YOUR FEEDBACK
Bill Miller wrote: Good article. Data Services is a great place to get value from SOA, and a great...
Oct. 10, 2008 11:35 AM
Did you read today's front page stories & breaking news?
SYS-CON.TV: Eclipse Adds SOA, AJAX, and Flex Tools. Guests Mike Milinkovich and Mike Tylor


2008 East
DIAMOND SPONSOR:
Data Direct
Frontiers in Data Access: The Coming Wave in Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
Intel
Virtualization – Path to Predictive Enterprise
Green Hills
IT Security in a Hostile World
JBoss / freedom oss
Practical SOA Approach
GOLD SPONSORS:
Software AG
The Art & Science of SOA: How Governance Enables Adoption
PlateSpin
Effective Planning for Virtual Infrastructure Growth
Fujitsu
Automated Business Process Discovery & Virtualization Service
Ceedo
Workspace Virtualization
Click For 2007 West
Event Webcasts

2008 East
PLATINUM SPONSORS:
Appcelerator
Think Fast: Accelerate AJAX Development with Appcelerator
GOLD SPONSORS:
DreamFace Interactive
The Ultimate Framework for Creating Personalized Web 2.0 Mashups
ICEsoft
AJAX and Social Computing for the Enterprise
Kaazing
Enterprise Comet: Real–Time, Real–Time, or Real–Time Web 2.0?
Nexaweb
Now Playing: Desktop Apps in the Browser!
Sun
jMaki as an AJAX Mashup Framework
POWER PANELS:
The Business Value
of RIAs
What Lies Beyond AJAX?
KEYNOTES:
Douglas Crockford
Can We Fix the Web?
Anthony Franco
2008: The Year of the RIA
Click For 2007 Event Webcasts
SYS-CON.TV
TOP THREE LINKS YOU MUST CLICK ON


Applications
Building Security into Software with Security Policies & Static Analysis
Security, like quality, must be built into the application - not achieved through bug-finding

By: Dr. Adam Kolawa
Feb. 19, 2008 04:15 PM

The common approach to securing applications is to try to identify and remove all of the application's security vulnerabilities at the end of the development process. However, this bug-finding approach is not only resource-intensive, it's largely ineffective. To have any chance of exposing all of the security vulnerabilities that may be nested throughout the application, the team would have to identify every single path through the application then rigorously test each and every one. And any error found would be difficult to fix, considering that the effort, cost, and time required to fix each one increases exponentially as the development process progresses. Most importantly, the bug-finding approach to security fails to address the root cause of the problem - the fact that security, like quality, must be built into the application.

Building security into an application involves designing and implementing the application according to a policy for reducing the risk of security attacks then verifying that the policy is implemented and operating correctly.

Published Feb. 19, 2008— Reads 7,155
Copyright © 2008 SYS-CON Media. All Rights Reserved.
Related Stories
▪ SOA Best Practices - Four Steps to Securing Your Web Services
▪ OSS: A Tactical Plan for Building Applications
▪ SOA World - Exclusive Q&A with Dr Adam Kolawa, Co-founder & CEO of Parasoft
About Dr. Adam Kolawa
Adam Kolawa is the co-founder and CEO of Parasoft, leading provider of solutions and services that deliver quality as a continuous process throughout the SDLC. In 1983, he came to the United States from Poland to pursue his PhD. In 1987, he and a group of fellow graduate students founded Parasoft to create value-added products that could significantly improve the software development process. Adam's years of experience with various software development processes has resulted in his unique insight into the high-tech industry and the uncanny ability to successfully identify technology trends. As a result, he has orchestrated the development of numerous successful commercial software products to meet growing industry needs to improve software quality - often before the trends have been widely accepted. Adam has been granted 10 patents for the technologies behind these innovative products. Kolawa, co-author of Bulletproofing Web Applications (Hungry Minds 2001), has contributed to and written over 100 commentary pieces and technical articles for publications including The Wall Street Journal, Java Developer's Journal, SOA World Magazine, AJAXWorld Magazine; he has also authored numerous scientific papers on physics and parallel processing. His recent media engagements include CNN, CNBC, BBC, and NPR. Additionally he has presented on software quality, trends and development issues at various industry conferences. Kolawa holds a Ph.D. in theoretical physics from the California Institute of Technology. In 2001, Kolawa was awarded the Los Angeles Ernst & Young's Entrepreneur of the Year Award in the software category.

LATEST JAVA STORIES & POSTS
By Adam Lieber
In the past couple of years, interest in Jetty has surged. Jetty is an open source Java-based web and application server and servlet container, but what else do you know about it? To commemorate the 12th anniversary of Jetty, here are 12 things that might surprise you
By RIA News Desk
JavaScript is one of the most interesting and misunderstood programming languages in common use today. Most developers will go their entire careers without realizing its full potential. It's not often that you get a language that supports the feature set that JavaScript does, whi...
By RIA News Desk
JavaScript 2 is becoming increasingly important. Learn how to take advantage of JavaScript 2 while still running in today's browsers. Leverage your current JavaScript and HTML skills to build applications that run in Flash 7-9, DHTML and more with no code changes! OpenLaszlo 4.2 ...
By RIA News Desk
JavaScript is a language with more than its share of bad parts. It went from non-existence to global adoption in an alarmingly short period of time. It never had an interval in the lab when it could be tried out and polished. JavaScript has some extraordinarily good parts. In Jav...
By Paul O'Connor
The one thing that unifies the distributed computing style known as SOA, in most of its manifestations, is self-describing data via the Extensible Markup Language (XML). The benefits of XML over opaque message formats in data interchange are well established. No matter if your fo...
By Alan Williamson
Cloud computing is an opportunity for businesses to implement low-cost, low-power and high-efficiency systems to deliver scalable infrastructure. But moving to a cloud infrastructure is not necessarily as nice and clean as the providers would want you to think. With cloud infrast...
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021

SYS-CON FEATURED WHITEPAPERS

MOST READ THIS WEEK
By Jos Dirksen; Tijs Rademakers
By .NETDJ News Desk
By Maureen O'Gara
By James Irwin
By Java News
By Java News
By Adam Lieber
SPONSORED BY INFRAGISTICS
In every field of design one of the first things students do is learn from the work of others. They ...
Oct. 7, 2008 11:15 PM
There are many forces that influence technological evolution. After a decade of building enterprise ...
Jun. 30, 2008 03:45 PM
2008 is going to be an important year for Rich Internet Applications. Most organizations are deliver...
Jun. 20, 2008 12:45 PM
The OpenAjax Alliance is developing an Ajax industry wishlist for future browsers, using a dedicated...
Jun. 18, 2008 07:45 PM
Infragistics announced the availability of two Community Technology Preview (CTP) User Interface (UI...
Jun. 4, 2008 08:00 AM
The YUI development team has released version 2.5.2; you can download the new release from SourceFor...
Jun. 2, 2008 05:00 AM
ADS BY GOOGLE
BREAKING JAVA NEWS
SYS-CON MEDIA