involved—architects, developers, application support staff, and other stakeholders are clear with the security requirements that are necessary to protect the Web application from a multitude of threats that are prevalent both inside and outside the organization.

Risk management leverages the organization's knowledge of the business process or the critical information asset to provide a comprehensive view of risks that might manifest in the application. For instance, an e-commerce merchant would have individuals who are very knowledgeable about the e-commerce business and would provide comprehensive insights into the threats and vulnerabilities that might exist for their critical information assets. Let us explore how risk management increases the clarity for protection strategies among different stakeholders involved in the Application Development Life Cycle:
It is very important that management/application owners be clear on the threats and possible protection strategies to be deployed for an application. Management/application owners are the key drivers for the development of the application, and they are its greatest beneficiaries. An application becomes critical for the management when it influences the financial, reputational, or operational well-being of the organization. The risk management process aims at throwing much-needed light on the myriad threats and vulnerabilities that might manifest in the application and have far-reaching adverse consequences for an organization's finances, reputation, or operational efficiency if breached. For instance, if an e-commerce application is breached, then this will affect not only the financial well-being of the e-commerce merchant but also the reputational and operational efficiency of the organization. When the management/application owners are sensitized to this fact and are clear on the road ahead, security, as part of the Application Development Life Cycle, gets a welcome impetus in the right direction.

There is a nice quote on software development, which seems appropriate while exploring how risk management provides clarity for developers and application architects: "Walking on water and developing software from a specification are easy if both are frozen."* Some would say that living up to this quote is utopian. Specifications for an application are seldom frozen before development actually takes place. Security is one of the greatest victims in such situations, because organizations usually do not take security requirements into account at the outset. By the time the need for security is recognized, the application is usually at an advanced stage of development, and retrofitting security into the application is clumsy and awkward. In some cases, this kind of scenario causes more damage to the application. Architects, in particular, and developers of Web applications would greatly benefit from the risk management process, as great emphasis is given to the identification of risks and protection strategies to be built into the application at the beginning of the Web application development life cycle. An effective risk assessment would ensure that the security requirements provided to the developers are a comprehensive set of requirements that would be built into the application right from its inception.
Testing is an integral part of the Application Development Life Cycle. Although functional testing and stress testing are commonplace in any application development, testing for security has recently occupied a very important place in the life cycle of a Web application development. Testing for the security of Web applications is a specialized science that requires the testing professional to utilize both manual and automated methods to check for common Web application vulnerabilities. The clarity for testing is greatly achieved as specs for testing
* This famous programming quotation is the creation of Edward V. Berard. It is available at http://turulcsirip.hu/perma/448371362.