  • Reckless or Riskless: Another IBM i App Dev Expert Talks Security

    February 7, 2018 Dan Burger

    Security at the application level was the topic of an article in the Monday edition of The Four Hundred. Subject matter experts Brendan Kay, Alex Roytman, Robin Tatam, and Jon Paris provided insights and advice on the topic, which should be part of every organization’s overall security strategy. An additional perspective, which just missed the deadline for the Monday story, is being added today. It comes from Paul Tuohy, who lives eight time zones east of me, making the deadline I gave him a wee bit tight.

    Although this contribution stands on its own, when added to the insights published Monday, we believe the awareness of this topic certainly benefits from the comments made by all five experts.


    Paul Tuohy
    App Dev Expert
    ComCon and System i Developer

    Historically, application security was menu security. The thought process was that the only access to the data is through the programs; the only access to the programs is through the menus; so, secure the menus and you have secured the application.

    Of course, this changed (a long, long time ago) with the introduction of tools such as Query/400 and data transfer that allowed users to go straight to the data.

    Unfortunately, a lot of developers still think of security as something relating to menus. There is also the (mostly false) perception that security gets in the way of development.

    In reality, after a security policy has been put in place for an application, it has little or no impact on the day-to-day work of the developer of modern applications. Modern applications are tiered applications. This means security considerations are applicable in very specific places. This is very different from traditional monolithic programs that did everything and the same logic was applied in multiple programs.

    A security policy provides the rules that programmers must follow when writing certain types of programs/procedures (database access for instance). This is not unique to security. Most shops have programming standards that range from coding styles to how to handle record locking. Security is one more standard to apply.

    It’s an important requirement that checks are being made to ensure standards (security or otherwise) are being maintained. This can be done through code reviews and/or exit programs in a change management system that will validate code as it is being checked in.

    The key is that the security policy has to be in place and all developers need to understand it and the confines they are working under.

    The IBM i offers a plethora of security options and means of implementing security–from the generic library security, through adopted authority, to the granular row/column authority in the database. At the outset, someone must determine the best use of these application security tools. Developers then develop to that design. For instance, if row/column security is being implemented, developers must be aware that their programs may have to handle corresponding security violations.

    Of course, a modern system (the more modern the better) makes it easier to implement a security policy. A modern application would have a single database layer, which means only one place where security has to be implemented. Compare that to historical applications where a table may be accessed in multiple programs and secured in each program. This is why I say modern design architecture lends itself to easy security implementation, but it has to be part of the design.

    Developers should be aware of security pitfalls and those dangers should be part of the security policy. SQL injection attacks are one of the items a programmer might need to keep in mind.

    In a nutshell, security is part of the design of the application. Standards determine how the security considerations are implemented in the code and developers code to those standards. Adherence to the standards should be part of the application security process.

    But the best security application level is one that requires the minimum of dependence on the developers. I am a developer – and I don’t trust them!
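    The "granular row/column authority in the database" mentioned above is Db2 for i row and column access control (RCAC). The following is an added illustration, not code from Paul Tuohy or from IT Jungle; the schema HR_SCHEMA, the EMPLOYEES table, its columns and the group profiles HR and MGR are assumed names.

```sql
-- Assumed table: HR_SCHEMA.EMPLOYEES (EMP_ID, EMP_NAME, MANAGER, SSN, SALARY)
-- Assumed group profiles: HR (payroll staff) and MGR (line managers)

-- Row permission: HR sees every row; a manager sees only rows whose
-- MANAGER column names the current user. All other users see no rows,
-- because activating row access control adds a default deny-all permission.
CREATE PERMISSION HR_SCHEMA.EMP_ROWS ON HR_SCHEMA.EMPLOYEES
  FOR ROWS WHERE
       QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
    OR (QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        AND MANAGER = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: HR sees the full SSN, managers see only the last four
-- digits, everyone else sees NULL. The mask applies on read; the stored
-- value is untouched.
CREATE MASK HR_SCHEMA.EMP_SSN_MASK ON HR_SCHEMA.EMPLOYEES
  FOR COLUMN SSN RETURN
    CASE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
        THEN SSN
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        THEN 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
      ELSE NULL
    END
  ENABLE;

-- Turn both controls on. From here the rules are enforced by the
-- database for every interface (SQL, RPG native I/O, ODBC, Query),
-- which is the "single place" the article argues for.
ALTER TABLE HR_SCHEMA.EMPLOYEES
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- The application impact the article warns about: the same statement
-- returns a different row set per user, and an INSERT or UPDATE that
-- would produce a row the session user is not permitted to see is
-- rejected by Db2 with an SQL error the program has to handle.
SELECT EMP_ID, EMP_NAME, SSN
  FROM HR_SCHEMA.EMPLOYEES
 ORDER BY EMP_ID;
```

Because the permission is ENFORCED FOR ALL ACCESS, a manager's program that tries to insert an employee record with another manager's name in MANAGER fails, so the error-handling path has to exist even though the SELECT logic itself is unchanged.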

    Reader feedback on these insights can be emailed to IT Jungle.


    Tags: application security, IBM i


TFH Volume: 28 Issue: 10

Copyright © 2022 IT Jungle
