Chapter 5. Defining the Solution – ITU-T X.805 Standard Explained
"The nice thing about standards is that there are so many of them to choose from."
--Andrew S. Tanenbaum
Executive Summary
There are no shortcuts. As explained in Chapter 4, aftermarket security means the end user is resigned to perimeter-based security, dependent upon detection capabilities that cannot overcome the zero-day threat. The only remedy is a seemingly endless patching process. This model simply doesn't protect the e-commerce environments of the present, nor those of a future Web 2.0 in which data control is further diffused.
Applying security appropriately starts when the product is designed and engineered. This is the foundation for secure technology solutions and services and continues through the Security Value Life Cycle as defined earlier. The need for security metrics is paramount, and it is time to engage in the "how" part of this discussion.
Security design starts by applying the eight security dimensions of the ITU-T X.805 ("X.805") standard model and building products as component parts in an overall network solution with a direct relationship to the process and policy of certifications and compliance. Chapter 5 starts with a brief examination of the landscape of standards, certifications and regulatory compliance frameworks, postulating that the combination of X.805 and the ISO/IEC 27000 series standards is the right approach.
The X.805 standard starts to answer one of the primary concerns: a framework to guide ...