We are moving our application from client/server (Visual Basic) to Java/J2EE. We had long been advising management to do this. Finally they accepted, because they want customers to be supported through the web. Ours is a privately held company, and we are very strict on budget. How do you convince management to allocate more budget to hire good resources for implementing a sound web security framework and good practices? Does your book cover any of this from a management perspective?
Zafar, justifying the need for good developers and a solid security framework to management is often hard. It is like selling insurance: you don't need it unless something goes wrong. The best approach is to do a thorough risk analysis and spell out the liability to the company if the application is compromised. Your management then needs to make a business decision as to how much to invest in security based on that liability. By stating the risks and liability quantitatively, you have officially put the responsibility on your management. Most managers who are cognizant of the risks, and of the fact that it is their responsibility, will take the appropriate measures.