List: osdl-security-sig
Subject: [Security_sig] Re: Draft: DCL Mid-Tier Application Server Profile
From: "Ed Reed" <ereed () novell ! com>
Date: 2005-04-28 18:00:34
Message-ID: s270d073.026 () sinclair ! provo ! novell ! com
That should say business logic, not business login, in the 3rd paragraph.
> > > Ed Reed 04/28/05 1:57 pm >>>
Here's my first take on the description of what I mean by a Mid-Tier Application Server. There are aspects, in this description, of environmental assumptions, security objectives, risk analysis, etc. It's in English, though, or at least tries to be. It's almost a short "use case".
I'll follow with descriptions of the other profiles shortly.
Your comments and suggestions welcome (at least until I see them ;-)
Ed
======================
Mid-Tier Application Server
This is the classic mid-tier (in a three-tier architecture) application server, providing processing for applications that generally drive against databases held on a Database server (see 2.1.1, above). One or many different applications may share the same server, and each may have its own persons responsible for configuration and administration. Keeping applications from getting in each other's way, whether through version conflicts between shared libraries and resources, crashes, isolation of each other's configurations and data, etc., is vital to prevent one poorly written or administered application from crashing the entire application service platform. Separating administrative duties among the various application administrators is vital.
Users may access the system directly or through portals (see 2.1.3 Edge / Public Facing servers, below). Though protected by firewalls, application access protocols (SOAP, HTTP, RPC, DCE, etc.) may be susceptible to buffer overflow and cross-site scripting attacks through the firewall holes that enable access to applications.
The principal asset protected on the application server is the business login of the enterprise, the flow of transactions, the decisions that are made, the reports that are created, and the access to information provided. Loss of service of an application, or more severely, several applications through the loss of the server, may have serious financial impact on an organization, through the loss of on-line sales, failure to respond to requests for information, increased customer, partner, or employee frustration, etc. Denial of service is a serious risk.
_______________________________________________
security_sig mailing list
security_sig@lists.osdl.org
http://lists.osdl.org/mailman/listinfo/security_sig