Securing an application involves securing much more than just the application itself; the app is only the beginning
“As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from OWASP (the Open Web Application Security Project), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.”
If you are a software developer, being aware of OWASP secure coding principles is absolutely vital, and there is no margin for error. Your application must be free of the well-known vulnerable areas that are so easily compromised and could lead to the exposure of the entire application environment.
But there is more to application security than just securing your application. Sure, other people may be responsible for the other parts, but it is still important that you know what those other parts are. If your organization is small, the people responsible for the other parts of application security may not be fully aware of their implicit responsibilities.
Securing the Web Server
If you’re a Web application developer, then your application is probably running on a Web server. In a larger and more complex environment, your app may be running on a separate server, but for the sake of illustration, I’ll keep things simple.
The Web server software, such as Internet Information Services (IIS), Apache, WebLogic or iPlanet, is almost as complex as an operating system. Regardless of which Web server software your organization uses, there are some excellent guidelines for securing it. My favorite is Guidelines on Securing Public Web Servers, published by the U.S. National Institute of Standards and Technology (NIST) [1].
The topics in this publication include:
Planning and managing Web servers
Securing the Web server (this includes configuring access controls and server settings)
Securing Web content
Using authentication and encryption technologies
Web server administration (this covers logging, backups, and content management)
Each chapter includes checklists that the Web server administrator can use to make sure that all aspects of the Web server are configured correctly.
Without these safeguards, an intruder may be able to issue commands to the Web server that bypass authentication controls, view or alter sensitive information, or completely take over the system the Web server runs on. All of this can happen even if every required step has been taken to secure the application itself.
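As an added example, not code from this article or from the NIST publication, here is a small Python checker that applies a few server-setting and logging checklist items of the kind described above to an Apache httpd.conf fragment; the sample configuration and the specific rules are constructed for illustration and are not the NIST checklist itself:

```python
# Constructed sample httpd.conf fragment (not from any real server) with
# settings a NIST-style Web server checklist would flag.
SAMPLE_CONF = """
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
ErrorLog "logs/error_log"
"""

# Each rule: (directive, predicate that is True when the value is unsafe, finding).
RULES = [
    ("servertokens", lambda v: v.lower() not in ("prod", "productonly"),
     "ServerTokens reveals version/OS details; set 'ServerTokens Prod'"),
    ("serversignature", lambda v: v.lower() != "off",
     "ServerSignature adds server details to error pages; set it Off"),
    ("traceenable", lambda v: v.lower() != "off",
     "TRACE method enabled; set 'TraceEnable Off'"),
    ("options", lambda v: "indexes" in v.lower().split(),
     "Directory listing enabled via 'Options Indexes'; remove Indexes"),
    ("allowoverride", lambda v: v.lower() == "all",
     "'AllowOverride All' lets .htaccess files override server settings"),
]

# Directives that should be present; their absence is also a finding.
REQUIRED = {
    "customlog": "No access log configured (CustomLog); add one for auditing",
    "errorlog": "No error log configured (ErrorLog)",
}

def audit_apache_conf(text):
    """Return the list of findings for an httpd.conf text (directives are case-insensitive)."""
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and <Section> tags
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        seen.add(directive)
        for name, is_unsafe, message in RULES:
            if directive == name and is_unsafe(value):
                findings.append(message)
    findings += [msg for name, msg in REQUIRED.items() if name not in seen]
    return findings
```

Running `audit_apache_conf(SAMPLE_CONF)` reports six findings for the sample: the five unsafe directive values plus the missing access log.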