NETWORK WORLD NEWSLETTER: ANDREAS M. ANTONOPOULOS ON THE DATA CENTER
09/07/04

Today's focus: Securing homegrown applications for the data center
By Andreas M. Antonopoulos

Enterprise data centers often contain a lot of "homegrown" applications and application components. Whether these are entire applications or small, business-logic fragments running on an application server, they are often part of large, complex and mission-critical systems. Although security experts often criticize the vulnerabilities of operating systems and proprietary applications, these homegrown applications are also vulnerable.

Unlike commercial products, these applications do not receive scrutiny from a very wide audience. This is a mixed blessing: broader use of commercial applications will expose more bugs that lead to broad-based exploits such as worms. Homegrown applications are less likely to contain easily discoverable bugs, but can be the target of a much more dangerous type of attack, a directed and deliberate attack against just one enterprise: yours.

Bugs lurking in a privately developed application can remain unnoticed for years with no ill effect. Unfortunately, these bugs are exposed when the application is delivered outside the company's perimeter, to partners or clients (or the public).

Your development team may be unique, but the programming errors they make lead to all-too-common security vulnerabilities. Even commercial applications that are very heavily tested are still plagued with vulnerabilities, like buffer overflows, that arise from just a handful of bad programming habits.

You can protect your enterprise applications by laying on firewalls, intrusion detection systems, host intrusion detection systems and other security controls, but this can be a very expensive and often ineffective approach. As with commercial applications, security starts at, or before, the design stage of the software development lifecycle.

In a recent study by Nemertes Research, we found that IT executives expend 80% or more of their efforts on security before deploying applications. Here are some of the things that your peers are doing to secure applications during development:

* Picking the most secure platform for the job. At the requirements stage, you can choose what platform your application will run on - operating system, application server, virtual machine, programming language, compiler. All of these choices can influence how secure the final product is.

* Getting security specialists involved in design. Several studies have shown that "secure by design" applications are up to an order of magnitude cheaper to secure than applications that have security "bolted-on" later. A security specialist should have input or direct participation in the design team.

* Balancing features against security. It is tempting to keep adding features to an application, but each new feature creates additional security risks. One of the most fundamental design choices your team can make is finding the right balance between features and security. Some operating system vendors have yet to find this balance despite efforts to increase security.

* Pre-built security libraries: Your software development team will often need to use certain security functions, such as user authentication or password storage. If you create a well-tested and carefully written library of secure software components for such tasks, you can avoid many of the most common programming errors.

Bottom line: Security is much less expensive to apply if it is included at the earliest stages of software development. With proper training and good software engineering practices, you can avoid many common programming errors that lead to insecure applications.

RELATED EDITORIAL LINKS

How to deal with the 'porous perimeter'
Network World Data Center Newsletter, 06/01/04
http://www.nwfusion.com/nldatacenter541

Andreas M. Antonopoulos is principal research analyst at Nemertes Research.
Copyright Network World, Inc., 2004
