Back to the Basics #8: Application Security

When covering application security, there are three basic application types you should consider:

  1. Standard applications that you install directly on your server’s operating system and run only when you need them
  2. Applications that are run as daemons or services, starting at boot time and continuing to run as long as the server is on
  3. Web applications that run with server-side scripting systems such as PHP or Perl, or client-side applications, such as those written in JavaScript

To secure each type, you need to take unique precautions.

For standard applications, the most important thing you can do to secure them is keep them updated. Anytime an update comes out for an application on your server, there is a good chance that there are security fixes in the update. Therefore, updating is the best way to avoid unnecessary security holes.

Daemons also need updates, but since they run on your virtual private server all the time, you should also consider adjusting how they are executed. The most obvious way to start a daemon and keep it running on your server is to run it as the root user, but this is definitely not the most secure method: a flaw in a daemon running as root hands full control of the server to whoever exploits it. Instead, you should create a unique user (or users) for running your services, so that a compromised daemon is limited to what that account can touch.
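To make the root-versus-dedicated-user choice concrete, here is an added example (not from the original post) that assumes systemd as the init system: a unit for a hypothetical daemon `exampled` in its weak form (no `User=`, so it runs as root) beside its hardened form, plus a small check over `ps` output for daemons that are still running as root. The daemon name, the `exampled` account and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal systemd unit for a
# hypothetical daemon "exampled" with the weak choice (no User=, so root)
# beside the hardened one, plus a check for daemons still running as root.
# The daemon name, account name and paths are assumptions for illustration.

# Weak: without User=, systemd starts the service as root.
WEAK_UNIT='[Unit]
Description=exampled (runs as root)

[Service]
ExecStart=/usr/local/bin/exampled'

# Hardened: a dedicated non-login system account, created once with
#   useradd --system --no-create-home --shell /usr/sbin/nologin exampled
HARDENED_UNIT='[Unit]
Description=exampled (runs as a dedicated user)

[Service]
User=exampled
Group=exampled
ExecStart=/usr/local/bin/exampled
NoNewPrivileges=yes
ProtectSystem=strict'

# Print the account a unit runs as; root when User= is absent.
service_user() {
    u=$(printf '%s\n' "$1" | sed -n 's/^User=//p')
    printf '%s\n' "${u:-root}"
}

# Given "user command" lines (the shape of `ps -eo user,comm`) and a
# space-separated list of daemons that must not be root, print offenders.
audit_root_daemons() {
    printf '%s\n' "$1" | while read -r user cmd; do
        [ "$user" = root ] || continue
        case " $2 " in *" $cmd "*) printf '%s\n' "$cmd" ;; esac
    done
}

# Constructed sample in the shape of `ps -eo user,comm` output, not a real capture.
SAMPLE_PS='root systemd
root sshd
root exampled
postgres postgres
redis redis-server'

echo "weak unit runs as:     $(service_user "$WEAK_UNIT")"
echo "hardened unit runs as: $(service_user "$HARDENED_UNIT")"
audit_root_daemons "$SAMPLE_PS" "exampled redis-server postgres"
```

On a live server, feed the audit with real output from `ps -eo user:20,comm` (the wider column keeps procps from truncating long account names) and your own list of services that should run unprivileged.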

Web applications should be written well, checked for vulnerabilities, and updated frequently. You should also consider using an application firewall to add another layer of security. We will take a closer look at web applications in part 10 of this “Back to Basics” series.