General Web Application Security Strategies

Some of the most important steps you can take to protect your web application and make it resilient to common compromise techniques . This is by no means an exhaustive list, but instead is more of a “top ten” things to check.

Backup host, website, and database

Make sure you have working, regular backups of your host OS, website and (if applicable) database. Common mistakes include not backing up frequently enough (or at all) and not having a cleanly restorable copy of the database content.

Patch, Patch, Patch

Keep up to date with available patches for your OS, web applications, libraries, and any add-ons. Join application and security-related mailing lists, and check regularly for updates so that you do not miss patching an announced vulnerability.

Get Behind a WAF

A Web Application Firewall (WAF) can not only protect your application from many common types of exploits, but many WAF vendors offer “virtual patching” that automatically update their WAFs to block known exploits of vulnerable applications.

Secure Your Application Logins

You should take measure to protect your site’s login credentials and login processes:

  • All administrative and authenticated traffic to your website should be over https, using a valid SSL certificate.
  • If possible, limit administrative access to your website to on-campus and VPN access only.
  • By eliminating local-to-the-application logins and using CAS logins (aka GT accounts, login.gatech.edu), you gain many benefits, including (in some cases) multi-factor authentication, centrally managed passwords & resets, and the elimination of brute-force login attempts against your application. 
  • If you must have local-to-the-application users and passwords (including admin accounts), make sure that passwords are chosen wisely and changed periodically.
Keep it Separate

Don’t allow a web application compromise to lead to further unauthorized access to your resources. Deploy your web server in a DMZ network whose access policies limit the resources it can access (e.g. don’t run your web server on the same network as your desktops or your file server).

Configure, stash, and know your logs

When something does go wrong, log analysis may be your only forensic tool:

  • Log all accesses to your web application, including application-specific information, such as user login information.
  • If possible, log remotely as well as locally, so that a compromised or incapacitated server doesn’t render logs untrustworthy or unavailable (GT Cyber Security offers remote logging services for Unix and Windows servers).
  • Retain your logs for as long as you can afford to do so (at least 6 months?).
  • Know the format of log events that normal, legitimate traffic to your website generate, so that if you have to later examine your logs for anomalies, you will be able to identify suspicious activity.
Keep an eye on your files

Consider running tripwire, or something similar, to alert you of changes to files in your document root directory. Some web application-specific add-ons have started to offer similar functionality (e.g. for WordPress, see the free plugins Wordfence and Sucuri).




Harden the server

To prevent web application exploits from escalating to OS-level exploits, harden your OS. For linux, consider deploying SELinux.

Keep it secret

Make sure to implement proper SSL access for your site. Make SSL mandatory for the download and submission of sensitive data to the site, as well as for any and all administrative access.

Use OIT Webhosting for LAMP stack applications

If your site is PHP-based (custom code, WordPress, Drupal, Joomla!, etc), strongly consider running it on OIT Webhosting. Not only does it provide protection via a robust WAF, it brings self-service utility to many of the items listed above.