
About Securing Applications


Securing applications requires analysis, monitoring, and testing. Protecting applications is crucial because an attacker who has taken over an application can execute commands with the privileges of that application. Application-to-application security is often minimal and privileges are often high, because each application assumes the other is a trusted source. Many applications run with superuser (root) privileges, which increases the risk of serious damage if a vulnerability is exploited.

Web applications are the leading entry point for most attackers and have more vulnerabilities than other applications. Web server and application server configurations play a key role in the security of a Web application. These servers are responsible for serving content and for calling the applications that generate content. In addition, many application servers provide services that Web applications can use, including data storage, directory services, email, messaging, and so on.

Several server-configuration problems can threaten a Web site, for example:

  • Server-software configurations that permit directory listing and directory traversal attacks
  • Unnecessary default, backup, or sample files including scripts, applications, configuration files and Web pages
  • Improper file and directory permissions
  • Unnecessary services enabled, including content management and remote administration
  • Default accounts and passwords
  • Administrative or debugging functions that are enabled or accessible
  • Poorly configured SSL certificates and encryption settings
  • Use of self-signed certificates to achieve authentication
  • Use of default certificates

You can detect many of these problems with security-scanning tools. These configuration problems can compromise a Web application, and a successful attack can also result in the compromise of back-end applications, including databases and corporate networks.
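As an added illustration of the kind of check a scanning tool performs for three items in the list above (unnecessary backup or sample files, improper file and directory permissions, and sensitive configuration files readable by everyone), the following script audits a Web document root on a POSIX file system. It is example code written for this page, not part of the Siebel product or of Oracle's tooling; the file-name patterns and the sensitive suffixes are hypothetical and should be adjusted to your own deployment.

```python
import os
import stat
import tempfile

# Hypothetical patterns for "unnecessary default, backup, or sample files".
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~")
RISKY_STEMS = ("sample", "example", "default", "backup")
# Hypothetical list of file types that should never be world-readable.
SENSITIVE_SUFFIXES = (".cfg", ".conf", ".properties", ".pem", ".key")


def audit_docroot(root):
    """Walk a document root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.stat(full).st_mode
            # Improper permissions: anything writable by "other" is a finding.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in filenames:
                lower = name.lower()
                if lower.endswith(RISKY_SUFFIXES) or any(s in lower for s in RISKY_STEMS):
                    findings.append((rel, "backup/sample/default file"))
                if lower.endswith(SENSITIVE_SUFFIXES) and mode & stat.S_IROTH:
                    findings.append((rel, "sensitive file world-readable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample document root with deliberate misconfigurations."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for d, mode in (("cgi-bin", 0o755), ("conf", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # uploads/ is world-writable
    files = {"index.html": 0o644, "index.html.bak": 0o644,
             "cgi-bin/sample.cgi": 0o755, "conf/app.properties": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)  # app.properties is left world-readable
    return root


if __name__ == "__main__":
    for rel, finding in audit_docroot(build_sample_tree()):
        print(f"{finding:28s} {rel}")
```

Run against a real document root by calling `audit_docroot("/path/to/docroot")`; the constructed tree above exists only so the script demonstrates each finding type offline.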

A strong Web application is typically deployed on a secure host (server) in a secure network using secure design and deployment guidelines. Because of the dependencies on the network environment, Web application security must be addressed in multiple layers, including securing the network, host, and application.

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.