Network Security Web-App-Sec

Re: Software security specifications

Subject: Re: Software security specifications
Date: Tue, 22 Feb 2005 16:53:10 +0100
The objective of the policy is to give a list of general security
considerations while designing the software, it could make a
distinction between web and client/server applications, there will be
lower level documents that will go into specific technology
implementations like .net or j2ee, pointing to security best practices
released by the vendors, there will also be a section regarding
architecture specific considerations, one example is user profiling
for web applications, we are currently designing a centralized
directory service, the policy will recommend that where possible, for
user profiling you must use this system... it will also give some
advice on stuff like data design, example is separating the data that
is used just by the application from the actual data that is
sensitive, and requires a higher level of protection.

Thanks Shawn


On Mon, 21 Feb 2005 23:04:38 -0800 (PST), udayan pathak
<udayan_pathak@yahoo.com> wrote:
Hi Shawn

Could you be a bit more specific about your question?

The applications being developed are they big enough
to involve concepts of Enterprise architecture?

The policy you are trying to develop is that a high
level policy or a more hands-on lower level policy
specific to the application?

Udayan

--- "i.matilde@gmail.com" <i.matilde@gmail.com> wrote:

I need to develop a policy that will list security requirements for
new applications developed internally or by contractors, general
specifications like validate input etc., I am looking for some good
resources on the subject, any recommendations?

Best Regards,

Shawn

