Chapter 1. A Security Primer

Securing computer and network systems, along with the information and knowledge they hold, is as important as, if not more important than, protecting other forms of assets such as buildings, roads, consignments, trade secrets, and confidential information critical to the functioning of businesses and governments. News headlines of high-profile electronic security attacks and many surveys of corporate IT (Information Technology)[1] security staff confirm that the incidence of electronic attacks is on the rise and is having a significant adverse impact on government, industry and people.

[1] Information Technology is a fuzzy term used for technologies to process, store and transport information in digital form.

A number of factors contribute to this trend, a primary one being that many existing systems, applications and processes were not designed or implemented to withstand such attacks. In many instances, even systems designed with security as one of the goals were later found to contain implementation problems, generally known as vulnerabilities. Such vulnerabilities allow unauthorized persons, or attackers, to gain entry into the victim's computer system. A compromised system could be used to access confidential information, perform illegal transactions or even launch attacks on other systems. As we will see later in the chapter, such security breaches could cause significant loss, financial or otherwise, to the owner of the compromised systems.

With growing reliance on computer systems for all sorts of activities—stock market operations, news gathering and delivery, company internal record keeping, company to company transactions, consumer oriented e-commerce, national power grid management, governance of the country and what not—it is imperative these systems keep functioning as intended and be secured from malicious attacks.

There are many aspects to building, deploying and operating secure systems, going far beyond the practice of programming and developing software applications. Though our primary objective in this book is to use J2EE (Java 2 Platform, Enterprise Edition) technology to build secure applications, it is helpful to begin with a broader discussion and understand how an application fits within the overall security landscape. This is what the present chapter aims to accomplish.
