Figure 3.4
Cross-site scripting attack prevented by the Mozilla add-on NoScript.
Figure 3.5
Cross-site scripting attack prevented by the XSS filter in Internet Explorer.
3.4.2 Pangs of the Creator
We have already discussed network and host security. The typical scenario in securing the network or the operating system is that the organization creating the network device or the operating system is responsible for ensuring that bugs and security vulnerabilities are fixed and that, upon application of these fixes, popularly known as patches or service packs, the device or the system is no longer vulnerable to a particular threat. Organizations creating routers, firewalls, operating systems, or any other network device also provide a myriad of materials to help secure the said devices from threats, which are ubiquitous in a networked environment. The above situation is in stark contrast with the Web application security scenario. In the case of Web application security, the organization developing the Web application is responsible for the security of the application. The creator, in most cases, is the organization itself or its outsourcing partner. Even in the latter case, the security of the application remains entirely the responsibility of the organization. As one is dealing with custom code, there are no vendor-supplied patches, service packs, or bug fixes for it of the kind a platform or device vendor rolls out, and the entire burden of incorporating security into the application rests on the organization developing the Web application.
3.4.3 Flawed Application Development Life Cycle
The Application Development Life Cycle or the Software Development Life Cycle, popularly referred to as the SDLC, is perhaps the most important aspect of secure application development. Applications that are secure by design take security requirements into account at the outset and incorporate security controls during the design of the application; these controls subsequently translate into code and finally result in a secure application.
The great challenge for organizations today is to get the security part of the SDLC right. An SDLC is the development life cycle that takes into account the stages of an application, from its inception through deployment and into maintenance. Figure 3.6 provides a graphical representation of a typical SDLC. In a typical SDLC, one would see the following basic phases: