Hardening the OpenHack App

Oracle and Microsoft use generic Web error pages and stored procedures.

OpenHack 4 was designed to test the strength of Web application development techniques. To illustrate these techniques, eWeek Labs asked Oracle Corp. and Microsoft Corp. to recode an application we built, with each vendor using the programming techniques and security mechanisms it recommends to its customers.

The application—the user-facing part of eWeek's eXcellence Awards Web site—has been used in production for the last two years. The application is complex enough to require a variety of security-hardening techniques while still small enough to be understood quickly.

The application, as originally developed by eWeek Labs, was written in JavaServer Pages. It runs on The Apache Software Foundation's Tomcat application server and stores data in IBM's DB2 Universal Database 7.2. (Both the application server and database ran on Red Hat Inc.'s Red Hat Linux.)

Oracle chose to deploy the application on its Oracle9i Application Server Release 2. Since this is a Java 2 Enterprise Edition-based application server, Oracle was able to use our code directly as a base for its efforts. (For full network topology, see diagram.) Oracle used Oracle9i Database Release 2 as its database and deployed the Web application and database servers on Red Hat Linux Advanced Server 2.1.

Microsoft developed its version of our application using C# and deployed it using ASP (Active Server Pages) .Net and Microsoft's IIS (Internet Information Services) Web server with .Net Framework libraries installed.

Microsoft used Microsoft SQL Server 2000 as its database and deployed the Web application and database servers on Windows 2000 Advanced Server.

Reading the Oracle and Microsoft source code side by side provides a very interesting contrast between the Java and .Net Web programming architectures; we'll compare specific parts of the code online after completion of the test (at OpenHack.com).

When we provided our code to Oracle and Microsoft, we already considered it quite secure; both companies nonetheless added further security improvements.
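The two techniques named in the subhead, generic error pages and stored procedures, are easiest to see in code. The following Java class is an added illustration written for this article; it is not eWeek Labs', Oracle's or Microsoft's code. It assumes a hypothetical stored procedure `awards_get_entry(IN entry_id INTEGER, OUT title VARCHAR)` and an open JDBC `Connection` supplied by the caller. The request parameter is bound to the procedure call rather than concatenated into SQL text, and every database failure is logged server-side while the client receives one fixed, detail-free error page.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Types;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration of "stored procedures + generic error pages".
// Assumptions (not from the article): a stored procedure named
// awards_get_entry(IN entry_id INTEGER, OUT title VARCHAR) exists,
// and the caller passes an already-open JDBC Connection.
public final class HardenedEntryLookup {
    private static final Logger LOG = Logger.getLogger(HardenedEntryLookup.class.getName());

    /** Minimal stand-in for an HTTP response: status code plus body text. */
    public static final class Response {
        public final int status;
        public final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }

    // The single error page returned for every failure. It carries no
    // exception text, SQL fragment, driver name or stack trace.
    static final Response GENERIC_ERROR = new Response(500,
        "<html><body><p>Sorry, an error occurred. Please try again later.</p></body></html>");

    /**
     * Looks up an award entry by id. The id is bound as a typed parameter of a
     * stored-procedure call, so untrusted input is never spliced into SQL text.
     */
    public static Response lookupEntry(Connection conn, String rawEntryId) {
        int entryId;
        try {
            entryId = Integer.parseInt(rawEntryId);   // anything that is not an integer is rejected
        } catch (NumberFormatException nfe) {
            return new Response(400, "<html><body><p>Invalid request.</p></body></html>");
        }

        // JDBC escape syntax for a procedure call; each "?" is a bound parameter.
        try (CallableStatement cs = conn.prepareCall("{call awards_get_entry(?, ?)}")) {
            cs.setInt(1, entryId);
            cs.registerOutParameter(2, Types.VARCHAR);
            cs.execute();
            String title = cs.getString(2);
            if (title == null) {
                return new Response(404, "<html><body><p>No such entry.</p></body></html>");
            }
            return new Response(200,
                "<html><body><h1>" + escapeHtml(title) + "</h1></body></html>");
        } catch (SQLException e) {
            // Full detail goes to the server-side log only; the browser gets the generic page.
            LOG.log(Level.SEVERE, "awards_get_entry failed for entry " + entryId, e);
            return GENERIC_ERROR;
        }
    }

    // Output encoding for the one database value that is echoed back to the browser.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

In a real servlet deployment the generic page is usually not hand-built per handler but configured once with `<error-page>` entries in `web.xml` (or the equivalent `customErrors` setting in ASP.NET's `web.config`), so that unhandled exceptions and 404/500 statuses all map to the same neutral page; the per-request code then only has to avoid writing exception details into the response itself.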

However, just in case something unexpected comes up, we won't be starting this year's eXcellence Awards process until after the OpenHack project is complete. Given the auditing and testing the eXcellence Awards application will have received at that point, it should be one of the most secure Web applications on the planet.