Rob Kraus | November 18, 2011
Recently, I had the pleasure of working with an organization doing a terrific job at hardening their network against attacks.
Servers locked down. Check!
Routers and switches secured. Check!
Clear-text protocols disabled. Check!
Applications secured. Whoops!
Company policies dictated strict adherence to National Institute of Standards and Technology (NIST) guidelines for hardening infrastructure, operating systems, and effective and secure use of protocols. This is a good start and helped the organization build secure software images for many of their desktop and server deployments.
However, on closer review, the organization was not deploying applications with the same rigor.
Build and deployment standards for the critical applications it ran had not received the same attention. No policies or procedures existed to ensure that applications went through the same meticulous preparation before deployment that the operating systems were subject to.
The organization took a lot of time to put together a great program for hardening infrastructure but forgot to include guidelines for secure application deployment.
That sounds complicated, you say? In some cases it can be, but in many cases it is as simple as asking. Many software vendors have already addressed security, at least to some extent, and have developed secure configuration guides for their customers.
Contacting your vendors and asking whether they provide guides for configuring and deploying their applications securely can significantly reduce vulnerabilities in your environment. Such guides are not limited to application settings; they may also cover configuration of the supporting servers, databases, firewalls, and other associated systems.
Some good guidelines to follow:
• Ensure corporate policies include directives for hardening applications.
• Consult your software vendors to determine whether they can provide a secure configuration or hardening guide.
• Ask vendors about secure configuration guidelines before purchasing their product.
• Ask vendors how they distribute updates that address vulnerabilities found in their applications.