Hardening the OpenHack App

By Timothy Dyck  |  Posted 2002-10-14

Oracle and Microsoft use generic Web error pages and stored procedures.

OpenHack 4 was designed to test the strength of Web application development techniques. To illustrate these techniques, eWeek Labs asked Oracle Corp. and Microsoft Corp. to recode an application we built, with each vendor using the programming techniques and security mechanisms it recommends to its customers.

The application, the user-facing part of eWeek's eXcellence Awards Web site, has been used in production for the last two years. It is complex enough to require a variety of security-hardening techniques while still small enough to be understood quickly.

The application, as originally developed by eWeek Labs, was written in JavaServer Pages. It runs on The Apache Software Foundation's Tomcat application server and stores data in IBM's DB2 Universal Database 7.2. (Both the application server and database ran on Red Hat Inc.'s Red Hat Linux.)

Oracle chose to deploy the application on its Oracle9i Application Server Release 2. Since this is a Java 2 Enterprise Edition-based application server, Oracle was able to use our code directly as a base for its efforts. (For full network topology, see diagram.) Oracle used Oracle9i Database Release 2 as its database and deployed the Web application and database servers on Red Hat Linux Advanced Server 2.1.

Microsoft developed its version of our application in C# and deployed it on ASP.Net (Active Server Pages .Net) and Microsoft's IIS (Internet Information Services) Web server with the .Net Framework libraries installed.

Microsoft used Microsoft SQL Server 2000 as its database and deployed the Web application and database servers on Windows 2000 Advanced Server.

Reading the Oracle and Microsoft source code side by side provides a very interesting contrast between the Java and .Net Web programming architectures; we'll compare specific parts of the code online after completion of the test (at OpenHack.com).

When we provided our code to Oracle and Microsoft, we already considered it quite secure, although both companies added further security improvements.
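The two improvements the subtitle names, generic Web error pages and stored procedures, are not shown in code on this page. The following is an added illustration (it is not eWeek's, Oracle's or Microsoft's code) of the principle behind both: database calls that bind user input as a parameter rather than splicing it into SQL text, and an error handler that writes the detailed exception to a server-side log while the client sees only a generic page. SQLite has no stored procedures, so a parameterized query stands in for the stored-procedure call; the in-memory table and its rows are constructed sample data, and every function name here is an assumption for the example.

```python
import logging
import sqlite3
import traceback

log = logging.getLogger("openhack-demo")

# Generic page returned to the client on any failure. It deliberately says
# nothing about the database, the driver or the query that failed.
GENERIC_ERROR_PAGE = "An error occurred while processing your request."


def build_db():
    """Constructed sample database standing in for the awards database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id INTEGER PRIMARY KEY, company TEXT, product TEXT)"
    )
    conn.executemany(
        "INSERT INTO entries (company, product) VALUES (?, ?)",
        [("Acme", "Widget Server"), ("Globex", "Data Vault"), ("Initech", "TPS Engine")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, company):
    """Dynamic SQL built by string concatenation (the pattern being avoided).

    The caller's input becomes part of the SQL grammar, so a quote in it
    changes the query rather than the value being compared.
    """
    sql = "SELECT product FROM entries WHERE company = '" + company + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, company):
    """Parameterized call: input is bound as a value, never parsed as SQL.

    This is the property a stored procedure invoked with typed parameters
    gives you on SQL Server or Oracle.
    """
    rows = conn.execute(
        "SELECT product FROM entries WHERE company = ?", (company,)
    )
    return [row[0] for row in rows]


def handle_request(conn, company, lookup):
    """Simulated request handler returning (status, body).

    Any exception is logged with its full traceback on the server and
    replaced by the generic page, so a probing client never learns the
    driver name, the SQL text or where in the query the parse failed.
    """
    try:
        products = lookup(conn, company)
        return 200, "Products: " + ", ".join(products)
    except Exception:
        log.error("lookup failed for company %r\n%s", company, traceback.format_exc())
        return 500, GENERIC_ERROR_PAGE


if __name__ == "__main__":
    db = build_db()
    # A tautology payload returns every row through the concatenated query
    # and nothing through the bound one; a lone quote breaks the
    # concatenated query, and the client sees only the generic page.
    for payload in ["Acme", "' OR '1'='1", "'"]:
        print(payload, "unsafe:", handle_request(db, payload, lookup_unsafe))
        print(payload, "safe:  ", handle_request(db, payload, lookup_safe))
```

The usage block at the bottom runs the same three inputs through both lookups: the legitimate company name behaves identically in each, the tautology payload dumps the whole table only through the concatenated query, and the malformed input produces a database error that reaches the log but not the response body.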

However, just in case something unexpected comes up, we won't be starting this year's eXcellence Awards process until after the OpenHack project is complete. Given the auditing and testing the eXcellence Awards application will have received at that point, it should be one of the most secure Web applications on the planet.

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
