocols and social logins.
Data management and analytics are obviously major use cases for data-driven apps. For this, APEX offers rich reporting capabilities with functions like sorting, filtering, search, and aggregation. A notable “killer feature” is faceted search, which can analyze input data and create a multi-dimensional navigation UI automatically, without any user input. Reports in various formats are available out of the box as well. Naturally, if users have some rudimentary understanding of SQL, they can extend their apps in numerous ways. But even if they don’t, APEX offers an intuitive method of declarative design of data structures, which is automatically turned into SQL by the platform.
Perhaps the single most important distinction of APEX that sets it apart from all competitors is that the platform is implemented in Oracle PL/SQL and thus runs entirely within any Oracle Database instance. In fact, since Oracle 11g, it is installed by default and is thus available to any Oracle Database customer at no cost, which makes APEX arguably the most popular (at the very least, the most widely deployed) low-code application platform in the world.
This architecture is the direct opposite of the way application platforms are traditionally designed – with multiple middleware tiers and a high degree of abstraction at every layer. However, this approach allows for a dramatic reduction of overall complexity, not just for users, but for operations and maintenance as well. By getting rid of such concepts as object-relational mapping, remote procedure calls, or database connection pooling, the APEX platform can achieve a much higher degree of performance and scalability without any bottlenecks.
Since APEX relies on an existing database to serve as its underlying infrastructure, its implementation is extremely lightweight and completely stateless, requiring far fewer computing resources and scaling easily to accommodate even large-scale business-critical use cases. In a way, APEX is a serverless application platform, with all the underlying complexity hidden from both citizen developers and administrators responsible for operations.
Obviously, APEX applications can only be deployed in an environment where an Oracle database is available, which indicates a strong case of vendor lock-in. On the other hand, Oracle Database is the platform’s only requirement. Since these databases are ubiquitous in many on-premises environments (in large enterprise data centers or on developers’ own laptops) or in any notable public cloud, it can be argued that APEX is much more flexible in terms of available deployment options than many other low-code solutions.
However, even the term “deployment” does not fully apply in this case. Since the whole platform, including all application resources, logic, and data, already resides in a database instance, there is nothing to deploy at all – users only need to share a URL to access their application. Besides convenience, this has massive implications for security and compliance: sensitive data never needs to leave the database and remains protected by the multitude of security controls built into an Oracle database. Unfortunately, a notable disadvantage here is that this approach makes version control difficult. Even though the whole application can be exported from the platform, the resulting single SQL file is not very suitable for tracking changes in application logic. More advanced version control can only be achieved with third-party utilities.
Speaking of the third-party ecosystem, the biggest paradox of Oracle APEX is that it has a massive worldwide community with thousands of APEX developers in most countries, and yet, outside of the Oracle customer base, it has remained virtually unknown. For years, the company has considered the platform an integral part of the Oracle Database and hasn’t invested enough in promoting it as a solution for business users. This has, of course, changed with the advent of the Oracle Cloud.
For a number of years, cloud infrastructure and services have been a crucial area of strategic development for Oracle. With massive investments into both their second-generation infrastructure and flagship services like the Oracle Autonomous Database, the company’s low-code development platform has finally received a more prominent place in Oracle’s portfolio.
Since 2020, APEX has officially been a standalone, full-featured service in Oracle Cloud. Even though it is still powered by the Oracle Autonomous Database in the background, customers no longer need to deal with this infrastructure layer in any way. The Autonomous Database’s auto-scaling capabilities allow the company to offer the service with 100% consumption-based pricing just like any other cloud service. Oracle Cloud takes care of any potential management, security, and availability issues as well, turning APEX apps in the cloud into truly serverless applications.
It’s worth noting that the platform is still actively developed, with new features and improvements added into every release. At the time of writing, the latest Oracle APEX version is 20.1, released in the summer of 2020. It has introduced several notable improvements including Oracle’s new Redwood User Interface, search engine optimized URLs for applications, and improvements in application lifecycle management (addressing some of the challenges of integrating APEX into existing development workflows).
3 Strengths and Challenges
Oracle APEX is a really interesting and even somewhat polarizing solution. On one hand, its architecture, original purpose, and whole history set it apart from just about every potential competitor in the market for low-code and no-code platforms. Professional developers might have mixed feelings about it, finding its design goals counterintuitive and integrations into existing CI/CD pipelines insufficient.
However, customers looking beyond the “established norms” of software development, especially the business users lacking these preconceived notions, are much more likely to embrace the simplicity, scalability, and gentle learning curve of the platform, especially when it is consumed directly in the cloud in a truly serverless fashion. Perhaps the biggest remaining challenge for Oracle is to raise the general awareness about APEX beyond their traditional customer base and let any aspiring citizen developer become part of a vibrant global community.