Java Reference
In-Depth Information
5.2.4 Understanding Basic Application Architecture
Understanding the application's architecture is an important step in the system characterization
phase. Interfaces between diferent systems are usually commonplace with a Web application. Any
Web application has, as external interfaces, connectivity to a database or a ile server. In some
cases, Web applications also interact with other enterprise applications such as email and messag-
ing applications. While incorporating security into the Web application, a simple deployment dia-
gram of the Web application and its subsystems and interfaces needs to be created. As the security
functionality and capability is formulated, speciic details relating to security implementation like
authentication and authorization, encryption, and logging need to be included into the application
deployment architecture.
he information captured in a basic application architecture diagram for the purpose of risk
assessment is the following:
◾
Deployment topology
◾
System interfaces
5.2.4.1 Deployment Topology
Risk assessment is made more efective with the understanding of the network topology in which
the application will be deployed. Network diagrams are most efective in understanding the logi-
cal environment under which the application will be deployed. Network diagrams should be cre-
ated to include the layout of servers, network components, and the logical segments that exist as
part of the network. Network connectivity into and out of the network needs to be highlighted
to provide adequate clarity on connectivity to the Internet or intranet. An understanding of the
network security controls implemented by the organization will also help a great deal while devel-
oping security requirements for the Web application. Firewall coniguration and router conigu-
rations may also be considered during the deployment process. For instance, if an organization's
perimeter irewalls expressly disallow network traic on a particular port owing to its nonsecure
condition, then the application architects might be able to avert unnecessary coniguration time
and possible vulnerabilities by developing the application to work on diferent ports.
5.2.4.2 System Interfaces
Web applications interact with other systems or services as part of their operating environment.
Web applications most commonly interface with databases for the insertion, updating, and dele-
tion of data. Apart from databases, present-day Web applications also interact extensively with
email and messaging applications for sending and receiving messages, which might form outputs
or inputs for the Web application. With respect to e-commerce Web applications, one of the key
interfaces for a Web application is with a payment gateway, where the Web application sends credit
card or banking information to be authorized and receives information about the approval/denial
status of the transaction. Web applications also commonly interact with a ile server for ile-based
operations such as facilitating downloads of iles and writing iles into the said servers. he most
common interface of a Web application is the one where the user accesses the application through
the browser. his interface is usually the most public of the interfaces for a Web application.
Understanding system interfaces is vital to the risk assessment, because exchange of critical infor-
mation assets of the application takes place through these interfaces. Our focus is to understand
Search WWH ::
Custom Search