Approach Used in This Guide


If your goal is a hack-resilient application, how do you get there? The approach used in this guide is as follows:

  • Secure your network, host, and application

  • Focus on threats

  • Follow a principle-based approach

Secure Your Network, Host, and Application

Security must be addressed at three levels: network, host, and application. A weakness at any layer can be exploited by an attacker. This guide takes a holistic approach to application security and applies it at all three levels. The holistic approach to security is shown in Figure 4.

Figure 4: A holistic approach to security

Figure 4 shows the multiple layers covered by the guide, including the network, host, and application. The host layer covers the operating system, platform services and components, and run-time services and components. Platform services and components include SQL Server and Enterprise Services. Run-time services and components include ASP.NET and .NET code access security among others.

Focus on Threats

Your application's security measures can become useless, or even counterproductive, if those measures are applied without knowing the threats that the security measures are designed to mitigate.

Threats can be external, such as an attacker on the Internet, or internal, for example, a disgruntled employee or administrator. This guide helps you identify threats in two ways:

  • It enumerates the top threats that affect Web applications at the network, host, and application levels.

  • It helps you to identify which threats are relevant to your application through a process called threat modeling.

Follow a Principle-Based Approach

Recommendations used throughout this guide are based on security principles that have proven themselves over time. The analysis and consideration of threats prior to product implementation or deployment lends itself to a principle-based approach where core principles can be applied, regardless of implementation technology or application scenario.




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
