How This Book Is Organized


The content of this book is organized into seven parts:

Part I: Introduction

Part I introduces the current state of the industry, business challenges, and various application security issues and strategies. It then presents the basics of security.

Chapter 1: Security by Default

This first chapter describes current business challenges, the weakest links of security, and critical application flaws and exploits. It introduces the security design strategies, concepts of patterns-driven security development, best practices, and reality checks. It also highlights the importance of security compliance, Identity Management, the Java platform, and Personal Identification technologies such as Smart Cards and Biometrics. In addition, this chapter presents security from a business perspective and offers recommendations for making a case for security as a business enabler that delivers specific benefits.

Chapter 2: Basics of Security

This chapter introduces the fundamentals of security, including the background and guiding principles of various security technologies. It also provides a high-level introduction to securing applications by using popular cryptographic techniques. In addition, it discusses basic concepts about the role of directory services and identity management in security.

Part II: Java Security Architecture and Technologies

Part II provides in-depth coverage and demonstration of security practices using J2SE, J2EE, J2ME, and Java Card technologies. It delves into the intricate details of Java platform security architecture and its contribution to the end-to-end security of Java-based application solutions.

Chapter 3: The Java 2 Platform Security

This chapter explores the inherent security features of the various Java platforms and the enabling of Java security in stand-alone Java applications, applets, Java Web start (JNLP) applications, J2ME MIDlets, and Java Card applets. It also explores how to use Java security management tools to manage keys and certificates. This chapter also discusses the importance of applying Java code obfuscation techniques.

Chapter 4: Java Extensible Security Architecture and APIs

This chapter provides an in-depth discussion of the Java extensible security architecture and its API framework as well as how to utilize those API implementations for building end-to-end security in Java-based application solutions. In particular, the chapter illustrates how to use Java security APIs for applying cryptographic mechanisms and public-key infrastructure, how to secure application communication, and how to plug in third-party security providers in Java-based applications.

Chapter 5: J2EE Security Architecture

This chapter explains the J2EE security architecture and mechanisms and then illustrates how to apply them in the different application tiers and components. It features in-depth coverage of the J2EE security mechanisms applied to Web components (JSPs, Servlets, and JSFs), business components (EJBs), and integration components (JMS, JDBC, and J2EE connectors). This chapter also highlights J2EE-based Web services security and relevant technologies. In addition, it illustrates the different architectural options for designing a DMZ network topology that delivers security to J2EE applications in production.

Part III: Web Services Security and Identity Management

Part III concentrates on the industry-standard initiatives and technologies used to enable Web services security and identity management.

Chapter 6: Web Services SecurityStandards and Technologies

This chapter explains the Web services architecture, its core building blocks, common Web services security threats and vulnerabilities, Web services security requirements and Web services security standards and technologies. It provides in-depth details about how to represent XML-based security using industry-standard initiatives such as XML Signature, XML Encryption, XKMS, WS-Security, SAML Profile, REL Profile and WS-I Basic Security Profile. In addition, this chapter also introduces the Java-based Web services infrastructure providers and XML-aware security appliances that facilitate support for enabling security in Web services.

Chapter 7: Identity ManagementStandards and Technologies

This chapter provides an in-depth look at the standards and technologies essential for managing identity information. It highlights the identity management challenges and then introduces the architectural models for implementing standards-based identity management. It illustrates how to represent XML standards such as SAML, XACML and Liberty Alliance (ID-*) specifications for enabling federated identity management and identity-enabled services.

Part IV: Security Design Methodology, Patterns, and Reality Checks

Part IV describes a security design methodology and introduces a patterns-driven security design approach that can be adopted as part of a software design and development process.

Chapter 8: The Alchemy of Security DesignSecurity Methodology, Patterns, and Reality Checks

This chapter begins with a high-level discussion about the importance of using a security design methodology and then details a security design process for identifying and applying security practices throughout the software life cycle including architecture, design, development, deployment, production, and retirement. The chapter describes various roles and responsibilities and explains core security analysis processes required for the analysis of risks, trade-offs, effects, factors, tier options, threat profiling, and trust modeling. This chapter also introduces the security design patterns catalog and security assessment checklists that can be applied during application development to address security requirements or provide solutions.

Part V: Design Strategies and Best Practices

Part V presents the security patterns, strategies, and best practices categorized specific to J2EE application tiers, Web services, Identity Management, and Service Provisioning.

Chapter 9: Securing the Web TierDesign Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Web-tier and presentation components such as JSPs, servlets, and other related components. Each pattern addresses a common problem associated with the Web-tier or presentation logic and describes a design solution illustrating numerous implementation strategies. It describes the results of using the pattern, highlights security factors and their associated risks when using the pattern, and demonstrates verification of pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices for securing J2EE Web components and Web-based applications.

Chapter 10: Securing the Business TierDesign Strategies and Best Practices

This chapter presents seven security patterns that pertain to designing and deploying J2EE Business-tier components such as EJBs, JMS, and other related components. Each pattern addresses a set of security problems associated with the Business tier and describes a design solution illustrating numerous implementation strategies along with the results of using the pattern. It highlights security factors and associated risks of using the Business-tier security pattern and finally verifies pattern applicability through the use of reality checks. The chapter also provides a comprehensive list of best practices and pitfalls in securing J2EE business components.

Chapter 11: Securing Web ServicesDesign Strategies and Best Practices

This chapter presents three security patterns that pertain to designing and deploying Web services. The chapter begins with a discussion of the Web services security infrastructure and key components that contribute to security. Then it describes each pattern, addresses the security problems associated with Web services, and describes a design solution illustrating numerous implementation strategies and consequences of using the Web services pattern. It also highlights security factors and associated risks using the pattern and verifies pattern applicability using reality checks. Finally, the chapter provides a comprehensive list of best practices and pitfalls in securing Web services.

Chapter 12: Securing the IdentityDesign Strategies and Best Practices

This chapter presents three security patterns that pertain to Identity Management. Each pattern addresses an Identity Management-specific issue, describes a design solution illustrating implementation strategies, presents the results of using the pattern, and then highlights security factors and associated risks using the pattern. Finally, the chapter verifies pattern applicability using reality checks. It also provides a comprehensive list of best practices in Identity Management.

Chapter 13: Secure Service ProvisioningDesign Strategies and Best Practices

This chapter begins with a high-level discussion of business challenges, the scope of Service Provisioning, and the relationship of Service Provisioning to Identity Management. Then it details the process for user account provisioning and discusses various architecture and application scenarios. It presents a security pattern that applies to user account provisioning and illustrates implementation strategies and the results of using the pattern. Then it highlights security factors and associated risks involved with using the pattern and verify pattern applicability using reality checks. This chapter also introduces SPML and its relevance in Service Provisioning. Finally, the chapter provides a comprehensive list of best practices for Service Provisioning.

Part VI: Putting It All Together

Part VI presents a case study that illustrates a real-world security implementation scenario and describes how to put the security design process to work using the patterns and best practices.

Chapter 14: Building an End-to-End Security ArchitectureCase Study

This chapter uses a real-world example of a Web portal that shows how to define and implement an end-to-end security solution using the security design methodology, design patterns, and best practices introduced in this book. The chapter walks through the security design process, illustrating how to analyze and identify risks, how to balance trade-offs, how to identify and apply security patterns, and how to perform factor analysis, tier analysis, threat profiling, and reality checks. The chapter also provides details about how to adopt a patterns-driven security design process, the pertinent do's and don'ts, and describes how to align security in different logical tiers together to deliver end-to-end security.

Part VII: Personal Identification Using Smart Cards and Biometrics

Part VII provides in-depth coverage on Personal Identification using Smart Cards and Biometrics. It delves into the enabling technologies, architecture, implementation strategies of using Smart Cards, Biometrics and combination of both.

Chapter 15: Secure Personal Identification Using Smart Cards and Biometrics

This chapter explores the concepts, technologies, architectural strategies, and best practices for implementing secure Personal Identification and authentication using Smart Cards and Biometrics. The chapter begins with a discussion of the importance of converging physical and logical access control and the role of using Smart Cards and Biometrics in Personal Identification. This chapter illustrates the architecture and implementation strategies for enabling Smart Cards and Biometrics-based authentication in J2EEbased enterprise applications, UNIX, and Windows environments as well as how to combine these in multifactor authentication. Finally, the chapter provides a comprehensive list of best practices for using Smart Cards and Biometrics in secure Personal Identification.




Core Security Patterns. Best Practices and Strategies for J2EE, Web Services, and Identity Management
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
EAN: 2147483647
Year: 2005
Pages: 204

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net