PLoP 2002
Proceedings
Call for papers
Focus Topics
Paper Submissions
Schedule
Registration
Location
Call for Volunteers
All PLoPs


FOCUS TOPIC 3

Patterns for Securing (Enterprise) Software Applications

As Internet and e-business are gaining interest, security is becoming more important.
Standard 'perimeter security' approach (firewalls) do not offer sufficient protection.

As far as application security is concerned, there are some general methodologies for security design like ITSEC etc.
" Their application often requires very sophisticated knowledge of formal and mathematical techniques (e.g. 'Z').
" Nontrivial time and money investment, required in order to secure an application that way, might be excessive.
" Most of the commercial applications might not even need that level of sophistication.

What I believe has to be done is:

1. To come up with methods that would start by treating security as an integral part of application development process (which is to some extent already recognized as a need).

2. If we want software developers to implement security efficiently, we should come up with methods that start from the software architectural view of the application instead of starting from security reference models prescribed in documents that are not readable by the most software developers.

Working in 'Motorola Internet and Networking Group' as software architect / secure protocol architect and now in the Bank where I am on the 'other side of the fence' assessing applications' security, I can see that there is a big gap between software architects and security people.

In the paper that I am preparing for the conference I will address some of the security issues using the 'software architecture centric' approach. Since security is affected by all the aspects of the development (process, design, coding practices etc.), I would suggest that special focus topic is introduced where some patterns of (un) successful security implementation would be discussed.

Contact: Miroslav Kis, PhD. CISSP
Senior Advisor / Manager
Strategies and Technology
Information Security
Bank of Montreal Group of Companies
Email: [email protected] Voice: (416) 513-5283






PLoP is a trademark of The Hillside Group, Inc. Questions/comments to: webmaster.