Authors: Other Security areas

John Hembree
hired gun
Ranch Hand

Joined: Mar 07, 2003
Posts: 250

Does the book go into any detail concerning the need to secure other areas of the application?

I don't think I would really expect a lot since this is a pattern book but it might have some information regarding that the app is only as secure as the entire solution and point users in the right direction to secure the other areas.
Ramesh Nagappan
Author
Ranch Hand

Joined: May 06, 2003
Posts: 159
The book is intended to deliver and ensure "End-to-End" Security of Java/J2EE applications - Security right from the Client interacting with the application to the protocol integrating the backend resource. We do cover other aspects of security such as "Single Sign-on", "Federation", "Service Provisioning" and Personal Identification strategies. In addition, the book also discusses the J2EE Network Topology requirements in terms of Designing the DMZ to support J2EE security architecture.

As a goal, the book recommends a "Patterns-driven" security design and methodology to achieve end-to-end security from a Java architect/developer perspective. A reader would be able to use the patterns effectively after understanding the basic Java security API... that's why the book covers the fundamentals from the ground up.

Does this help you?

/Ramesh


Ramesh Nagappan CISSP
Co-Author of "Core Security Patterns"
nramesh@post.harvard.edu
www.coresecuritypatterns.com
John Hembree
hired gun
Ranch Hand

Joined: Mar 07, 2003
Posts: 250

I'm not sure that you understood my question and quite possibly I didn't understand your answer.

I was looking for something along the lines of any information regarding the complete solution. Let's say I use this book and build the perfect application addressing every security issue within the realms of Java. The program was flawless, but then I installed the app on a server that I don't keep patched. It sits out in a DMZ or possibly inside my network without any firewall rules. The database server is sitting on the same box as the app. I don't know what else would be bad for me to do with my strong app, but having compromised the other areas of my solution?

Do you have any generalized instructions of other steps I can take to secure my solution, not just the application? Larger clients may have a security department that keeps all of these things in mind when deploying a solution. Is there anything that I can use within the book to guide me to other areas of security?
Ramesh Nagappan
Author
Ranch Hand

Joined: May 06, 2003
Posts: 159
Originally posted by John Hembree:
I'm not sure that you understood my question and quite possibly I didn't understand your answer.

I was looking for something along the lines of any information regarding the complete solution. Let's say I use this book and build the perfect application addressing every security issue within the realms of Java. The program was flawless, but then I installed the app on a server that I don't keep patched. It sits out in a DMZ or possibly inside my network without any firewall rules. The database server is sitting on the same box as the app. I don't know what else would be bad for me to do with my strong app, but having compromised the other areas of my solution?

Do you have any generalized instructions of other steps I can take to secure my solution, not just the application? Larger clients may have a security department that keeps all of these things in mind when deploying a solution. Is there anything that I can use within the book to guide me to other areas of security?

John,

Technically speaking the focus of our book and the identified patterns and best practices are targeted to support architects and developers involved with J2SE/J2EE/J2ME/JavaCard, XML Web services, Identity Management and Service Provisioning.

I am a bit confused about what you mean by "other areas of security". Are you referring to other OS platforms or application languages? Are you referring to network or physical security? Could you please list those areas? Let us see where the book can help.

For better understanding about the goals of this book, you may visit our book web site and take a glimpse of the free chapter and our presentations to RSA Security and JavaONE conferences.

/Ramesh
John Hembree
hired gun
Ranch Hand

Joined: Mar 07, 2003
Posts: 250

I guess I was looking for a list of other security concerns outside of the application. Something that would say, "Now that you have a secure application you need to look at XXX to be really secure". Is the server behind a locked door? Is there limited logon access to the box to keep everybody from logging in? Is the hard drive shared with Everyone granted full control in those Windows environments, etc.?

Are there any suggestions for securing the application beyond the application itself?
Ramesh Nagappan
Author
Ranch Hand

Joined: May 06, 2003
Posts: 159
John,

Of course, the book provides a check-list (too numerous to write here) for pro-active security assessment at every stage of the application development process and prior to production deployment. It does identify all other environmental dependencies (weakest links) that impact an organization's application security in terms of Network security (Firewalls, IDS, Router ACLs), Transport security (SSL, IPSec), Host environment (OS Hardening & Minimization), users/groups/roles (Realms), PKI/Crypto hardware (Encryption/DSIG), Identity provider (Policy, SSO, Federation), Honeypots, Monitoring, Auditing and Reporting for regulatory compliance (ex. Sarbanes-Oxley, GLBA, HIPAA).

In each "Patterns & Design Strategies" section the book lists the "Best practices and Pitfalls" considerations for application development, production deployment, monitoring, auditing and reporting. The book contains 101 best practices to support the various aspects of Java/J2EE architecture and Web services.

Hope this helps.

/Ramesh
John Hembree
hired gun
Ranch Hand

Joined: Mar 07, 2003
Posts: 250

Thanks for the reply.
Jignesh Patel
Ranch Hand

Joined: Nov 03, 2001
Posts: 626

John,
Chapter 8 will give you more detailed answers to your question.