Skip to main content

Application hardening policies

Application hardening policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall software package security.


These policies are used during software package analysis to check your compiled code and inform you if any of the built-in validation rules are violated. Specifically, application hardening policies focus on detecting missing vulnerability mitigations in your software to prevent attackers from exploiting any security gaps.

In this context, application hardening gaps cover security issues detected in Windows and Linux binaries, like missing vulnerability protections, insecure coding practices, outdated toolchains, inadequate prevention methods, and missing fortified functions. Application hardening policies alert you if your Windows and Linux software has not been developed according to secure coding practices or if it is not employing common risk mitigation strategies. Advanced users of Spectra Assure can adjust how each policy violation is treated and add their own exceptions to policy configuration files.

In the Spectra Assure SAFE report, these policy violations can be found in the Application Hardening issue category and cause risk in the SAFE Assessment Hardening category.

Software developers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect an application hardening gap in a software package, its exact location is highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.

Security challenges and practicesโ€‹

Risk (or threat) mitigation is a collection of remedial actions, tools, and techniques used to identify and block potential threats or malicious activities found in your system, as well as lessen the impact of a cyber attack or data leak. Attackers can take advantage of any gaps in your software to access your sensitive information and cause some serious damage to your organization's resources and systems. Therefore, it is essential to detect and mitigate all potential vulnerabilities before your software reaches production.

With the threat landscape evolving rapidly and unpredictably, there is an increased need for risk mitigation strategies. Keeping security measures up to date is becoming a significant challenge for organizations. Thus, it is crucial to be adequately prepared to promptly resolve any security misconfigurations in your software and prevent them from being exploited. This is where application hardening comes in handy.

Application hardening refers to system protection methods that attempt to increase the natural immunity of operating systems or software applications by reducing their attack surface. Some techniques used to achieve this include Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), stack canaries, and more.

  • ASLR is a technique that works on the principle of randomization. Whenever a program is run, its libraries, stack, base, and heap are placed in unpredictable positions across the address space of a process, making their location more difficult to guess. It needs to be enabled together with DEP to be truly effective.
  • DEP is a security feature that prevents damage from security attacks attempting to run malicious code from system memory locations reserved only for data structures and variables. It needs to be enabled together with ASLR to be truly effective.
  • Stack canaries are a buffer overflow protection technique where a random value (the stack canary) is placed on the stack every time a function is called and is expected to stay unmodified the whole time the function is running. If the value changes, it is a strong indication of potential compromise.

In addition to employing various application hardening strategies, you can increase your software security if you use a memory-safe language whenever possible. However, this does not eliminate the need for vulnerability mitigations, which give your code another layer of protection. To avoid potential security gaps, a key step in your software development lifecycle is implementing relevant secure coding practices. Well-defined, realistic coding standards need to be established and applied consistently to promptly and efficiently catch bugs introduced in development, especially as your projects grow more complex and larger in scale. Clean code, reliable third-party components, secure code reviews, up-to-date toolchains, as well as proper error handling are all practical ways to ensure your software and your organization are kept safe.

Policies in this categoryโ€‹

Windows application hardening policies cover the following:

  • inefficiently implemented or missing vulnerability mitigations
  • insecure compilation and memory management practices
  • inadequate toolchain configuration

Linux application hardening policies cover the following:

  • inefficiently implemented or missing vulnerability mitigations
  • missing fortified functions
  • inadequate binary planting prevention

Windows application hardening policiesโ€‹

Show/hide all Windows application hardening policies

Linux application hardening policiesโ€‹

Show/hide all Linux application hardening policies