Reckless or Riskless: Another IBM i App Dev Expert Talks Security

    February 7, 2018 Dan Burger

    Security at the application level was the topic of an article in the Monday edition of The Four Hundred. Subject matter experts Brendan Kay, Alex Roytman, Robin Tatam, and Jon Paris provided insights and advice on the topic, which should be part of every organization’s overall security strategy. An additional perspective, which just missed the deadline for the Monday story, is being added today. It comes from Paul Tuohy, who lives eight time zones east of me, making the deadline I gave him a wee bit tight.

    Although this contribution stands on its own, we believe awareness of this topic benefits from reading it alongside the insights published Monday, so that the comments of all five experts are taken together.


    Paul Tuohy
    App Dev Expert
    ComCon and System i Developer

    Historically, application security was menu security. The thought process was that the only access to the data is through the programs; the only access to the programs is through the menus; so, secure the menus and you have secured the application.

    Of course, this changed (a long, long time ago) with the introduction of tools such as Query/400 and data transfer that allowed users to go straight to the data.

    Unfortunately, a lot of developers still think of security as something relating to menus. There is also the (mostly false) perception that security gets in the way of development.

    In reality, after a security policy has been put in place for an application, it has little or no impact on the day-to-day work of the developer of modern applications. Modern applications are tiered applications. This means security considerations are applicable in very specific places. This is very different from traditional monolithic programs that did everything and the same logic was applied in multiple programs.

    A security policy provides the rules that programmers must follow when writing certain types of programs/procedures (database access for instance). This is not unique to security. Most shops have programming standards that range from coding styles to how to handle record locking. Security is one more standard to apply.

    It’s an important requirement that checks are being made to ensure standards (security or otherwise) are being maintained. This can be done through code reviews and/or exit programs in a change management system that will validate code as it is being checked in.

    The key is that the security policy has to be in place and all developers need to understand it and the confines they are working under.

    The IBM i offers a plethora of security options and means of implementing security–from the generic library security, through adopted authority, to the granular row/column authority in the database. At the outset, someone must determine the best use of these application security tools. Developers then develop to that design. For instance, if row/column security is being implemented, developers must be aware that their programs may have to handle corresponding security violations.

    Of course, a modern system (the more modern the better) makes it easier to implement a security policy. A modern application would have a single database layer, which means only one place where security has to be implemented. Compare that to historical applications where a table may be accessed in multiple programs and secured in each program. This is why I say modern design architecture lends itself to easy security implementation, but it has to be part of the design.

    Developers should be aware of security pitfalls and those dangers should be part of the security policy. SQL injection attacks are one of the items a programmer might need to keep in mind.

    In a nutshell, security is part of the design of the application. Standards determine how the security considerations are implemented in the code and developers code to those standards. Adherence to the standards should be part of the application security process.

    But the best application-level security is one that requires the minimum of dependence on the developers. I am a developer – and I don’t trust them!
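    As an added illustration of the two points above (the single database layer as the one place where security is implemented, and SQL injection as the pitfall a developer must keep in mind), the following Python program is not code from the article or from Paul Tuohy. It uses SQLite in place of Db2 for i and a Python class in place of an RPG service program, purely so the example runs anywhere. The EMPLOYEE table, its rows, the user names and the department map are all constructed for the example; the map is a hypothetical stand-in for a Db2 for i row permission (the row/column authority the article refers to, defined on the table with CREATE PERMISSION and CREATE MASK), which the database would enforce for every interface rather than this program alone.

```python
import sqlite3

# Constructed sample rows; on IBM i this would be a Db2 for i table in a library.
_ROWS = [
    (1, "ALICE", "SALES", 52000),
    (2, "BOB", "SALES", 48000),
    (3, "CAROL", "HR", 61000),
    (4, "DAVE", "FINANCE", 70000),
]

# Hypothetical stand-in for a row permission: the departments each user may read.
# On Db2 for i this rule would live in a CREATE PERMISSION on the table, so the
# database enforces it for SQL, Query and data transfer alike, not just here.
_ALLOWED_DEPTS = {
    "SALESMGR": {"SALES"},
    "HRCLERK": {"HR"},
    "AUDITOR": {"SALES", "HR", "FINANCE"},
}


def open_db():
    """Build the in-memory EMPLOYEE table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE EMPLOYEE (ID INTEGER, NAME TEXT, DEPT TEXT, SALARY INTEGER)"
    )
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?, ?)", _ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The 'secured in each program' anti-pattern: the statement is built by
    concatenation, so every program that copies it is its own injection point.
    A name of  X' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT ID, NAME, DEPT, SALARY FROM EMPLOYEE WHERE NAME = '" + name + "'"
    return conn.execute(sql).fetchall()


class EmployeeRepository:
    """The single database layer the article argues for. Every read of
    EMPLOYEE goes through here, so parameter binding and the row rule are
    implemented once instead of in each calling program."""

    def __init__(self, conn, user):
        self._conn = conn
        self._user = user

    def _allowed_depts(self):
        depts = _ALLOWED_DEPTS.get(self._user)
        if not depts:
            # A user with no permission at all is a security violation the
            # caller must expect and handle, not silently an empty result.
            raise PermissionError(f"{self._user} has no row access to EMPLOYEE")
        return sorted(depts)

    def find_by_name(self, name):
        """Parameterised lookup restricted to the caller's permitted rows.
        The user-supplied name is bound as a value and can never change the
        statement text."""
        depts = self._allowed_depts()
        placeholders = ", ".join("?" for _ in depts)
        sql = (
            "SELECT ID, NAME, DEPT, SALARY FROM EMPLOYEE "
            f"WHERE NAME = ? AND DEPT IN ({placeholders})"
        )
        return self._conn.execute(sql, [name, *depts]).fetchall()


def safe_lookup(conn, user, name):
    """How a calling program handles the violation: None means 'not
    authorised', which the caller can report without leaking any data."""
    try:
        return EmployeeRepository(conn, user).find_by_name(name)
    except PermissionError:
        return None


if __name__ == "__main__":
    db = open_db()
    payload = "X' OR '1'='1"
    print("unsafe rows:", len(lookup_unsafe(db, payload)))            # whole table
    print("safe rows:  ", len(safe_lookup(db, "SALESMGR", payload)))  # nothing
    print("own dept:   ", safe_lookup(db, "SALESMGR", "ALICE"))       # one row
    print("other dept: ", safe_lookup(db, "SALESMGR", "CAROL"))       # HR row filtered
    print("no access:  ", safe_lookup(db, "NOBODY", "ALICE"))         # None
```

    The contrast is the article's argument in code: lookup_unsafe is what a table "secured in each program" looks like, and one careless copy of it hands over the whole table; EmployeeRepository is the one place where binding and the row rule are checked, which is also the one place a code review or a change-management exit program needs to inspect.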

    Reader feedback on these insights can be emailed to IT Jungle.

    RELATED STORIES

    Reckless or Riskless: IBM i App Dev Experts Talk Security

    Testing For Security Inadequacies

    Developers Can Improve Security and Reduce the Administrative Cost of Security

    IBM i 7.3: High Time For High Security

    IBM i 7.2 Tightens Data Access And Security


    Tags: application security, IBM i



TFH Volume: 28 Issue: 10
