27.1. Key Security Concepts
Security is best tackled in a holistic manner, by considering not just the application, but also the host and network environment where it is deployed. There's no use spending time encrypting your database connection strings if the administrator password is easy to guess!
One approach to implementing effective security is to consider the possible risks and threats to your application. Called threat modeling, this technique involves identifying threats, vulnerabilities, and most importantly, countermeasures for your specific application scenario.
When it comes to security threat modeling, it's a good idea to approach the world with a healthy dose of paranoia. As Kurt Cobain said, "Just because you're paranoid doesn't mean they aren't after you."
Table 27-1 categorizes the areas that should be considered as part of a threat modeling exercise.
| Category | Considerations |
|---|---|
| Authentication | How do we verify a user and match this user with an identity in the system? Authentication is the process in which a user or system proves its identity. This is typically done either through something the user knows, such as a username and password, or has, such as a certificate or security token. |
| Authorization | What can a user do within the application? Authorization is how your application controls access to different resources and operations for different identities. |
| Data Input Validation | Is the data that has been entered both valid and safe? ... |
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access