You must first determine a baseline for application security before you can begin the process of hardening the technology. In this video, you’ll learn some best practices for security baselining and some techniques for hardening the operating system and application environment.
There are many different aspects to securing an application. And that’s because an application has so many different components associated with it. So an important thing to do is to identify all of those different components, and understand how the application is used by each one of those.
So look at the browser that’s being used by the application. Look at the operating system it’s running on. Does it have any service packs, or any security patches that need to be associated with it?
You need to understand exactly the way the application is running. Because if any one of those things changes then we need to be aware of it, and understand how that impacts the security of the application. And of course, you have so many applications to choose from. You have to do this for every single one that you have. And they’re all going to change over time.
There’s going to be updates to the operating system. There’s going to be updates to the browser. Maybe someone else uses a different browser. Is that an appropriate browser to use for this application? You as the security professional have to make that decision.
The baseline is going to be updated constantly, and not only by security patches and normal operating system patches. The application itself can change, so of course you have to keep track of that. And then the other applications on the same workstation and on the same server are going to change. So you also have to keep track of those. This matters especially on servers: if a server happens to be taken over by a bad guy using a different app, they may possibly have access to this other application and be able to share information between them.
After you do a major update, after you do a major change to your workstations, make sure that you do another baseline. Make sure you understand the impact that’s going to have. Make sure that the system remains secure after adding these additional patches. You don’t want to get in a situation where you’ve updated an operating system, you’ve added a new patch, and unfortunately you’ve opened up that operating system and the application to other types of vulnerabilities.
We’ve talked about hardening operating systems. But you also have to think about hardening the applications as well. And a number of the best practices for operating systems still apply for these applications. For instance, we want to make sure that the operating system this application is running on is as secure as possible. So make sure that we have the latest security patches, make sure that we have the latest service packs, so that nobody can get into the operating system and perhaps gain control of that application.
The application itself is going to have updates. You’re going to get updates from the manufacturer. You’re going to update the application if you wrote it in house. There will be changes associated with that.
These changes may bring new features to the application. They may be bug fixes. And for everything that changes, we need to have an understanding of how that impacts the security of the application itself.
You should also use the best practice of least privilege access. You don’t want the application to have read access to an area that it should not have read access to. You don’t want it to be able to delete files that perhaps it should not be able to delete. And normally this file access, and the ability to delete files, isn’t a problem until somebody gains access to the application who shouldn’t have that access, and finds ways to have the application delete files for them.
If the application itself never had access to delete files then that’s one thing you’ll never have to worry about. By setting those least privilege policies now you can be assured that, should something odd happen (a bad guy gets hold of the application and is able to manipulate the app, or perhaps the application just has a bug), it’s not going to cause a problem for other people.
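The delete-permission point above, as an added example that is not part of the original video: on POSIX systems, whether an account can delete a file is decided by the mode bits of the file's parent directory, not by the file's own permissions. The audit below assumes classic mode bits only (no ACLs or Linux capabilities); the function names and the service-account uid and gids are hypothetical.

```python
import os
import stat

def _class_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to this uid/gids for a stat result."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7      # group class
    return st.st_mode & 7                 # everyone else

def can_delete(path, uid, gids):
    """True if the account may unlink `path` under classic POSIX mode bits."""
    if uid == 0:
        return True                       # root bypasses mode bits
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if _class_bits(parent, uid, gids) & 3 != 3:
        return False                      # needs write (2) + search (1) on the directory
    if parent.st_mode & stat.S_ISVTX:     # sticky bit: only the owners may delete
        return uid in (os.lstat(path).st_uid, parent.st_uid)
    return True

def audit_deletes(root, uid, gids, allowed):
    """List files under `root` the account can delete outside the `allowed` dirs."""
    allowed = [os.path.abspath(a) for a in allowed]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        here = os.path.abspath(dirpath)
        if any(here == a or here.startswith(a + os.sep) for a in allowed):
            continue                      # the application is meant to manage these
        findings += [os.path.join(here, f) for f in files
                     if can_delete(os.path.join(here, f), uid, gids)]
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: a shared directory left world-writable.
    with tempfile.TemporaryDirectory() as top:
        shared = os.path.join(top, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        open(os.path.join(shared, "report.txt"), "w").close()
        me = os.stat(top)
        # Hypothetical service account that owns nothing in the tree.
        print(audit_deletes(top, me.st_uid + 1000, {me.st_gid + 1000}, []))
```

Any path this returns is a file the application account could remove even though it sits outside the directories the application is supposed to manage, so it belongs in the baseline review.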
In many environments you’ll even see the application machines, these workstations, are very tightened down. You can’t change the background on your desktop. You can’t install new applications. You can’t change colors on the screens. You can’t change fonts because the security administrators know that every single one of these changes could impact the stability and the security of the operating system.
So by hardening the system, and hardening the way the application is going to work, you’re going to have a much safer environment for everyone.