The Center for Internet Security (CIS) has released two new consensus security benchmarks, for the Apache Tomcat 5.5-6.0 application server and the IBM DB2 v8.0-9.5 relational database management system.
The company said that the new benchmarks are prescriptive controls guides for securely configuring systems that power business applications. The company also unveiled updated versions of three existing security benchmarks, including Apple iPhone 3.1.2, the HP-UX 11i v1.5.0 Unix operating system, and the VMware ESX 3.5 virtualisation server.
Apache Tomcat is an open source software implementation of the Java servlet engine and runs web applications across a range of industries and organisations. The CIS security configuration benchmark for Apache Tomcat versions 5.5-6.0 provides prescriptive guidance for establishing a secure configuration posture for developing, deploying, assessing or securing offerings that incorporate Apache Tomcat on a Linux platform.
According to CIS, the recommendations cover twelve security categories for Apache Tomcat versions 5.5-6.0, which include installation considerations, removing extraneous resources, limiting server platform information leaks, protecting the shutdown port and Tomcat configurations, configuring realms, connector security, establishing and protecting logging facilities, configuring Catalina policy, application deployment, and other configuration settings considerations.
The CIS security configuration benchmark for DB2 versions 8.0-9.5 provides prescriptive configuration guidance for establishing a secure posture for developing, deploying, assessing or securing offerings that incorporate DB2 on Linux, Unix, and Windows platforms, the company said.
In addition, the recommendations cover nine categories for DB2 versions 8.0-9.5, which include installation and patches, DB2 directory and file permissions, DB2 configurations, label-based access controls (LBAC), database maintenance, securing database objects, entitlements, general policy and procedures, and DB2 utilities and tools.
Blake Frantz, CTO for the Center for Internet Security, said: “The CIS community expressed a need for additional guidance securing the tiers that define their business logic and store their data – the Apache Tomcat and IBM DB2 benchmarks are a response to that need. We thank the CIS community for their contributions to these important benchmarks.”