Application server security introduction

The application server is a critical system component upon which the Sterling™ Order Management System Software applications run.

However, unlike the operating systems and database management systems, the Center for Internet Security (CIS) currently does not have hardening benchmarks for application servers such as Oracle WebLogic.. Security Technical Implementation Guides (STIG) or hardening checklists produced by the Defense Information Systems Agency (DISA) are written for a generic application server. Given the lack of consensus-built and publicly peer reviewed hardening checklists, it is recommended that you work with your application server vendor for the overall hardening recommendations.

At IBM® developerWorks®, experts at IBM have provided recommended hardening measures to strengthen the security of a WebSphere® Application Server environment.

Here are a few basic best practices to consider making your application server and web server more secure. Configuration settings for each project are different, so work with your application server or web server vendor on specific implementation.
  • Enable only those application and web server functions that are absolutely necessary. Default server configurations often expose a wide variety of services unnecessarily increasing the risk to the system.
  • Consider Transport Layer Protection controls:
    • Only use secured Web communications. Enable SSL/TLS to protect data when it is being transmitted.
    • Only use strong SSL Cipher Suites - Attackers could view and modify seemingly encrypted SSL communications, resulting in a breach of confidentiality and integrity. Entire sessions could be compromised.
    • Enhance the application security to only send cookies over a secure channel by configuring the secure attribute.
      Note: As a prerequisite, deploy the application on Servlet Container version 3.0, and ensure that the web.xml file is compatible with version 3.0.
      The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish this goal, browsers that support the secure attribute sends cookies with the secure attribute when the request is going to an HTTPs page. This means that the browser does not send a cookie with the secure attribute set over an unencrypted HTTP request.
      To configure secure attribute for the session cookie, apply the following configuration in the WEB-INF/web.xml file of the target application and then restart your application server.
      <session-config>
   <cookie-config>
	<secure>true</secure>
   </cookie-config>
</session-config>

      For more information about the secure attribute, see Secure Cookie Attribute.

    • Consider restricting cookies to HTTP only. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
    For more information on securing the transport layer of your environment, refer to the Open Web Application Security Project (OWASP) article called Transport Layer Protection Cheat Sheet, which provides guidance on securely designing and configuring transport layer security for an application.
  • Disable Information Disclosure by your web server wherever possible – Web server data or debugging information, such as web server type, or certain HTTP error messages can be used as clues to form an attack against your system. Web server configurations often are set to reveal this type of information by default. Consider disabling these features:
    • Disclosing web server type and version information
    • Directory listing requests
    • Disclosing information about invalid Directory listing requests
    • HTTP OPTIONS requests
    • HTTP TRACE requests
The following topics provide guidance on how to secure specific critical resources in application servers upon which Sterling Order Management System Software applications rely: