Did you know that the vast majority of internet attacks nowadays are focused on web applications and web servers in general? Almost any business has an online presence with a website, an e-commerce web application, a web front end with a database at the back, and so on.
Hackers have found ways to infiltrate internal networks via those web applications, which most of the time are insecurely coded and full of vulnerabilities. Attacks and exploits range from code injection and SQL injection to cross-site scripting (XSS) and more. Via those exploits, attackers can steal sensitive information from the databases behind the web apps, or even manage to gain shell access on the database or web server itself. Gaining shell access allows the attacker to create a “pivot-point” from where he can execute further attacks to get deeper into the network.
The following are some important suggestions to follow for hardening your web applications:
- First and most important is to adopt secure coding. Your software developers, the vendor from whom you purchased the web application, or whoever designed and coded your website must have implemented security inside the code itself. Some examples include the filtering of input data in web forms (to block SQL injection or XSS), the avoidance of buffer overflows, the avoidance of remote file injection and local file injection etc.
- Don’t allow the web server to communicate with the database as an administrator user (sa).
- Don’t run the web server or the database server with administrator privileges.
- Configure egress firewall filtering in order to prohibit the database from communicating with the outside world.
- Remove command execution (e.g. xp_cmdshell) capability on the database.
- And of course harden all software and applications with the latest patches.
- Implement host intrusion detection and log monitoring.
Those are some of the most important steps you need to take to enhance the security of your web-apps and backend databases.
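
The database-side items in the list (no sa connection from the web application, no xp_cmdshell) can be audited and corrected on Microsoft SQL Server with a short T-SQL script. This is an added example, not part of the original article; the names `webapp_login`, `webapp_user` and `ShopDb` and the password placeholder are hypothetical.

```sql
-- Added example: audit and harden a SQL Server instance.
-- Run as an administrator from SSMS or sqlcmd.

-- 1. Audit: is xp_cmdshell enabled? (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Audit: which enabled logins hold the sysadmin server role?
--    The web application's login should not appear in this result.
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
  AND p.is_disabled = 0;

-- 3. Remediate: switch xp_cmdshell off, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Remediate: give the web application its own low-privilege login
--    instead of sa. Login, user and database names are hypothetical;
--    the password is a placeholder to replace with a generated secret.
CREATE LOGIN webapp_login WITH PASSWORD = '<REPLACE-WITH-GENERATED-SECRET>';

USE ShopDb;  -- hypothetical application database
CREATE USER webapp_user FOR LOGIN webapp_login;

-- Grant only the data access the application needs, nothing server-wide.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO webapp_user;

-- 5. Verify: a value of 1 here means the application login is still
--    a server administrator and step 4 has not taken effect.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS is_sysadmin;
```

After running it, change the web application's connection string to use the new login and confirm the application still works before removing its old credentials.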