19.7. How do you develop secure composite applications without weaknesses?

The first step will be to develop security-friendly patterns of development: a set of frameworks for creating composite applications with inherently secure components. SAP will do its part by linking future versions of modeling tools such as SAP NetWeaver Visual Composer to the security operations layer of enterprise services, enabling enterprise architects to combine services in various combinations without explicitly focusing on security issues. But developers will need additional frameworks and special security training to guide them in designing applications that deflect common attacks such as cross-site scripting, in which malicious JavaScript code is entered into a web form; while the code won't harm the host machine, it is stored and then loaded by, and infects, the next unwitting customer who accesses your form. Learning to thwart these attacks isn't so much an ESA issue as a development-of-best-practices issue, but these issues will become much more tangible when critical processes begin to poke their heads out beyond the corporate firewall. SAP NetWeaver already includes frameworks to support secure programming. In addition, the SAP NetWeaver Developer's Guide includes a multiple-page security checklist for developers finishing their applications. The checklist leads off with questions such as:
Additional resources include the Secure Programming section on the SAP Developer Network (SDN; http://sdn.sap.com).
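The stored cross-site scripting case described above, shown as an added illustration (not code from the book or from SAP NetWeaver): a form comment is saved and later rendered to every subsequent visitor, first verbatim and then with HTML output encoding. The comment strings and function names are constructed for this example.

```python
import html

# Constructed sample data: text that visitors typed into a "comment" field on a
# web form. The application stores it and shows it to every later visitor.
STORED_COMMENTS = [
    "Great product!",
    "<script>alert('xss')</script>",  # a script submitted by one visitor
]


def render_comments_vulnerable(comments):
    """The 'before' form: stored text is pasted into the page unchanged, so a
    <script> entered by one visitor executes in every later visitor's browser."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<ul>{items}</ul>"


def render_comments_hardened(comments):
    """Output encoding at the point the text is written into HTML markup: the
    browser displays '<script>' as text instead of executing it. Note that this
    escaping is correct for HTML element content; attribute values, URLs and
    inline JavaScript each need their own context-specific encoding."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<ul>{items}</ul>"


def contains_raw_script_tag(markup):
    """Simple checklist-style self-test a developer can run over rendered output:
    does the page still contain an unencoded <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable page:", render_comments_vulnerable(STORED_COMMENTS))
    print("hardened page:  ", render_comments_hardened(STORED_COMMENTS))
```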