Security Defined

Security involves the protection of assets, where assets are defined as anything with value. This is an important issue that we'll come back to in more detail in Chapter 2, "A Process for Building Secure Web Applications"—if something has no value, it's probably not worth the cost and effort of securing it.

Some assets are tangible and have a monetary value, and others are intangible but still valuable. For example, it's easy to see why you should defend a tangible asset, such as inventory, that everybody agrees is "worth something." But certain intangibles, such as the reputation associated with your company's name, are important too. Below are some examples of assets:

  • Business plans
  • Chattels (possessions)
  • Confidential source code
  • Private cryptographic keys
  • Ideas
  • Identity
  • Money (physical and digital)
  • Privacy
  • Reputation and name

Intangible assets—such as identity, privacy, and reputation and name—can be very difficult to place a value on. It's easy to place a value on your car or your house, but what is your privacy worth to you? The nature of this kind of question begins to reveal the complexity of our topic. As you'll see, security is a multifaceted discipline that involves determining the value of assets, which assets to protect, how to go about protecting them (that is, what methods to use), and what technologies to use. Obviously, all of this must be tempered with business rationale because deploying security for the sake of using cool technology is a bad idea. The rest of this book addresses many of these concerns.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
