Siebel CRM Siebel Security Hardening Guide, Siebel Innovation Pack 2015 (E24815-01)
Securing applications requires analysis, monitoring, and testing. Protecting applications is crucial because an attacker who has taken over an application can execute commands with the privileges of that application. Application-to-application security is often minimal and privileges are high, because the calling applications are assumed to be trusted sources. Many applications run with superuser (root) privileges, which increases the risk of serious damage if a vulnerability is exploited.
Web applications are the leading entry point for most hackers and have more vulnerabilities than other applications. Web server and application server configurations play a key role in the security of a Web application. These servers are responsible for serving content and calling the applications that generate content. In addition, many application servers provide several services that Web applications can use, including data storage, directory services, email, messaging, and so on.
Several server-configuration problems can threaten a Web site, for example:
Server-software configurations that permit directory listing and directory traversal attacks
Unnecessary default, backup, or sample files including scripts, applications, configuration files and Web pages
Improper file and directory permissions
Unnecessary services enabled, including content management and remote administration
Default accounts and passwords
Administrative or debugging functions that are enabled or accessible
Poorly configured TLS certificates and encryption settings
Use of self-signed certificates to achieve authentication
Use of default certificates
You can detect many of these problems with security-scanning tools. These configuration problems can compromise a Web application, and successful attacks can also result in the compromise of back-end applications, including databases and corporate networks.
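A minimal configuration audit for three of the problems listed above (directory listing, weak TLS protocol versions, and exposed sample content), added here as an illustration and not part of the Siebel documentation. It assumes Apache httpd-style directives; the sample configuration and its paths are constructed for the example.

```python
import re

# Constructed sample of an Apache-style web server configuration that
# exhibits several of the weaknesses listed above (hypothetical paths).
SAMPLE_CONFIG = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/certs/server.crt
Alias /samples /var/www/samples
"""

# Protocol versions that should be disabled; TLSv1.2 or later is expected.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}


def audit_config(text):
    """Return a list of (directive, finding) tuples for weak settings found."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0]
        # Directory listing: "Options Indexes" or "+Indexes" exposes file names.
        if name == "Options" and any(p in ("Indexes", "+Indexes") for p in parts[1:]):
            findings.append((name, "directory listing enabled (Indexes)"))
        # SSLProtocol: resolve "all", "+X" and "-X" tokens to the enabled set.
        elif name == "SSLProtocol":
            allowed = set()
            for tok in parts[1:]:
                if tok == "all":
                    allowed |= ALL_PROTOCOLS
                elif tok.startswith("-"):
                    allowed.discard(tok[1:])
                else:
                    allowed.add(tok.lstrip("+"))
            weak = sorted(allowed & WEAK_PROTOCOLS)
            if weak:
                findings.append((name, "weak protocols enabled: " + ", ".join(weak)))
        # Sample or test content mapped into the web root.
        elif name in ("Alias", "ScriptAlias") and re.search(r"sample|example|test", line, re.I):
            findings.append((name, "sample/example content exposed: " + parts[1]))
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports all three weaknesses, while a hardened configuration such as `Options -Indexes` with `SSLProtocol -all +TLSv1.2 +TLSv1.3` produces no findings.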
A strong Web application is typically deployed on a secure host (server) in a secure network using secure design and deployment guidelines. Because of the dependencies on the network environment, Web application security must be addressed in multiple layers, including securing the network, host, and application.