Applications are the most difficult parts of an IT infrastructure to secure because of their complexity and because they often need to accept input from a variety of users. Here are guidelines for lowering the risk of a system intrusion caused by an application flaw:
- Assume all installed applications are flawed; don't rely on the security programmed into them.
- Physically remove from the system all applications not being used.
- Use firewalls, content filters and OS user authentication features to restrict access to the application, and provide access only to those who absolutely must have it.
- Update all applications to the latest patches when security bulletins are released.
- Internally developed applications need to be code-reviewed for security weaknesses. Consider an external security review for critical applications.
- Externally facing Web applications are high-risk applications because they are a bridge between the outside world and internal customer databases. Be sure to add code that can block or otherwise safely deal with all of the following hostile inputs: missing page parameters, parameters that are unusually long, parameters with nulls or hexadecimal encoding, parameters with Web browser script blocks (which are used to create server-side scripting attacks), and parameters with quotes and semicolons (likely attempts to send hostile SQL commands through to the database).
- If possible, write applications in languages that run in virtual machines, such as Java, Visual Basic .Net or C#, because they provide an extra layer of security protection. Avoid C and C++ because they make it easy to write applications that allow buffer overflow attacks.
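The Web application item above lists five classes of hostile input to reject. The following is an added example, not code from the original article, showing one way to screen request parameters for those classes before they reach application logic, plus the parameterized database query that keeps quotes and semicolons harmless even if a value gets past the filter. The parameter limit, the `users` table and the sample requests are constructed for the example.

```python
"""Defensive screening of Web request parameters (added example).

Covers the hostile input classes named in the checklist: missing
parameters, over-long values, nulls or hexadecimal encoding, browser
script blocks, and SQL metacharacters (quotes and semicolons).
"""
import re
import sqlite3
from urllib.parse import unquote

MAX_PARAM_LEN = 256  # assumed per-parameter limit; tune per application
SCRIPT_BLOCK = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
SQL_META = re.compile(r"['\";]")
# Percent-escapes still present after the Web framework has already
# decoded the query string once indicate double encoding.
HEX_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def classify_param(name, value):
    """Return the list of findings for one parameter (empty means clean)."""
    findings = []
    if len(value) > MAX_PARAM_LEN:
        findings.append(f"{name}:too_long")
    # Decode once more so an encoded script block cannot hide from the checks.
    decoded = unquote(value)
    if HEX_ESCAPE.search(value) or "\x00" in decoded:
        findings.append(f"{name}:null_or_hex_encoding")
    if SCRIPT_BLOCK.search(decoded):
        findings.append(f"{name}:script_block")
    if SQL_META.search(decoded):
        findings.append(f"{name}:sql_metacharacter")
    return findings


def validate_request(params, required):
    """Check a whole request; an empty result means the request is acceptable."""
    findings = [f"{name}:missing" for name in required if name not in params]
    for name, value in params.items():
        findings.extend(classify_param(name, value))
    return findings


def lookup_user(conn, username):
    """Bound parameter: quotes and semicolons in username are data, not SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


# Constructed sample requests, one per hostile input class plus a clean one.
SAMPLE_REQUESTS = {
    "clean": {"user": "alice", "page": "3"},
    "missing": {"page": "3"},
    "long": {"user": "a" * 1000, "page": "3"},
    "null": {"user": "alice%00", "page": "3"},
    "script": {"user": "<script>alert(1)</script>", "page": "3"},
    "sql": {"user": "alice'; DROP TABLE users;--", "page": "3"},
}

if __name__ == "__main__":
    for label, params in SAMPLE_REQUESTS.items():
        print(label, validate_request(params, {"user", "page"}) or "accepted")
    conn = demo_db()
    print(lookup_user(conn, "alice"))
    print(lookup_user(conn, "alice'; DROP TABLE users;--"))  # no match, table intact
```

A request with any finding should be answered with a generic error and the findings logged for the security team; the screen is a first line, and the bound parameter in `lookup_user` is what actually prevents hostile SQL from reaching the database.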