application security in this chapter. As a precursor to this, it is important that we understand organizational information security practices and then explore the need for Web application security, considering an organization's information security posture.
3.2.1 A Glimpse into Organizational Information Security
The organization is a multi-celled mechanism with several departments. Large or small, any organization has several functions that need to be called into play in its operations. Earlier, organizations were brick-and-mortar in nature. The modern organization has metamorphosed into a security-aware entity. Today's organizations have evolved into computerized entities. They now operate with several Web applications, legacy applications, and repositories of data. The data in these organizations are stored in several forms, across geographical locations. Adverse security incidents have affected organizations all over the world, and in response they have formulated appropriate security strategies to help keep their data safe. As a part of information security, we have already explored the concept of defense-in-depth. Let us now look at the organizational information security perspective. It consists of the following:
Network security
Physical security
Application security
Host security
Figure 3.2 gives an indication of organizational information security practices and the concept
of defense-in-depth.
3.2.1.1 Physical Security
The first aspect of organizational security is physical security. It is the protection strategy and implementation by an organization to protect against physical threats. For instance, a bank would be equipped with security guards at the perimeter and closed-circuit cameras operating at various locations inside and outside the bank. The bank would probably also be equipped with access control cards and biometric devices to ensure that only authorized individuals can access sensitive areas like the datacenter or the vault. The bank would naturally want to ensure that it is protected from physical threats like burglars, terrorists, and other antisocial elements. Physical security has matured over time, and most organizations that require a strong physical security program usually have a mature physical security program in place.
3.2.1.2 Network Security
Until the early 2000s, network security and host security were major concerns for several organizations. Networks were extremely vulnerable to attacks, and there were several instances of network breaches, which regularly plagued organizations. Although the current state of networks is not invulnerable to attacks and incidents, network security has matured a great deal over the years. Devices like firewalls and intrusion prevention systems (IPS) have become standard deployments for small and large organizations. In fact, these devices have become so popular that several home networking devices like routers come equipped with firewall functionality. These devices have several intelligent features built into the device. For instance, devices such as stateful inspection