Basic Definitions

In this section we are going to define basic concepts that will help better understand the terminologies used in the rest of this chapter.


A target system is defined from a hacker's perspective: That is, it is your system! It is referred to as a “target” because it is targeted by hackers. Although the term “target” is singular, all of your system components, including hardware, networking infrastructure, applications, frameworks, storage mechanisms, and the sensitive data they contain, together serve as the target for your adversaries. As it pertains to the application space, the two important classes of target are:

  • Native applications: Programs that run directly at the operating system level and do not depend on an intermediary runtime environment such as a Java Virtual Machine (JVM), a Microsoft .NET Common Language Runtime (CLR), or any other runtime to execute. Native applications can run standalone and could potentially have more privileges than their Web application counterparts.
  • Web apps: Programs that run inside a JVM, a CLR, or any other runtime, and depend on the services that are made available to them by the runtime, and therefore cannot run standalone.


As we noted in Chapter 4, security is a function of threat: Without a threat, security becomes an abstract concept that may not be of practical value to you. A threat is the potential for the threat-source to exploit a specific vulnerability or mount an actual attack. A threat-source ...

Get Web Commerce Security Design and Development now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.