Security in Application Design
Input validation is commonly discussed and is an essential component of application development. Input data can be validated only if the application design sets the rules for all forms of data input and interaction. Flexible designs often have common layers and libraries for validating input that can easily be plugged into any module that receives or transmits data.
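One way such a common validation layer can look, as an added example that is not from the original article: the rules are declared once per input channel, and any module plugs in through a decorator. The channel name, field names, patterns, and the handle_login handler are hypothetical.

```python
import re
from dataclasses import dataclass
from functools import wraps

class ValidationError(ValueError): pass

@dataclass(frozen=True)
class Rule:
    pattern: str          # allowlist regex, matched against the whole value
    max_len: int
    required: bool = True

# Constructed rule set: one schema per input channel named in the design.
SCHEMAS = {
    "login": {
        "username": Rule(r"[A-Za-z0-9_.-]{3,32}", 32),
        "otp": Rule(r"[0-9]{6}", 6, required=False),
    },
}

def validate(channel, data):
    schema = SCHEMAS[channel]
    unknown = set(data) - set(schema)
    if unknown:  # undeclared fields are rejected, not silently ignored
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for name, rule in schema.items():
        if name not in data:
            if rule.required:
                raise ValidationError(f"missing field: {name}")
            continue
        value = data[name]
        if not isinstance(value, str):
            raise ValidationError(f"{name}: expected a string")
        if len(value) > rule.max_len:  # cheap length check before the regex
            raise ValidationError(f"{name}: too long")
        if not re.fullmatch(rule.pattern, value):
            raise ValidationError(f"{name}: bad format")
    return {name: data[name] for name in schema if name in data}

def validated(channel):  # plugs the shared layer into any module's handler
    def wrap(handler):
        @wraps(handler)
        def inner(data):
            return handler(validate(channel, data))
        return inner
    return wrap

@validated("login")
def handle_login(fields):  # hypothetical handler in a receiving module
    return f"login attempt for {fields['username']}"
```

Because every handler goes through the same validate call, a rule changed in SCHEMAS takes effect in every module that receives that channel's data.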
Data protection starts from the fact that there are differing classes of data within any application. Some types of data are not sensitive and require no privacy protection. Other types of data would be considered extremely sensitive and would benefit from some form of privacy protection. Aspects of privacy that the application designer should look at are:
- Memory separation and isolation: consider moving sensitive information to isolated processes, hardware, or systems.
- Encryption of stored or in-memory data: the use of encryption can enhance the security of an application, especially where the exposure of critical data has widespread negative effects (compliance, legal, and safety).
Use the guidelines here as an impetus to think and analyze at a deeper level about what your application is going to do, how it will respond to many different scenarios, and how you can enhance its security by spending a little more time on design. Look for future articles that cover possible designs and models that you can use in your applications.
About the Author
Chad Cook has spent over a dozen years in Information Security that include both product engineering and IT services. Chad has developed IT service security strategies, networks and policies for organizations including BBN and GTE Internetworking, Infolibria, and the international security consulting firm, @stake/Symantec. He has architected and developed security technology for award-winning networking products sold worldwide, including core routers, edge devices, utility hosting systems and web services security devices. Chad has nine patents applied for and pending on security analysis, modeling techniques, and security processing acceleration.
Currently, Chad is the VP of Information Security at Lime Group, a New York securities and brokerage organization, where he leads product architecture, infrastructure security and compliance efforts. Prior to Lime Group, he designed and developed security risk management and threat modeling products as CTO at Black Dragon Software. Chad has held lead engineering and security positions developing products at BBN, Infolibria, Forum Systems, and Zetari, Inc. Chad is an internationally published author on security topics, having contributed to two books, Maximum Security, 3rd and 4th editions. He has been featured in numerous articles and has also written articles for Symantec's SecurityFocus.com.
A frequent speaker, Chad has spoken at NATO and United Nations forums
on security, numerous conferences, analyst's events and security