the flow of information in the application, which can be achieved by studying the data interchange between the interfaces. Knowledge of the information interchange between these interfaces can be used to gain insight into the level of trust that one can place in data exchanged over them. Based on that level of trust, risks can be identified for which security functionality is created subsequently. For instance, one of the interfaces of a Web application is the user interface, and it must be kept in mind that users may be genuine or malicious. Because users may be malicious, the trust level for data entered by users would naturally be low, and security functionality may be formulated with that low trust level in mind for data received from the user interface. Security functionality for the interaction between these interfacing elements may be designed with regard to the criticality of the data being transmitted and the level of trust that can be expected of data emanating from, or being transmitted to, these interfacing systems.
5.3 Developing Security Policies for the Web Application
5.3.1 A Broad Overview of Security Policies for the Web Application
Security policies for a Web application are like management directives for the entire organization. They are instrumental in defining the essential security features of the application and form the foundation for a secure Web application. Application owners, management, and customers are instrumental in drawing up the security-related expectations of the Web application. This exercise is best performed when the business leadership stakeholders identify and develop the security objectives in collaboration with the application architects and developers. Security policies are developed on the basis of certain key parameters, which may be used as benchmarks for the security controls to be implemented for the Web application. Some of them are listed below:
Financial risk and impact
Regulatory and compliance
Contractual obligations
Reputation and organizational goodwill
5.3.1.1 Financial Risk and Impact
Financial risk and impact is a key policy consideration for a Web application. The risk of financial loss has a great bearing on the security policies and, subsequently, the security functionalities of the Web application. The level of security provided for a Web application handling sensitive information should ideally be in direct proportion to its risk of financial loss. For instance, a software development forum type of Web application will have a lower risk of financial loss than an Internet banking Web application. If an Internet banking application is breached, the financial loss that might occur may warrant a much higher level of security controls to be implemented for the Web application. It is important that the financial ramifications for an organization, based on the application, are clearly understood. The financial effects of a data breach need to be assessed while formulating security policies and, subsequently, security requirements for the Web application.