Alik Levin

The world of a Microsoft consultant

"I do want to write secure code, where do I start?..."

That's great! If someone already wants to spend her time/money/resources [which are apparently all the same] building more secure software, then that alone can be considered a great start. To me, application security is no different from any other application feature - really it is not. And if you adopt this approach, then it is easy to handle it throughout the dev project's lifecycle - no matter where the project currently is [planning, architecture, coding etc.]. If you treat Security as a feature, then you can apply the same skills you use for any other feature, e.g. gathering requirements, designing, building, testing, deploying, maintaining.

"Right, security is a feature. I do not get it... Is it authN, authZ, SSL, firewall?".

Who asked that? This is a great question. And we do have a great answer, and it is the Security Frame, which consists of ten items [follow the link, and do not forget to check on the page's rating].

Now I guess it is much easier to handle App Security throughout the dev lifecycle, now that it has flesh and blood.

"So, where do I start?".

Oh, right... From a Security Engineering perspective there is something to assist you in each of the project's phases. That "something" usually consists of guidance content, checklists, and how-to's [there is actually a lot more...] - start here.

Enjoy

Posted: Apr 19 2006, 08:10 PM by alikl | with 3 comment(s)

Comments

Arnon Rotem-Gal-Oz wrote:

Hi Alik,
First off, congrat. on your new blog :)

You said " To me, application security is not different from other application feature - really it is not"
The problem is that it isn't
On the one hand it doesn't really add functionality to the project - and many times it makes problems for other aspects of the software like performance (things can take longer since you need decryption or you need to unicast or whatever), usability (you suddenly have to key in those funky passwords etc.) - the result of this is that Security can get neglected.
On the other hand - Security is system-wide, which makes it an architectural issue ("a system quality attribute"). You can't just step to the final iteration and say, ok, all we have left now is to add the bar graph, oh yeah, and security too.
The result of this is that you need to build it into the product/project carefully and from the beginning.

Arnon
# April 20, 2006 6:58 PM

alik levin's wrote:

But I actually was looking at my blog's endless list of comments [exactly 2] and one of which was...
# September 29, 2006 9:12 PM

alik levin's wrote:

But I actually was looking at my blog's endless list of comments [exactly 2] and one of which was from

# November 24, 2006 11:35 PM