KuppingerCole Report
Executive View
By Alexei Balaganski

Oracle APEX – Secure Low-Code Application Development Platform

Oracle Application Express (APEX) is a low-code development platform that allows business users with limited IT skills to design and maintain scalable enterprise applications, storing their data securely in the Oracle Autonomous Database.

1 Introduction

The massive shortage of qualified personnel to operate modern, complicated IT infrastructures has led not just to the notorious skills gap in the security industry: the same shortage affects application development as well. Even the largest enterprises with well-staffed internal IT departments struggle to keep up with constantly changing business requirements and to update their business software accordingly. Making changes in “off-the-shelf” enterprise products or SaaS applications is even more difficult: it may take months for such a request to be implemented and even longer for it to be deployed, even for the smallest changes in functionality.

Unsurprisingly, this has led to a rise of “Shadow IT”, when business line employees, frustrated by the shortcomings of available applications, would utilize unsanctioned tools and services to improve their productivity. Although such developments can significantly improve productivity and flexibility of business processes, uncontrolled proliferation of shadow IT without proper central governance has massive negative implications: further fragmentation of IT landscapes and data siloes, wasted time and resources, communications problems, and, last but not least, compliance issues and increased risk of data loss. Attempts to limit shadow IT with tools like cloud access security brokers have proven to be unsuccessful. Thus, an alternative trend has been on the rise in recent years: Citizen Development.

Citizen development is all about allowing business users with little to no programming skills to develop applications with convenient and uncomplicated tools sanctioned and controlled by central IT. As a general trend, it is by no means new: business users have been building their apps for years using scripts and spreadsheets. However, next-generation specialized development platforms focus not only on making these developments more comfortable and convenient but on ensuring their compliance with corporate security policies and government regulations and on the ability to prevent data leaks and breaches.

The market for low-code and no-code development platforms has been booming in recent years, with multiple vendors competing in offering the most intuitive GUI-based development environments for business users. Their primary goal is, of course, to meet the increasing need for applications without facing the shortage of skilled developers, improving and balancing productivity for both business and IT workers. Usually offered as software as a service from the cloud, these solutions help to put shadow IT under centralized governance, but often fail to take other security and compliance risks into consideration.

Oracle APEX is a low-code application development platform with a unique twist: it is entirely implemented within Oracle Database, making it portable (available on-premises, in a cloud, or just about anywhere where a running Oracle instance can be found), highly secure out of the box thanks to multiple controls built into the database itself, and powerful enough to run a wide variety of apps – from simple spreadsheets to large-scale projects with thousands of users. There is no need to deploy any additional software or manage infrastructure, and the service is completely free for all existing Oracle customers. It is also available as a part of the Oracle Cloud service portfolio with a generous free tier.

2 Product Description

Oracle Application Express (APEX) is a low-code application development platform for designing and deploying data-driven business applications. Created in 2004 by Michael Hichwa, a software developer working at Oracle (incidentally, he is heading the project to this day as the SVP for Software Development), APEX predates the concept of citizen development by at least a decade. Although the product was originally marketed as a Rapid Application Development (RAD) tool for professional developers and database administrators, its extremely low learning curve makes it suitable for users with few programming skills, thus aligning perfectly with the much more recent idea of a citizen developer.

With just a few clicks, users can create web applications to visualize, analyze or manage their data, either from an existing database or imported from a spreadsheet, without writing a single line of code. More complex use cases might involve the declarative design of new data models or utilizing built-in objects or plug-ins, thus seamlessly spanning the spectrum from no-code to low-code to “as much code as needed”. The resulting apps are full-stack web applications comprising HTML/CSS pages and forms, JavaScript-powered visualization and logic, and even connectors to external data sources or APIs – all generated automatically by the platform.

The platform offers a choice of out-of-the-box UI themes for applications, ensuring that even the simplest app has a responsive, ergonomic, and good-looking interface. A number of common pre-built components are available as well, including calendars, surveys, project tracking, and others. If needed, all aspects of the UI can be customized. A choice of authentication and access management options is supported, including both enterprise protocols and social logins.

Data management and analytics are obviously major use cases for data-driven apps. For this, APEX offers rich reporting capabilities with functions like sorting, filtering, search, and aggregation. A notable “killer feature” is faceted search, which can analyze input data and create a multi-dimensional navigation UI automatically, without any user input. Reports in various formats are available out of the box as well. Naturally, if users have some rudimentary understanding of SQL, they can extend their apps in numerous ways. But even if they don’t, APEX offers an intuitive method of declarative design of data structures, which is automatically turned into SQL by the platform.

Perhaps the single most important distinction of APEX that sets it apart from all competitors is that the platform is implemented in Oracle PL/SQL and thus runs entirely within any Oracle Database instance. In fact, since Oracle 11g, it is installed by default and is thus available to any Oracle Database customer at no cost, which makes APEX arguably the most popular (at the very least, the most widely deployed) low-code application platform in the world.

This architecture is the direct opposite of the way application platforms are traditionally designed – with multiple middleware tiers and a high degree of abstraction at every layer. However, this approach allows for a dramatic reduction of overall complexity, not just for users, but for operations and maintenance as well. By getting rid of such concepts as object-relational mapping, remote procedure calls, or database connection pooling, the APEX platform can achieve a much higher degree of performance and scalability without any bottlenecks.

Since APEX relies on an existing database to serve as its underlying infrastructure, its implementation is extremely lightweight and completely stateless, requiring far fewer computing resources and scaling easily to accommodate even large-scale business-critical use cases. In a way, APEX is a serverless application platform, with all the underlying complexity hidden from both citizen developers and administrators responsible for operations.

Obviously, APEX applications can only be deployed in an environment where an Oracle database is available, which indicates a strong case of vendor lock-in. On the other hand, Oracle Database is the platform’s only requirement. Since these databases are ubiquitous in many on-premises environments (in large enterprise data centers or on developers’ own laptops) or in any notable public cloud, it can be argued that APEX is much more flexible in terms of available deployment options than many other low-code solutions.

However, even the term “deployment” does not fully apply in this case. Since the whole platform, including all application resources, logic, and data, already resides in a database instance, there is nothing to deploy at all – users only need to share a URL to access their application. Besides convenience, this has massive implications for security and compliance: sensitive data never needs to leave the database and remains protected by the multitude of security controls built into an Oracle database. Unfortunately, a notable disadvantage here is that this approach makes version control difficult. Even though the whole application can be exported from the platform, the resulting single SQL file is not very suitable for tracking changes in application logic. More advanced version control can only be achieved with third-party utilities.

Speaking of the third-party ecosystem, the biggest paradox of Oracle APEX is that it has a massive worldwide community with thousands of APEX developers in most countries, and yet, outside of the Oracle customer base, it has remained virtually unknown. For years, the company has considered the platform an integral part of the Oracle Database and hasn’t invested enough in promoting it as a solution for business users. This has, of course, changed with the advent of the Oracle Cloud.

For a number of years, cloud infrastructure and services have been a crucial area of strategic development for Oracle. With massive investments into both their second-generation infrastructure and flagship services like the Oracle Autonomous Database, the company’s low-code development platform has finally received a more prominent place in Oracle’s portfolio.

Since 2020, APEX has officially been a standalone, full-featured service in Oracle Cloud. Even though it is still powered by the Oracle Autonomous Database in the background, customers no longer need to deal with this infrastructure layer in any way. The Autonomous Database’s auto-scaling capabilities allow the company to offer the service with 100% consumption-based pricing, just like any other cloud service. Oracle Cloud takes care of any potential management, security, and availability issues as well, turning APEX apps in the cloud into truly serverless applications.

It’s worth noting that the platform is still actively developed, with new features and improvements added in every release. At the time of writing, the latest Oracle APEX version is 20.1, released in the summer of 2020. It has introduced several notable improvements, including Oracle’s new Redwood User Interface, search engine optimized URLs for applications, and improvements in application lifecycle management (addressing some of the challenges of integrating APEX into existing development workflows).

3 Strengths and Challenges

Oracle APEX is a really interesting and even somewhat polarizing solution. On one hand, its architecture, original purpose, and whole history set it apart from just about every potential competitor in the market for low-code and no-code platforms. Professional developers might have mixed feelings about it, finding its design goals counterintuitive and its integrations into existing CI/CD pipelines insufficient.

However, customers looking beyond the “established norms” of software development, especially the business users lacking these preconceived notions, are much more likely to embrace the simplicity, scalability, and low learning curve of the platform, especially when it is consumed directly in the cloud in a truly serverless fashion. Perhaps the biggest remaining challenge for Oracle is to raise the general awareness about APEX beyond their traditional customer base and let any aspiring citizen developer become part of a vibrant global community.


Strengths

  • Full-featured no-code/low-code development platform built entirely into an Oracle Database
  • Flexible deployment options thanks to the ubiquitous presence in on-prem, cloud, and hybrid environments
  • Stateless and serverless architecture allows for massive scalability and high availability, suitable for mission-critical apps
  • Responsive, dynamic UI with rich data management and analysis capabilities
  • Massive reduction of security and compliance risks compared to “traditional” low-code platforms
  • A global ecosystem with a vibrant, engaged community


Challenges

  • Proprietary technology, significant risk of vendor lock-in
  • Application lifecycle management is still quite rudimentary
  • Visibility outside of the Oracle customer base is still limited; the company is seldom considered a low-code/no-code solution provider


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
