Application Hardening means making the software on your servers and workstations more secure. Such software can be a service, a database or an app.
Workstations and servers run thousands of different kinds of software and services to provide the end-user with the functionality they need. However, this software (and services in particular) is exploitable by an attacker. So how does one practice application hardening? The first thing is to keep all systems and applications up to date.
System Patch Types
However, updates come in different flavours. Or sizes. Here’s a little list for you to memorize for the exam:
- Hotfix: Fixes a serious security issue and is not optional
- Patch: Provides additional functions and/or non-urgent fixes, which can sometimes be optional
- Service Pack: An assortment of hotfixes and patches to date
If you don’t know what a relational database is, you can catch up here. For all the other nerds that know what that is: read along (and get a life, NERD).
There are different ways to manage security in a DB (this will be the acronym for Relational Database here). They are arranged in Tier Models.
The least secure would be a single or one-tier model. In this model the DB and the APP (Software, Service or App) are on the same system/server/machine.
A level higher would be a 2 Tier model, in which you separate the DB and the APP on different systems. The APP might be running on a client and the DB on a Server.
We can take that model up a notch by adding one Tier more. And thus making a 3 Tier model (I know, mind blown).
In this model the DB and the APP are separated like in the 2 Tier model, but we add another Tier. A kind of man-in-the-middle Tier to which the APP sends requests, where they get evaluated. If the evaluation was successful, the middle Tier reads the data and sends it to the APP.
Needless to say, this might be the best arrangement for application hardening.
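To make the 3 Tier idea concrete, here is an added example (not code from the original post) of a minimal middle Tier in Python. The APP tier never touches the DB; it sends a request to the middle tier, which evaluates it (session token, whitelisted fields, well-formed id, record ownership) and only then reads from the DB on the APP's behalf. The DB is an in-memory SQLite database with constructed sample rows, and the class and function names are hypothetical.

```python
import re
import sqlite3

# DB tier stand-in: constructed sample data in an in-memory SQLite database.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, owner TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "alice", "alice-work@example.com"),
    ])
    conn.commit()
    return conn


class MiddleTier:
    """Hypothetical middle tier: the only component that talks to the DB.
    Every request is evaluated first; nothing not explicitly allowed gets through."""

    ALLOWED_FIELDS = {"id", "email"}          # columns the APP may ask for
    _ID_RE = re.compile(r"^[1-9][0-9]*$")     # a customer id is a positive integer, nothing else

    def __init__(self, conn, sessions):
        self._conn = conn
        self._sessions = sessions  # constructed token -> username map standing in for real auth

    def evaluate(self, request):
        """Return (True, username) if the request may proceed, else (False, reason)."""
        user = self._sessions.get(request.get("token"))
        if user is None:
            return False, "unauthenticated"
        fields = request.get("fields", [])
        if not fields or not set(fields) <= self.ALLOWED_FIELDS:
            return False, "field not allowed"
        if not self._ID_RE.match(str(request.get("customer_id", ""))):
            return False, "bad id"
        return True, user

    def handle(self, request):
        ok, detail = self.evaluate(request)
        if not ok:
            return {"status": "denied", "reason": detail}
        user = detail
        fields = sorted(request["fields"])
        # Column names come only from the whitelist checked above; the values are bound parameters.
        cols = ", ".join(fields)
        row = self._conn.execute(
            f"SELECT {cols} FROM customers WHERE id = ? AND owner = ?",
            (int(request["customer_id"]), user),
        ).fetchone()
        if row is None:
            # Ownership is enforced in the query itself: other users' rows look like they do not exist.
            return {"status": "denied", "reason": "not found or not yours"}
        return {"status": "ok", "data": dict(zip(fields, row))}


def app_lookup(tier, token, customer_id, fields):
    """APP tier: has no DB connection at all, it can only ask the middle tier."""
    return tier.handle({"token": token, "customer_id": customer_id, "fields": fields})


def make_demo_tier():
    """Wire the constructed DB and sessions together for a quick demo."""
    return MiddleTier(build_sample_db(), {"tok-alice": "alice", "tok-bob": "bob"})


if __name__ == "__main__":
    tier = make_demo_tier()
    print(app_lookup(tier, "tok-alice", 1, ["email"]))        # ok, alice's own row
    print(app_lookup(tier, "tok-bob", 1, ["email"]))          # denied, not bob's row
    print(app_lookup(tier, "tok-alice", "1 OR 1=1", ["email"]))  # denied, bad id
```

The point of the middle tier is that the evaluation step is the only road to the data: the APP cannot skip it, and a compromised APP still only gets what the middle tier is willing to read for that session.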
If you write your own software you should make sure to implement good exception handling. It’s critical for application hardening.
Don’t just output the whole exception message when you catch it, rather give some obscure output like “Please contact the sysadmins”.
Why? For three reasons:
First of all, if you output the whole exception message and stack trace, an intruder gains a massive amount of intel about the flaws in your software.
Second, a user usually can’t even understand what a NullPointer is. Yet you expect them to do something with an exception stack? Who are you fooling? You’re just being lazy.
And the most important reason: if you just put “Please contact the sysadmins” on every unhandled exception, the sysadmins are going to love you for providing them with so many phone calls from users 😛
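As an added example (not code from the original post), here is the leaky handler beside the hardened one in Python. The leaky version hands the full stack trace to the user; the hardened version writes it to the server-side log under a short reference id and gives the user only the generic “contact the sysadmins” message plus that id, so the sysadmin taking the call can find the log entry. The profile data and the `load_profile` function are constructed stand-ins; the handler names are hypothetical.

```python
import logging
import traceback
import uuid

# Server-side log: the sysadmins read this, the user never does.
logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("app")

# Constructed sample data: "u2" is a malformed record so that reading it raises an unexpected error.
SAMPLE_PROFILES = {
    "u1": {"display_name": "Alice"},
    "u2": None,
}


def load_profile(user_id, profiles):
    """Constructed business logic: KeyError for an unknown id, TypeError for a malformed record."""
    return profiles[user_id]["display_name"]


def leaky_handler(user_id, profiles):
    """The 'before': echoes the exception type, message and stack trace back to the user."""
    try:
        return 200, load_profile(user_id, profiles)
    except Exception:
        return 500, traceback.format_exc()


def hardened_handler(user_id, profiles):
    """The 'after': expected failures get a specific, harmless message; anything unexpected is
    logged in full on the server and the user only sees a generic message with a reference id."""
    try:
        return 200, load_profile(user_id, profiles)
    except KeyError:
        # An expected condition, handled explicitly: no stack trace needed anywhere.
        return 404, "Profile not found."
    except Exception:
        ref = uuid.uuid4().hex[:8]
        # Full detail stays server-side, keyed by the reference the user will quote on the phone.
        log.error("ref=%s unhandled error while loading profile %r\n%s",
                  ref, user_id, traceback.format_exc())
        return 500, f"Something went wrong. Please contact the sysadmins and quote reference {ref}."


if __name__ == "__main__":
    print(leaky_handler("u2", SAMPLE_PROFILES))     # 500 plus the whole traceback
    print(hardened_handler("u2", SAMPLE_PROFILES))  # 500 plus a generic message and a reference id
    print(hardened_handler("u9", SAMPLE_PROFILES))  # 404, handled as an expected case
```

Handling the expected cases (here the `KeyError`) separately matters as much as hiding the trace: the fewer things fall through to the generic branch, the fewer phone calls the sysadmins get.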