Topics in This Chapter
In today's world, everyone relies on information from a variety of sources and tends to depend on its accuracy and reliability in making their own business decisions. The rapid adoption of computing systems and network technologies in critical businesses and industry sectors has brought newer threats and risks such as service interruptions, unauthorized access, stealing and altering of information, impersonation, the spreading of viruses, and so on. This heightens the importance of security and presents every business and organization with the ethical and legal responsibility to properly secure its information by using appropriate measures and processes. Enforcing security at all levels ensures that information is processed, stored, or transmitted with reliability and that it is available to all authorized entities. The unfortunate reality, however, is that security today is often considered as a post-deployment event at the end of the development phase or as an after-the-fact reactive action when something goes wrong. While most businesses and organizations recognize the importance of information security, it is alarming to note that very few have implemented strategies and processes to proactively identify and counter the myriad risks they face. Adopting security in a reactive and risk-averse way often results in businesses and organizations suffering huge financial losses and losing customer confidence. For instance, according to a recent FBI/Computer Security Institute survey (refer to [CSI2003] and [CSI2004] for details), the financial loss worldwide as a result of malicious code attacks was about $455.8 million in 2002, $201 million in 2003, and $141 million in 2004. In 2003, denial-of-service attacks were the source of a $65 million loss, and the theft of proprietary information averaged $2.7 million per incident. With the number of cyber crimes constantly increasing, the cost of security attacks can be highly damaging to both businesses and their customers. 
The most troubling problem is that most business applications and services are not designed for security and are deployed without eliminating their inherent risks. Architects and developers have chosen to adopt a physical security solution during deployment and have then used a reactive approach for handling post-deployment security issues. In some organizations, there is a huge cognitive disconnect between the importance of information security and its alignment with their key business objectives. This cognitive disconnect seriously affects actual business security, because security is not seen as a business enabler until the potential losses due to threats and vulnerabilities are understood, usually by an actual financial loss. Every business and organization must understand the critical importance of information security. Then it must adopt a proactive and holistic approach that can help it reduce and manage the risks associated with network applications and services throughout the business cycle. In simpler terms, it is critically important to understand what security represents to us and to know the challenges that are involved in building robust security into a business service. Those common challenges include answering the following questions:
This book introduces a radical approach called Security by Default that delivers robust security architecture from the ground up and proactively assists in implementing appropriate countermeasures and safeguards. This approach adopts security as a key component of the software development life cycle, from design and development through post-production operations. It is based on a structured security design methodology, is pattern-driven, and adopts industry best practices that help security architects and developers identify the what, why, when, where, and how of evolving and applying end-to-end security measures during the application design process as well as in the production or operations environment. This chapter discusses current business challenges, the weakest links in security, and critical application flaws and exploits. Then it introduces the basic concepts behind Security by Default and addresses the importance of a security design process methodology, pattern-driven security development, best practices, and reality checks. Because this book focuses on Java platform-based applications and services, this chapter provides an overview of Java platform security. It also highlights the importance of identity management and other emerging security technologies. Finally, it discusses how to make a case for security as a business enabler and reviews the potential benefits brought by approaching security in this way.