Patterns for Securing (Enterprise) Software Applications
As the Internet and e-business gain
interest, security is becoming more important.
The standard 'perimeter security' approach (firewalls) does not
offer sufficient protection.
As far as application security is concerned,
there are some general methodologies for security design
like ITSEC etc.
- Their application often requires very sophisticated
knowledge of formal and mathematical techniques (e.g. 'Z').
- Nontrivial time and money investment, required in
order to secure an application that way, might be excessive.
- Most of the commercial applications might not even
need that level of sophistication.
What I believe has to be done is:
1. To come up with methods that would
start by treating security as an integral part of application
development process (which is to some extent already recognized
as a need).
2. If we want software developers to implement
security efficiently, we should come up with methods that
start from the software architectural view of the application
instead of starting from security reference models prescribed
in documents that are not readable by most software
developers.
Working in the 'Motorola Internet and Networking
Group' as a software architect / secure protocol architect
and now in the Bank where I am on the 'other side of the
fence' assessing applications' security, I can see that
there is a big gap between software architects and security
people.
In the paper that I am preparing for the
conference I will address some of the security issues using
the 'software architecture centric' approach. Since security
is affected by all the aspects of the development (process,
design, coding practices etc.), I would suggest that a special
focus topic be introduced where some patterns of (un)successful
security implementation would be discussed.
Contact: Miroslav Kis, PhD. CISSP
Senior Advisor / Manager
Strategies and Technology
Information Security
Bank of Montreal Group of Companies
Email: miroslav.kis@bmo.com
Voice: (416) 513-5283