9 tips to improve the security of your web applications

Whether you are a student, a TV show fan, a small online shop, a small enterprise or a large corporation, you likely have a web site connected to the World Wide Web. You probably did not develop your website in PHP or Java yourself but rather used one of the existing (some free of charge) frameworks available, like WordPress for your blog, PrestaShop for your online shop, Odoo, Drupal, Joomla or even Adobe CQ. While you can use a “cloud” version of these applications, you might also have decided to manage it yourself on your own server or through a hosting service like OVH, HostGator or Ikoula.

If you have decided to manage it yourself, here are a few tips to ensure your server(s) are secure and remain so:

  1. Use very strong passwords: at least 14 characters, mixing uppercase, lowercase, digits and special characters, and a different one for every account (a password manager makes this painless). Change a password as soon as you suspect it may have been compromised; rotating on suspicion matters more than rotating on a calendar, and forced periodic changes are no longer recommended by NIST (SP 800-63B). Where the application supports it (WordPress and most hosting panels do), enable two-factor authentication on the administrative accounts.
  2. If possible, rename or disable the default admin user (such as admin or root) in favour of something less common, and use personal accounts: every admin should have their own user and password, so that actions in the logs can be traced to a person. When someone leaves the company, remove their account from the server immediately and change any shared secrets they knew.
  3. Patch regularly (at least weekly) your systems (the OS, Linux or Windows Server), your middleware (Apache or IIS), your database (MySQL, PostgreSQL, MSSQL) and your application (WordPress, Odoo), including its plugins and themes, which are a frequent entry point. Nowadays most systems notify you when an update is available.
  4. Ideally, you should have a separate test environment: a second (set of) server(s), which we will call the acceptance system, replicating exactly the one you use for public access (the “production system”), on which you first check that patches do not disrupt, corrupt or break anything (it does happen).
  5. Disable any unused services on your server(s): telnet (prefer SSH), FTP (use SCP or SFTP over SSH instead), IMAP, POP3 or SMTP (unless you use the server as a mail relay), Samba and anything else you won't use. Check what is actually listening (ss -tlnp or netstat -tlnp on Linux) rather than guessing, and make sure you keep a working way to access your server before disabling anything. For Linux machines, automated hardening and audit tools such as Bastille or, more recently, Lynis can help you harden your server.
  6. For database access, use a dedicated database user per application (and per environment), granted only the privileges that application needs on its own database (typically SELECT, INSERT, UPDATE and DELETE on that one database); never point the application at the database's admin or root account. If possible, restrict database connections to localhost (bind the database to 127.0.0.1 when it runs on the same machine) or to the IP of your front-end application.
  7. If possible, force encrypted communication by using TLS (HTTPS instead of HTTP). For that you need a certificate issued by a publicly trusted certificate authority (not a self-signed one, which your customers' browsers will not recognise). Free certificates recognised by all major browsers are available from Let's Encrypt; StartCom, which used to offer them, is no longer trusted by browsers. Once your certificate is installed, check the configuration with the free online SSL Labs analysis tool. If you need help configuring TLS on Apache, use Mozilla's SSL Configuration Generator, and once HTTPS works, redirect all HTTP requests to HTTPS.
  8. To prevent attacks such as clickjacking or protocol downgrade (a man-in-the-middle stripping HTTPS from the connection), configure the HTTP(S) response headers your server sends (see the OWASP Secure Headers project for details): X-Frame-Options or a Content-Security-Policy frame-ancestors directive against clickjacking, Strict-Transport-Security (HSTS) to keep browsers on HTTPS, X-Content-Type-Options: nosniff against MIME sniffing, and so on. Practically, you can check the status of your server's headers on Scott Helme's very useful and user-friendly SecurityHeaders.io website (now securityheaders.com). Based on the result of the analysis, the site tells you what to change to improve your headers (again, for free).
  9. Scan your server(s) to detect known vulnerabilities. This is still possible for free with services such as BitNinja, or with one of the market leaders like Qualys. If you run a Windows server, you can download the Microsoft Baseline Security Analyzer (MBSA) and run it against your server; note that Microsoft no longer maintains MBSA, so on current Windows versions rely on Windows Update and the Microsoft Security Compliance Toolkit instead.
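The header checks behind tip 8 (and the HSTS part of tip 7) are easy to automate yourself. The script below is an added example, not code from the original post nor from the OWASP or SecurityHeaders projects: it parses the header block of an HTTP response and reports what is missing or weak, using the header names recommended by the OWASP Secure Headers project. The two responses it is run against are constructed for the example (no real site was captured), and the six-month HSTS minimum and the version-leak check on Server and X-Powered-By are choices made for this example, not OWASP requirements.

```python
"""Offline audit of HTTP response headers against the OWASP Secure Headers
recommendations. Added example, not code from the original post; the sample
responses at the bottom are constructed, not captured from a real server."""

from typing import Dict, List

# Minimum HSTS lifetime accepted here: six months in seconds. This threshold
# is this example's choice (the HSTS preload list demands a full year).
MIN_HSTS_MAX_AGE = 15552000


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response (e.g. curl -sI output)
    into a dict keyed by lower-cased header name. The status line is skipped,
    a blank line ends the block, and a repeated header is joined with ', '."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line: body starts, stop parsing
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the list of findings for a parsed header dict (empty = nothing to fix)."""
    findings: List[str] = []
    csp = headers.get("content-security-policy", "")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: set X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")

    # HTTPS stripping after the first visit: HSTS with a meaningful lifetime.
    age = hsts_max_age(headers.get("strict-transport-security", ""))
    if age < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts: Strict-Transport-Security missing or max-age too short ({age})")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime sniffing: set X-Content-Type-Options: nosniff")

    if not csp:
        findings.append("csp: no Content-Security-Policy")

    if "referrer-policy" not in headers:
        findings.append("referrer: set Referrer-Policy")

    # Information leakage: a version number in Server or X-Powered-By.
    for leak in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in headers.get(leak, "")):
            findings.append(f"leak: {leak} reveals a version ({headers[leak]})")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)) or ["ok"])
```

To run it against your own server, feed it the output of curl -sI https://your-site/ (the header block in the same shape as the samples). The weak response produces seven findings, the hardened one none. The checks are a subset of what securityheaders.com reports, so treat the script as a quick regression check after changing your Apache or IIS configuration, not as a replacement for the online analysis.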