Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management - page 34


Summary

Security has taken on unprecedented importance in many industries today, and every organization must adopt proactive security measures for its data, processes, and resources throughout the information life cycle. An organization must therefore have a thorough understanding of the business challenges related to security, of the critical security threats and exploits, and of how to mitigate risk and implement safeguards and countermeasures. Adopting security through proactive approaches becomes essential to organizational health and well-being, and such approaches may well also increase operational efficiency and cost effectiveness.

In this chapter, we have given an overview of security strategies and key technologies, as well as the importance of delivering end-to-end security to an IT system. In particular, we discussed the key constituents that contribute to achieving "Security-by-Default," such as:

  • Understanding the weakest links in an IT ecosystem

  • Understanding the boundaries of end-to-end security

  • Understanding the impact of application security

  • Strategies for building robust security architecture

  • Understanding the importance of security compliance

  • Understanding the importance of identity management

  • Understanding the importance of secure personal identification

  • Understanding the importance of Java technology

  • How to justify security as a business enabler

We've just looked at the importance of proactive security approaches and strategies. Now we'll start our detailed journey with a closer look at key security technologies. Then we'll look at how to achieve Security-by-Default by adopting radical approaches based on a well-defined security design methodology, pattern catalogs, best practices, and reality checks.
