
The Center for Internet Security Announces Industry's Only Consensus Security Benchmarks for Apache Tomcat and IBM DB2

CIS wraps up 2009 with new user-driven security configuration standards to encourage safer security practices

Washington, DC - December 18, 2009 - The Center for Internet Security (CIS) today announced the public release of two new consensus security benchmarks, one for the Apache Tomcat 5.5-6.0 application server and one for the IBM DB2 v8.0-9.5 relational database management system. The new benchmarks are the only prescriptive controls guides available today for securely configuring these widely used systems, which power a broad range of business applications. The benchmarks are available as free downloads at http://cisecurity.org/en-us/?route=downloads.

"The CIS community expressed a need for additional guidance securing the tiers that define their business logic and store their data - the Apache Tomcat and IBM DB2 benchmarks are a response to that need," said Blake Frantz, chief technology officer for Center for Internet Security.

In addition, CIS announced the availability of updated versions of three existing consensus security benchmarks: Apple iPhone 3.1.2; HP-UX 11i v1.5.0 UNIX operating system; and VMware ESX 3.5 virtualization server.

"We thank the CIS community for their contributions to these important benchmarks," added Frantz.

CIS Security Configuration Benchmark for Apache Tomcat 5.5-6.0
Apache Tomcat is an open source implementation of the Java servlet specification and is one of the most widely used application servers in the Java development community. Tomcat runs numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Organizations using Tomcat are advised to tighten the configuration of their systems in order to reduce exposure to threats introduced by local users and the possibility of sensitive information disclosure. By doing so, organizations can also ensure the availability of the processes that rely on Tomcat and have access to useful logging information when investigating security events.

The CIS Security Configuration Benchmark for Apache Tomcat versions 5.5 - 6.0 provides prescriptive guidance for establishing a secure configuration posture for developing, deploying, assessing or securing solutions that incorporate Apache Tomcat on a Linux platform. The recommendations cover twelve security categories including:

  • Installation considerations
  • Removing extraneous resources
  • Limiting server platform information leaks
  • Protecting the shutdown port and Tomcat configurations
  • Configuring realms
  • Connector security
  • Establishing and protecting logging facilities
  • Configuring Catalina policy
  • Application deployment
  • Other configuration settings considerations

CIS Security Configuration Benchmark for IBM DB2 v8.0-9.5
IBM DB2 is a market share and performance leader in relational database management systems. These systems manage vast amounts of information to support mission-critical business applications — and when breached can cripple an organization. While there are many causes of data breaches, the cornerstone of an effective data security policy is ensuring that the databases themselves are configured to be as secure as possible.

The CIS Security Configuration Benchmark for DB2 versions 8.0-9.5 provides prescriptive configuration guidance for establishing a secure posture for developing, deploying, assessing or securing solutions that incorporate DB2 on Linux, UNIX, and Windows platforms. The recommendations cover nine security categories including:

  • Installation and patches
  • DB2 directory and file permissions
  • DB2 configurations
  • Label-Based Access Controls (LBAC)
  • Database maintenance
  • Securing database objects
  • Entitlements
  • General policy and procedures
  • DB2 utilities and tools

The CIS Public-Private Collaboration Process
CIS guides are created using a consensus review process composed of volunteer and contract subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Because they are user-driven, CIS benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies.

By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, the benchmarks help organizations meet the configuration requirements of standards such as PCI and ISO, and of regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley.

CIS Community Acknowledgements
CIS Security Configuration Benchmark for Apache Tomcat versions 5.5 - 6.0

CIS extends its gratitude to Authors including Raymond Forbes.

CIS also extends its thanks to Contributors and Reviewers Harold Cochran; Mike de Libero, MDE Development, LLC; Jasaun Neff; Bedirhan Urgun, Turkcell; and other CIS Subject Matter Experts (SMEs) who participated in the Apache Tomcat benchmark.

CIS Security Configuration Benchmark for IBM DB2 versions 8.0-9.5

CIS extends its gratitude to Author Nam Wu, Qualys, Inc.

CIS also extends its thanks to Contributors and Reviewers Paul Griffiths, Goldman Sachs; David Futter; and other CIS Subject Matter Experts (SMEs) who participated in the IBM DB2 benchmark.

About CIS
The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for the secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit www.cisecurity.org.

# # #

All company and product names mentioned may be trademarks of the respective companies with which they are associated.

Media Contact:

Leslie Kesselring
Kesselring Communications
(503) 358-1012
leslie@kesselring.net