3.5.3.2  Web Servers
(Page 4 of 4)

Hardening Custom Applications

The area of hardening applications, such as ASP pages, that your own organization’s developers wrote (or that a long-gone dot-com-heyday web consultancy created for you) is a tricky one. Unlike for web server and application platform software, there’s no web site you can go search to look for bugs in “ourinternalapp” “version 2.4”. Rather than merely keeping your eyes and ears open for the latest flaws, you must proactively look for and prevent flaws in local, homegrown applications.

Secure Coding

Secure coding is a topic that has received more and more attention recently, with the two leading texts in this regard being:

1. Writing Secure Code by Howard and LeBlanc.[368]

2. Building Secure Software: How to Avoid Security Problems the Right Way by Viega and McGraw,[369] which deals with the subject at a high level not specific to Windows.

Word of advice: software architects familiar with UNIX tend to like the Viega and McGraw book, and Windows developers tend to prefer the Howard and LeBlanc volume.


So, You Think You’ve Got it Locked Down?

After you think your web server and server applications are secure, consider running a web security scanner on a regular basis, to make sure that you have made all necessary security improvements (as far as the scanner knows, at least), and to make sure that periodic web site and system maintenance doesn’t undo your work on securing the server.

For example, the Stealth HTTP Scanner will check for thousands of known vulnerabilities, and allows you to add your own tests should you run into an issue it is not yet aware of.[370] Another CGI scanner to consider is whisker, available at http://www.wiretrip.net/whisker, which runs on Perl on Windows or UNIX. If the scanner finds any additional vulnerabilities, correct them and re-run the scanner.
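The "re-run it regularly so maintenance doesn't undo your hardening" idea can also be captured as a small regression check of your own, in the spirit of the custom tests the scanners above let you add. The script below is an added example, not code from the CertiGuide text or from either scanner it names; the paths, expected status codes and the `ourinternalapp` baseline are constructed assumptions that you would replace with the hardening steps you actually applied to your own server.

```python
import http.client
import re
from dataclasses import dataclass, field
@dataclass
class Check:  # one hardening expectation for a path on a web server you administer
    path: str
    expected_status: int                 # e.g. 404 for sample content you removed
    banned_headers: dict = field(default_factory=dict)  # header -> regex that must NOT match

def evaluate(check, status, headers):
    """Return findings for one captured response (empty list = still hardened)."""
    findings = []
    if status != check.expected_status:
        findings.append(f"{check.path}: expected HTTP {check.expected_status}, got {status}")
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern in check.banned_headers.items():
        value = lowered.get(name.lower(), "")
        if re.search(pattern, value, re.IGNORECASE):
            findings.append(f"{check.path}: header {name} leaks '{value}'")
    return findings

def run_checks(fetch, checks):
    """Run every check through fetch(path) -> (status, headers) and collect findings."""
    findings = []
    for check in checks:
        status, headers = fetch(check.path)
        findings.extend(evaluate(check, status, headers))
    return findings

def http_fetch(host, port=80):
    """Build a fetcher that issues real GET requests with the standard library."""
    def fetch(path):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        conn.close()
        return resp.status, headers
    return fetch

# Constructed baseline for a hypothetical internal app; adjust to your own server.
BASELINE = [
    Check("/", 200, {"Server": r"\d+\.\d+"}),    # banner must not carry a version number
    Check("/scripts/", 404),                      # removed sample scripts must stay gone
    Check("/ourinternalapp/admin/", 403),         # admin pages must stay access-controlled
]
if __name__ == "__main__":
    for finding in run_checks(http_fetch("localhost"), BASELINE):
        print(finding)
```

Any line it prints is a hardening step that has regressed since the baseline was written; an empty run means the server still matches what you locked down.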


 __________________

368. Howard, Michael and David LeBlanc. Writing Secure Code. Microsoft Press, November 2001. http://www.nerdbooks.com/item.html?id=0735615888

369. Viega, John and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, September 2001. http://www.nerdbooks.com/item.html?id=020172152X

370. Scambray, Joel and Stuart McClure. Hacking Exposed – Windows 2000 Network Security Secrets and Solutions. McGraw-Hill, September 2001. http://www.nerdbooks.com/item.html?id=0072192623


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.