
Web security benchmarks

Learn how to increase your security posture and what resources are available to security administrators who want to quickly ramp up the posture of the systems they protect.

Most security administrators are familiar with the estimate that 90% of successful Web server penetrations could have been prevented by simple administrative safeguards, such as monitoring security bulletins and maintaining an adequate patch level. Indeed, you've probably read numerous articles and tips like this one offering you ideas on how to increase your security posture. But how often do you put these ideas into practice?

Fortunately, there are a number of wonderful resources out there for administrators seeking to quickly ramp up the security posture of their protected systems. If you simply commit to spending a few hours each week tackling a few of the most common vulnerabilities, you'll quickly make great strides towards improving your network security. Let's take a look at some of the more useful security benchmarks available today:

  • Microsoft's Security Checklists offer operating system and application-specific advice in an easy-to-understand manner. Their site includes almost 20 different checklists and resource guides designed for various Microsoft products.

  • One of the best sources around for security benchmarks is the Center for Internet Security. They offer baseline configurations for operating systems, applications and network devices and also provide benchmark assessment tools. These automated tools compare the configuration settings of various Windows/Unix systems against the benchmark's recommendations and provide you with a security "score" that reflects how many of those recommendations the system meets.

  • The SANS Top 20 Most Critical Internet Security Vulnerabilities list is continuously updated by SANS and the FBI to include what they judge to be the greatest threats out there. If you only have time to fix a few things, this should be your shopping list.

  • If you're running Unix systems on your network, you'll probably want to read the CERT UNIX Security Checklist. It provides four detailed sections offering advice on securing the basic Unix operating system, major Unix services, specific versions of Unix and basic patching.

  • Application developers should check out the Web Application Security Checklist on Enterprise IT Planet. This checklist provides a decent template for incorporating security into Web applications.
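To make concrete what a benchmark assessment tool actually does when it "scores" a system, here is an added example (written for this page, not code from CIS, SANS, CERT or the article's author). It reads an OpenSSH sshd_config, checks a handful of benchmark-style rules, and reports a pass percentage. The sample configuration is constructed, the rule identifiers (SSH-1 and so on) are invented for the example, and the per-directive defaults used when a directive is absent are assumed OpenSSH defaults; a real benchmark carries many more rules and knows the exact defaults for the version it targets. The point it illustrates is that a scorer must evaluate the effective setting, including what the daemon does when a directive is simply missing, not just grep for keywords.

```python
"""Minimal benchmark-style configuration checker (added example, not a CIS tool)."""
from typing import Callable, Dict, List, NamedTuple

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample for the example
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
"""


class Rule(NamedTuple):
    rule_id: str                  # identifier invented for this example
    directive: str                # sshd_config keyword (matched case-insensitively)
    default: str                  # value assumed when the directive is absent (assumed OpenSSH default)
    check: Callable[[str], bool]  # returns True when the effective value is acceptable
    description: str


RULES: List[Rule] = [
    Rule("SSH-1", "Protocol", "2,1", lambda v: v.strip() == "2",
         "Only SSH protocol 2 enabled"),
    Rule("SSH-2", "PermitRootLogin", "yes", lambda v: v.lower() == "no",
         "Direct root login over SSH disabled"),
    Rule("SSH-3", "PasswordAuthentication", "yes", lambda v: v.lower() == "no",
         "Password authentication disabled (keys only)"),
    Rule("SSH-4", "X11Forwarding", "no", lambda v: v.lower() == "no",
         "X11 forwarding disabled"),
    Rule("SSH-5", "MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4,
         "At most 4 authentication attempts per connection"),
    Rule("SSH-6", "PermitEmptyPasswords", "no", lambda v: v.lower() == "no",
         "Empty passwords rejected"),
]


class Result(NamedTuple):
    rule_id: str
    passed: bool
    observed: str
    description: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercase directive: value} for the global section of an sshd_config.

    Blank lines and lines starting with '#' are comments. sshd honours the first
    occurrence of a directive, so later duplicates are ignored here as well.
    Simplification: 'Match' blocks are not modelled; their directives are treated
    as global, which a real assessment tool must not do.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def evaluate(settings: Dict[str, str]) -> List[Result]:
    """Apply every rule to the effective value (explicit setting or assumed default)."""
    results: List[Result] = []
    for rule in RULES:
        value = settings.get(rule.directive.lower())
        if value is None:
            effective = rule.default
            observed = f"{rule.default} (directive absent, assumed daemon default)"
        else:
            effective = observed = value
        results.append(Result(rule.rule_id, rule.check(effective), observed, rule.description))
    return results


def score(results: List[Result]) -> float:
    """Percentage of rules passed, rounded to one decimal place."""
    if not results:
        return 0.0
    return round(100.0 * sum(r.passed for r in results) / len(results), 1)


if __name__ == "__main__":
    outcome = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for r in outcome:
        print(f"{r.rule_id} {'PASS' if r.passed else 'FAIL'}  {r.description}  [observed: {r.observed}]")
    print(f"score: {score(outcome)}%")
```

Run against the constructed sample, three of the six rules pass (Protocol, X11Forwarding, and PermitEmptyPasswords via its assumed default), giving a score of 50.0. Swapping the sample for `/etc/ssh/sshd_config` on a real host works unchanged, but remember the two caveats in the parser's docstring before trusting the number.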

All of these benchmarks and checklists offer you a great starting point for enhancing the security of your environment. However, keep in mind that security is more than just checking a bunch of boxes -- it's a state of mind!

More Information

Learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network.

Take an in-depth look at how Web sites are attacked and how to reduce the likelihood that an attack is successful.



About the Author

Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was last published in September 2005
