Chapter 8: The Alchemy of Security Design

Hi Ramesh,

I went through the sample chapter.

I like the idea of explaining Security Patterns using the concept of
Security Wheel with Unified Process(UP).

Is Single Access Point different from SSO?

I don't understand PEP (Policy Enforcement Point); maybe the book explains
it in more detail.

I don't know what you mean by SQL Injections?

The Secure Pipe pattern seems very useful for web services security.

Alchemy of Security Business Application is good for understanding the implementation flow.


The description of implementing a Security Policy in the Check In item is interesting. Actually, the Check In item gives the managerial aspect of implementing security.

For testing you suggested that an open source framework is preferable compared to
a proprietary one. But you haven't mentioned any open source framework that can be used for white-box security testing.
[ January 13, 2006: Message edited by: Jignesh Patel ]
 
Author

Originally posted by Jignesh Patel:
Hi Jignesh... my comments are inline, marked <RN>.

I went through the sample chapter.

<RN> Thanks for reading through the chapter. As the chapter title says, it is all about introducing the reader to a structured design methodology, patterns-driven and best-practices-based security approaches, and how to perform security assessments for Java/J2EE applications.</RN>


I like the idea of explaining Security Patterns using the concept of
Security Wheel with Unified Process(UP).


<RN>
The concept of the Security Wheel represents the core security principles which a Java architect/developer must consider while designing an application. Some of those principles may not apply... but they still cannot be ignored; you consider them as trade-offs.
We chose UML and UP, as they are considered the de facto standard for representing application design models.
We did receive a lot of positive feedback about both the Security Wheel and Secure UP.
</RN>

Is Single Access Point different from SSO?

<RN>
Yes - both are different in terms of scope.
Single Access Point is a security pattern defined by Joseph Yoder and Jerry Barcalow (based on their security patterns research paper). It enforces a single point of access to a business service; typically this refers to the login page of an application.
SSO is the ability of a user to log in once to multiple applications that would ordinarily require their own separate logins. It allows a user to access disparate resources via a centralized interface or portal. This is accomplished by creating a unique security token during authentication which is trusted by the participating applications... all subsequent requests are presented using the security token, so that the user gains a consistent user experience by doing a single login to access multiple applications... all without reauthentication.
</RN>


I don't understand PEP (Policy Enforcement Point); maybe the book explains
it in more detail.

<RN>
The Policy Enforcement Point is a security entry point where all security functions are initiated... such as authentication, authorization and audit functions, based on the source of the request, the transport protocol and the incoming content. The Policy Decision Point (PDP) is where all decisions are made on whether a request is allowed to be processed or not.
The book drills into a lot of detail about PEP and PDP... in Chapter 7.
</RN>


I don't know what you mean by SQL Injections?

<RN>

SQL Injections are all about exploiting data input in web applications... where a hacker breaks into the application by injecting malicious data or a condition that initiates a malformed SQL query via the JDBC statement executed on the underlying database.
We recommend the use of the Intercepting Validator pattern to thwart SQL and other malformed data injection attacks.
</RN>


The Secure Pipe pattern seems very useful for web services security.

Alchemy of Security Business Application is good for understanding the implementation flow.



<RN> Thanks for the comments </RN>


The description of implementing a Security Policy in the Check In item is interesting. Actually, the Check In item gives the managerial aspect of implementing security.


<RN> Thanks again </RN>


For testing you suggested that an open source framework is preferable compared to
a proprietary one. But you haven't mentioned any open source framework that can be used for white-box security testing.


<RN> We did recommend the use of selected open source as well as commercial implementations for security testing in Chapter 14. We certainly don't want to give biased opinions when it comes to choosing software. </RN>


Good luck

/Ramesh



[ January 13, 2006: Message edited by: Ramesh Nagappan ]
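The SQL injection Ramesh describes above, shown in code as an added example (this is not code from the book or from either poster): a lookup built by concatenating user input into a JDBC Statement, beside a hardened version that pairs an Intercepting Validator style whitelist check with a PreparedStatement. The table name `users`, the column `username`, and the `Connection` supplied by the caller are assumptions for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Added example: vulnerable vs. hardened JDBC lookup.
 * Assumes a hypothetical table users(username, ...) and a Connection
 * obtained elsewhere (e.g. from a DataSource).
 */
public class LoginQuery {

    // VULNERABLE: the input becomes part of the SQL text, so an attacker
    // controls the structure of the query, not just a value in it.
    static String vulnerableQueryText(String username) {
        return "SELECT username FROM users WHERE username = '" + username + "'";
    }

    static boolean vulnerableLookup(Connection c, String username) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(vulnerableQueryText(username))) {
            return rs.next();
        }
    }

    // Intercepting Validator: accept only the shape a username may take, so
    // quote characters, comment markers and keywords never reach the data tier.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    static boolean isValidUsername(String username) {
        return username != null && USERNAME.matcher(username).matches();
    }

    // HARDENED: validate first, then bind the value as a parameter so the
    // driver transmits it as data and it can never alter the statement.
    static boolean safeLookup(Connection c, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("rejected username input");
        }
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT username FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the quoted literal and appends a tautology.
        String payload = "' OR '1'='1";
        System.out.println("query the vulnerable path would execute: " + vulnerableQueryText(payload));
        System.out.println("validator accepts payload?  " + isValidUsername(payload));
        System.out.println("validator accepts 'jignesh'? " + isValidUsername("jignesh"));
    }
}
```

Running `main` needs no database: it prints the SQL text the vulnerable path would hand to the driver for the constructed payload, and shows the validator rejecting it while accepting an ordinary name. The validator is defence in depth; the PreparedStatement is what actually removes the injection, and `safeLookup` keeps both because a whitelist alone is easy to get wrong for fields with a richer character set.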
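The PEP/PDP split Ramesh describes, as an added example in plain Java (not code from the book): a Policy Enforcement Point that checks the transport, resolves the presented session token to a subject, delegates the allow/deny decision to a Policy Decision Point, and writes an audit entry for every outcome. The `Request` record, the token-to-roles session map, and the sample policy on `/accounts` are constructed stand-ins for the servlet request, session store and policy a real J2EE deployment would provide.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: minimal PEP and PDP. Requires Java 16+ (records). */
public class PepPdpDemo {

    /** Constructed stand-in for an incoming request. */
    record Request(String sessionToken, String resource, String action, boolean overTls) {}

    /** PDP result: the verdict plus the reason, so the PEP can audit it. */
    record Decision(boolean permit, String reason) {}

    /** Policy Decision Point: owns the policy, never sees the raw request. */
    static class PolicyDecisionPoint {
        // resource -> action -> roles allowed (constructed sample policy)
        private final Map<String, Map<String, Set<String>>> policy = new HashMap<>();

        void permit(String resource, String action, String... roles) {
            policy.computeIfAbsent(resource, r -> new HashMap<>()).put(action, Set.of(roles));
        }

        Decision decide(Set<String> subjectRoles, String resource, String action) {
            Set<String> allowed = policy.getOrDefault(resource, Map.of()).get(action);
            if (allowed == null) {
                return new Decision(false, "no policy for " + action + " on " + resource); // default deny
            }
            for (String role : subjectRoles) {
                if (allowed.contains(role)) {
                    return new Decision(true, "role " + role + " permitted");
                }
            }
            return new Decision(false, "none of " + subjectRoles + " permitted");
        }
    }

    /** Policy Enforcement Point: the single entry point that authenticates, asks the PDP, and audits. */
    static class PolicyEnforcementPoint {
        private final Map<String, Set<String>> sessions; // token -> roles (constructed session store)
        private final PolicyDecisionPoint pdp;
        final List<String> auditLog = new ArrayList<>();

        PolicyEnforcementPoint(Map<String, Set<String>> sessions, PolicyDecisionPoint pdp) {
            this.sessions = sessions;
            this.pdp = pdp;
        }

        boolean enforce(Request req) {
            // Transport check: never accept a session token over a plaintext channel.
            if (!req.overTls()) {
                return audit(req, "deny: plaintext transport");
            }
            // Authentication: resolve the presented token to a subject and its roles.
            Set<String> roles = sessions.get(req.sessionToken());
            if (roles == null) {
                return audit(req, "deny: unauthenticated");
            }
            // Authorization: the PEP enforces, the PDP decides.
            Decision d = pdp.decide(roles, req.resource(), req.action());
            return audit(req, (d.permit() ? "permit: " : "deny: ") + d.reason());
        }

        private boolean audit(Request req, String outcome) {
            auditLog.add(req.action() + " " + req.resource() + " -> " + outcome);
            return outcome.startsWith("permit");
        }
    }

    public static void main(String[] args) {
        PolicyDecisionPoint pdp = new PolicyDecisionPoint();
        pdp.permit("/accounts", "read", "teller", "manager");
        pdp.permit("/accounts", "transfer", "manager");

        Map<String, Set<String>> sessions = Map.of("tok-teller", Set.of("teller")); // constructed
        PolicyEnforcementPoint pep = new PolicyEnforcementPoint(sessions, pdp);

        pep.enforce(new Request("tok-teller", "/accounts", "read", true));      // permitted
        pep.enforce(new Request("tok-teller", "/accounts", "transfer", true));  // role not allowed
        pep.enforce(new Request("forged-token", "/accounts", "read", true));    // unknown token
        pep.enforce(new Request("tok-teller", "/accounts", "read", false));     // no TLS
        pep.auditLog.forEach(System.out::println);
    }
}
```

The point of the separation is that every request passes through one `enforce` call, so authentication, the transport check and the audit trail cannot be skipped by an individual business component, while the PDP can be swapped for a real policy engine without touching the enforcement code. Note the default-deny branch in `decide`: a resource or action with no explicit policy is refused rather than allowed.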
 