5.3.1.2 Regulatory and Compliance
Regulatory and compliance requirements have emerged as one of the key drivers of security for
organizations all over the world. Regulatory security objectives today, particularly for Web
applications, are largely driven by compliance requirements such as the PCI-DSS and HIPAA.
Legal requirements are also a major force in the formulation of security objectives for a Web
application. Sarbanes-Oxley, popularly known as SOX, requires that the internal controls around
systems used to produce the financial statements of a publicly listed company be capable of
ensuring that the data cannot be tampered with. The California Security Breach Information Act
requires organizations to maintain the privacy of personal information stored in their systems,
and mandates that, in case of any breach of unencrypted personal information, each affected
party must be notified. We will discuss the different types of security compliance requirements
and their effects on application security in the next section of this chapter.
5.3.1.3 Contractual Obligations
Organizations have gradually begun to realize the importance of security in Web applications.
Organizations developing Web applications for their clients, in several cases, have contractual
obligations to build security into the application from the beginning. Organizations building
software for banks and other large corporations typically have several clauses in their customer
contracts requiring that security be built into the Web application. The client organizations
usually insist on third-party code reviews and vulnerability assessments to ensure that the
application is secure enough to be deployed in their environments, where a large amount of
sensitive information is transacted. In other cases, customer organizations contractually bind
the software development organization to follow security compliance standards such as the
PCI-DSS, thereby ensuring that security requirements are incorporated into the application
right from the outset.
5.3.1.4 Reputation and Goodwill
Reputational loss is perhaps the greatest loss an organization suffers in a security breach.
Warren Buffett's take on organizational reputation is as follows: “It takes 20 years to build a
reputation and five minutes to ruin it. If you think about that, you will do things differently.”
Security policies for a Web application are greatly influenced by the reputation of the
organization and by the consequences for that reputation and for organizational goodwill in
case of a data breach.
5.3.2 Security Compliance and Web Application Security
Compliance and regulatory requirements have become an integral aspect of doing business.
Governmental and other statutory bodies have introduced mandatory compliance standards and
requirements for nearly every industry. Security, compliance, and regulatory requirements have
been put forth by governing bodies and apex institutions the world over, owing to the many
incidents that have caused a great deal of loss and embarrassment to the industry at large. Let
us explore some of the significant compliance and regulatory requirements that shape how
security is implemented across industries:
PCI-DSS—Payment Card Industry Data Security Standard
PA-DSS—Payment Application Data Security Standard