How about using the standard APEX error handling procedure?: APEX 4.1 &#8211; Error Handling Improvements &#8211; Part 1 | Inside Oracle APEX by Patrick Wolf
What is the specific security issue you are facing?
This sounds like a generic penetration test, perhaps something along the lines of "Error messages reveal the underlying technology" or "Error messages can contain information helpful to an attacker". This is because of the ORA- messages. I would push back on this and see if you can argue the point that;
a) The technology can not be hidden, we (for example) have written detection routines for nessus to detect APEX without relying on any error output.
b) Ask for a *specific* example where the framework error message has lessened the security posture of the application/framework.
c) If you cannot then you really do need help to ensure that any changes/patches to the framework do not decrease application stability. What is the risk to the business? Can the business accept this low risk?
d) Just because somebody saw an 'ORA-01403: no data found' message once doesn't instantly mean you are insecure.
Though saying that, it would be a good feature to suggest, certainly a 'turn all errors off' might easily combat these types of over-zealous security reports: https://apex.oracle.com/pls/apex/f?p=55447
I finally found how this can be done. You will need to modify the package APEX_040200."WWV_FLOW_PAGE". Procedure: "RENDER_ERROR_PAGE". If you ever patch/upgrade APEX you will most likely need to remodify this package. For anyony looking for the solution for APEX 4.1, simply modify the WWV_FLOW_ERROR package owned by APEX_040100.