Strategies for Building Robust Security


The four W's of security help us define the outline of what end-to-end security may entail. End-to-end security requires a proactive approach: the essential security strategies and decisions for the application must be made and adopted during the design and architecture phases, not at the time of deployment. Security-by-default mechanisms must be implemented by using a structured methodology, patterns-driven design, adoption of best practices, risk verification through reality checks, and proactive assessment of the deployment architecture. The robustness of security also needs to be enhanced by using defensive strategies, security profiling, and security recovery and continuity strategies.

Let's take a look at some of the concepts and strategies that contribute to building robust security architecture and design.

Unified Process for Security Design

Unified Process (UP) is the de facto standard for the software application development process. It addresses all disciplines of the application development life cycle, from requirements gathering to deployment. In addition, it provides a set of supporting disciplines such as configuration management, project management, environment, operations, and support. However, it does not have specific guidelines for security. It would be extremely useful if security design principles were incorporated as a discipline in the UP-based application development life cycle. Chapter 8, "The Alchemy of Security Design: Methodology, Patterns, and Reality Checks," introduces such a UP-based security design methodology.

Design Patterns

A design pattern is a reusable solution to a recurring design problem. Design patterns are usually considered successful solution strategies and best practices for resolving common software design problems. In a typical security solution, they allow application-level security design with reusable security components and frameworks. In a typical security design scenario, patterns help architects and developers to communicate security knowledge, to define a new design paradigm or architectural style, and to identify risks that have traditionally been identified only by prototyping or experience.

Best Practices

Best practices are selected principles and guidelines derived from real-world experience that have been identified by industry experts as applicable practices. They are considered exceptionally well-suited to contributing to the improvement of design and implementation techniques. They are also promoted for adoption in the performance of a process or an activity within a process. They are usually represented as do's and don'ts.

Reality Checks

Reality checks are a collection of review items used to identify specific application behavior. They assist in the analysis of whether the applied design principles are practicable, feasible, and effective under all required circumstances. There are many grand design principles and theories in the application security area, but some of them may not be practical. Reality checks can help identify alternatives that have fewer penalties but achieve the same goals.

Proactive Assessment

Proactive assessment is a process of using existing security knowledge and experience and then applying it in order to prevent the same problems from recurring. It also predicts what is likely to occur if preventive measures are not implemented.

Profiling

A complementary strategy to proactive assessment is security profiling and optimization. Using dedicated tools, it helps in identifying risks and vulnerabilities and in verifying mandated regulatory or compliance requirements on an ongoing basis. These tools execute a set of scripts that detect existing vulnerabilities and mitigate risks by means of required changes or patches.

Defensive Strategies

Defensive strategies are a set of proactive and reactive actions that thwart security breaches. They are usually represented by a plan of action that helps to identify and restrict a security violation early, while it is still at a low level. These strategies should present explicit instructions for their use and should also present instructions for use when a low-level breach is missed and the attack has progressed to a higher level.

Recovery and Continuity Strategies

Despite the presence of proactive assessment and defensive strategies, there are still unknown security issues that one may encounter. These can cause serious application failures and service shutdown. It is therefore important to have a recovery and continuity plan for the critical services, so that they can be restored and business operations can continue. A comprehensive recovery and continuity plan can reduce operational risks by reducing downtime.


Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
Year: 2005
Pages: 204