The posts over the next few days concern application security. What does that term signify? Well, there are several dimensions to computer security. First, there is physical security, controlling who has physical access to the hardware. Then, there is system access control, which is about controlling who is permitted to log on to the computers to perform such administrative tasks as the backing up of data, and the managing the applications deployed on the machines. Third, there is network access control, which is the issue of controlling who is permitted to access the network by which the computers are interconnected. Fourth, there is application infrastructure security, which is about securing the operating system, the HTTP server and the relational database management system that constitute the infrastructure of the applications running on the computers. And then, finally, we get to application security, which may be understood as the solution to two problems: first, the problem of user authentication, controlling who can access one’s application, and second, the problem of authorization, controlling what the users who are granted access to the application are allowed to do. So, in discussing application security, we are assuming that users are entitled access the physical hardware on which the application is deployed, and we are further assuming that they are entitled to log on to the machine and connect to the network. They may or may not be allowed to administer the machine, or to fiddle with the HTTP server or the database that the application depends on. With application security, all we are concerned about is controlling whether a user can access our application, and controlling what features of the application they are allowed to use.
[This posting is provided "AS IS" with no warranties, and confers no rights.]