To authors - payment industry standards

 
Sudd Ghosh
Ranch Hand
Posts: 199
Hi,
I am very excited and glad to know that I'll soon be able to dive deep into the best practices in security schemes. I hope you have covered the security aspects as applicable to the payment processing industry, where the security needs are tremendous. Specifically, I would be interested in some of the following topics:

Access control: Rule based dynamic approach and role based access control.

Identification services.

FIPS standards.

Practical limitation of setting high water marks.

How to achieve end-to-end identity management in real time (i.e., from customer to the acquiring and issuing bank and back to the customer).

Effects of encryption on real-time payment processing.
Thanks and looking forward, Sudd
 
Tina Coleman
Ranch Hand
Posts: 150
I was disappointed to not get to see a table of contents and index for the book out on Amazon. I know that's not likely the authors' doing, but passing along that feedback. Speaking as someone who's done a good bit of .NET programming of late, I wonder if the authors could speak to how much of the text is J2EE-specific, and how much would be more widely applicable. I expect that since this is a patterns book, it should be more widely applicable. Definitely interested in some of the various topics listed in the book blurbs.
 
Ramesh Nagappan
Author
Posts: 159

Originally posted by Sudd Ghosh:
Hi,
I am very excited and glad to know that I'll soon be able to dive deep into the best practices in security schemes. I hope you have covered the security aspects as applicable to the payment processing industry, where the security needs are tremendous. Specifically, I would be interested in some of the following topics:

<RN> The focus of this book primarily builds around Java and J2EE based technologies. We also covered the XML Security standards and standards based technologies for Web services, Identity Management and Service Provisioning. The book does not delve into vertical-industry specific security aspects. The key reason is we want to make sure that we are agnostic about vertical-industry segments....as "information security" is a common goal to all industry segments. So as long as your application makes use of Core Java technologies or Java based Web services, identity management solution...I am sure the patterns and best practices described in this book will help </RN>

Access control: Rule based dynamic approach and role based access control.

<RN> The book digs into a lot of details and approaches for building RBAC in Java/J2EE applications and also making use of XACML standards for supporting XML Web services </RN>

Identification services.

<RN> The book has a dedicated chapter (Chapter 15) on Personal Identification using Smart cards and Biometrics. It discusses the role of personal identification technologies in combating identity crimes. We present the enabling technologies, architecture and implementation strategies for using smartcards and biometric technologies for identification and authentication services. </RN>

FIPS standards.

<RN> Although the book has no scope to address the details of FIPS, we did discuss the FIPS-140-1 compliance for cryptographic devices, smartcard readers and biometric scanners. </RN>

Practical limitation of setting high water marks.

<RN> The book has no planned scope to discuss HWM. From a security implementation standpoint, to support confidentiality and integrity protection you would be able to use the "Secure Logger" and "Audit Interceptor" patterns for ensuring secure logging and auditing. </RN>


How to achieve end-to-end identity management in real time (i.e., from customer to the acquiring and issuing bank and back to the customer).

<RN> We have a full-fledged case study that discusses the end-to-end security design with federated Identity management. Refer to Chapter 14 - Case study showing a "Web Portal" that integrates multiple enterprises via Identity management. </RN>

Effects of encryption on real-time payment processing.

<RN> There is always a performance overhead due to encryption and validating digital signatures. This could be overcome by using cryptographic accelerators. You may refer to the SecurePipe pattern (Chapter 9) for details </RN>

Good luck

/Ramesh

Thanks and looking forward, Sudd

 
Ramesh Nagappan
Author
Posts: 159

Originally posted by Tina Coleman:
I was disappointed to not get to see a table of contents and index for the book out on Amazon. I know that's not likely the authors' doing, but passing along that feedback. Speaking as someone who's done a good bit of .NET programming of late, I wonder if the authors could speak to how much of the text is J2EE-specific, and how much would be more widely applicable. I expect that since this is a patterns book, it should be more widely applicable. Definitely interested in some of the various topics listed in the book blurbs.



<RN>
Please refer to the Table of Contents posted on the book Web site - http://www.coresecritypatterns.com. The authors have no idea how Amazon gets info!
Most patterns can be applied to Microsoft .NET platform based apps (Chris and I are working on it in parallel, but we would like to test them as a proven solution equivalent to J2EE before we disclose it to the .NET community..so please stay tuned).
</RN>
[ January 12, 2006: Message edited by: Ramesh Nagappan ]
 
Sudd Ghosh
Ranch Hand
Posts: 199
Thanks a lot Ramesh. Though currently I work in a J2EE environment, I am sure the patterns will prove useful in designing any kind of security infrastructure. Many of the payment systems that I have seen so far do not run on Java/J2EE, but rather on C++ or mainframe.
Regards, Sudd
 
Ramesh Nagappan
Author
Posts: 159
You are welcome.

C++/C based applications and Mainframes are not going away....they do live forever to save jobs.

Good luck

/Ramesh
 