Appendix A. Building Secure Products and Solutions
Ashok K. Gupta, Uma Chandrashekhar, Suhasini V. Sabnis, and Frank A. Bastry
Many security vulnerabilities in current information technology (IT) solutions and products are the result of a piecemeal "strap-on" security approach. The inclusion of many security add-ons, such as firewalls, antivirus software, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs), may imply that the security objectives were an afterthought, were not adequately defined initially, or were never met by the individual system components. In fact, a "ground-up" approach to security, in which each component is individually secure within a defined network deployment scenario, helps meet the need for minimal risk exposure. Security should not be bolted on; rather, it should be the prime consideration from the beginning and throughout the entire lifecycle, from concept to deployment and ongoing operation, for each product in the solution. Given the ever-increasing sophistication of attacks, developing and monitoring secure products have become increasingly difficult.
Despite the wide-scale awareness of common security flaws in software products, e.g., buffer overflows, resource exhaustion, and structured query language (SQL) injection, the same flaws continue to exist in some current products. The objective of this paper is to introduce a technology-agnostic approach to integrating security into the product ...
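The SQL injection flaw named above illustrates the "strap-on" versus "ground-up" distinction concretely. The following Python example is added here by the editor and is not code from the book or its authors; the users table, the credentials and the inputs are constructed sample data. It contrasts a query built by string concatenation, the same query behind a bolt-on input filter, and the query written with parameter binding so that the component itself is secure.

```python
import sqlite3

# Constructed sample data for the example (not from the original text).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Flawed component: user input is concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def naive_injection_filter(value):
    """Bolt-on check: reject anything that looks like an injected OR clause.

    This is a deliberately weak blocklist, standing in for an add-on that
    tries to protect a component that was never secure on its own.
    """
    return " or " not in value.lower()


def login_filtered(conn, username, password):
    """Same flawed component, with the bolt-on filter in front of it."""
    if not (naive_injection_filter(username) and naive_injection_filter(password)):
        return False
    return login_vulnerable(conn, username, password)


def login_hardened(conn, username, password):
    """Ground-up fix: bind parameters so input is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Classic tautology: closes the string, then ORs a true comparison.
    classic = "' OR '1'='1"
    # Same tautology with SQL comments in place of spaces, which the
    # blocklist above does not see but SQLite happily parses.
    commented = "'/**/OR/**/'1'='1"
    print("vulnerable, classic :", login_vulnerable(db, "alice", classic))
    print("filtered,  classic  :", login_filtered(db, "alice", classic))
    print("filtered,  commented:", login_filtered(db, "alice", commented))
    print("hardened,  commented:", login_hardened(db, "alice", commented))
```

The filter stops the textbook payload and nothing else; the parameterized query needs no filter at all because the injected text can only ever be compared as a value. That is the difference between adding a control in front of a weak component and making the component secure in the first place.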