Application Design


This section deals with pure application design rather than the design of security solutions. The information here is intended to round out the process of designing and developing Web applications and to help you build better, more robust, and cheaper Web applications.

First, all applications—Web or otherwise—should be designed initially with no technology in mind. Too often, designers have a tool or technology they like and they limit themselves to looking for problems that can be solved with that tool. This is an easy trap to fall into, especially if you're a technical person. When you know how to use a tool well, you use it. But many applications have been designed with the wrong tool for the job, because that was the only tool known to the company. Typically, this greatly increases cost because the application developed must be either abandoned later or adjusted to accommodate the correct technology for the task.

A good application design pattern comprises three phases, as illustrated in Figure 2-2. In the first phase, called the business model, you determine your business requirements (including security requirements and risk/threat analysis) and information requirements. At this stage, you're concentrating on business needs, not theorizing an application to meet those needs. In the next phase, the logical model, you begin to look at how an application called for by the details in the business model might be designed. At this point, you're working out the capabilities of the application without considering the technologies you'll use to build the application. Finally, in the physical model phase, you choose the technologies you'll use to build the application and you build it. This framework is in accord with many large-scale design methods, including the Microsoft Solutions Framework.

Figure 2-2. The process involved in building any application.

Note from Figure 2-2 that the logical and physical models are iterative. This is because you learn a great deal at each stage, invalidate previous assumptions, and address issues with fresh ideas. By repeating your analysis at these stages, you can save a good bit of money and time and prevent a number of headaches. It is much cheaper to fix problems and resolve "unknowns" during the logical model phase, or even during the design part of the physical model phase, than it is to patch mistakes in code that is already being written.

Also, note that the physical model should ultimately lead you back to consideration of your business model; this is because any technology introduced into a business changes that business's environment. Consider a bank that historically has performed standard "brick and mortar" banking functions and that decides to create a Web site to show account balances, allow bills to be paid online, and so on. Once the Web site is completed, the bank's business environment changes radically: for example, the competition might adopt strategies to counter the new Web site, and bank clerks might have time to perform other tasks. Those changes feed new business requirements, and new threats, back into the first phase.

Threats and Business Requirements

Security threats are a special form of business requirement, but, unlike other business requirements, they tend to be overlooked. Remember this: failure to incorporate countermeasures for security threats within the application is a project failure, just like shipping a pilot program three months late.

Take a look at Figure 2-3 to see how the application design model and the security design process I discussed earlier in this chapter interrelate.


Figure 2-3. The security design process mapped to the application design process.

As you can see, determination of business and product requirements, determination of information requirements, threat and risk analysis, and application of security policy all fall within the business model phase. All of these steps take place before you consider how to design the application, which happens during the logical model phase. Step 1 of the security technology phase—that is, the mapping of possible countermeasures to the threats you've decided to address—makes up the logical model. Step 2 of the security technology phase—the mapping of specific technologies to those countermeasures—together with the security services phase makes up the physical model of the application design process. In other words, you decide what you must defend against before you decide how, and you decide how before you decide with which product.

Enough theory! Let's look at an example to illustrate how to develop a secure application.

Source: Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM, 1999.