Security Basics mailing list archives

Re: Web Application Security


From: "Jason Thompson" <securitux () gmail com>
Date: Tue, 22 Jan 2008 12:46:34 -0500

Is the application hosted on a shared web server and application
server or does the web / app have its own hardware?

If it's shared your options are fairly limited. I know this sounds
basic, but I'd have a vulnerability assessment done on the web app
which should reveal things such as frames and cross-<whatever>
scripting vulnerabilities that can allow phishing, as well as other
issues with the app which are likely the result of poor coding. I've
done a number of these recently because of customers having their app
hosted and being unable to add much protection. And the issues I find
are usually coding problems. For monitoring you can have the logs from
the web application sent to a centralized repository for analysis if
logging of requests and responses is built into the app. I think the
hosting provider should provide you access to the logs of your web
instance as well. It's a more reactive solution but combined with
proper proactive coding practices you'll be in better shape than 90+%
of the other apps out there.

Also, if the provider is responsible for that server, then they should
have some sort of SLA / policy around security and maintenance. Make
sure they are adhering to it... or that they have one.

-J

On 22 Jan 2008 06:39:13 -0000,  <mahendra_yn () yahoo com> wrote:
Hi all,

I need to harden a web application which is hosted in a datacentre. I need
to monitor the web application 24/7. I also need to ensure that there would
be no phishing attacks on this website. I know there are a couple of 3rd
party web application firewalls available which can do all this, but the
question is: will the datacentre allow me to do this, as a 3rd party
service provider? If it doesn't allow it, then what are the other best
options available for me?

Thanks!
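The log-review approach described in the reply above (collecting the application's request logs centrally and analyzing them for the cross-site scripting and redirect/frame issues an assessment tends to turn up), as an added example. This is not code from either message in the thread. It assumes the hosting provider hands back logs in Apache/nginx "combined" format, that the application's own hostnames are known (the `own_hosts` set is hypothetical), and the sample log lines are constructed for the example.

```python
"""Scan web-server access logs for requests that look like cross-site
scripting probes or off-site redirect/frame abuse. Added example for the
thread above; the log format and sample lines are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" log format (assumed format for the hosted app).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markers of script injection in a decoded parameter value.
XSS_RE = re.compile(
    r'<\s*script|javascript:|on(?:error|load|mouseover)\s*=|<\s*iframe', re.I
)

# Parameter names commonly used for redirect or frame targets; a value that
# points off-site is phishing-relevant. Hypothetical list, extend per app.
REDIRECT_PARAMS = {"url", "next", "redirect", "return", "dest", "target", "frame"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2008:12:46:34 -0500] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jan/2008:12:47:01 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2008:12:48:13 -0500] "GET /login?next=http://evil.example/steal HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2008:12:49:40 -0500] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
]


def analyze_line(line, own_hosts):
    """Return (client_ip, [(finding, param, value), ...]) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        # Keep unparsable lines visible instead of silently dropping them.
        return ("?", [("unparsed", None, line.strip())])
    findings = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded payloads
        # (%253C -> %3C -> <) are seen the way a naive app would see them.
        decoded = unquote_plus(value)
        if XSS_RE.search(decoded):
            findings.append(("xss_probe", name, decoded))
        if name.lower() in REDIRECT_PARAMS:
            host = urlsplit(decoded).hostname
            if host and host.lower() not in own_hosts:
                findings.append(("offsite_redirect", name, decoded))
    return (m.group("ip"), findings)


def scan(lines, own_hosts):
    """Flatten findings across a log into (ip, finding, param, value) rows."""
    report = []
    for line in lines:
        ip, findings = analyze_line(line, own_hosts)
        for finding in findings:
            report.append((ip,) + finding)
    return report


if __name__ == "__main__":
    for row in scan(SAMPLE_LOG, {"shop.example"}):
        print("%-14s %-17s %-6s %s" % row)
```

Run this against the provider's log export on a schedule; the `unparsed` rows tell you when the log format changed, and the two finding types map directly to the XSS and frame/redirect issues a vulnerability assessment would flag in the code itself.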
