[Security_sig] Re: Draft: DCL Mid-Tier Application Server Profile description

[Ed Reed]

That should say business logic, not business login, in the 3rd paragraph.

>>>Ed Reed 04/28/05 1:57 pm >>>
Here's my first take on the description of what I mean by a Mid-Tier Application Server.  There are aspects, in this description, of environmental assumptions, security objectives, risk analysis, etc.  It's in English, though, or at least tries to be.  It's almost a short use case. 
                 
I'll follow with descriptions of the other profiles shortly. 
                 
Your comments and suggestions welcome (at least until I see them ;-) 
                 
Ed 
====================== 
Mid-Tier Application Server 
This is the classic mid-tier (in a three-tier architecture) application server, providing processing for applications that generally drive against databases held on a Database server (see 2.1.1, above).  One or many different applications may share the same server, and each may have its own configuration and administration responsible persons.  Keeping applications from getting in each others way, whether through version conflicts between shared libraries and resources, crashes, isolation of each others configurations and data, etc. is vital to avoid having one poorly written or administered application from crashing the entire application service platform.  Separating administrative duties among the various application administrators is vital. 
  
Users may access the system directly or through portals (see 2.1.3 Edge / Public Facing servers, below).  Though protected by firewalls, application access protocols (SOAP, HTTP, RPC, DCE, etc.) may be susceptible to buffer overflow and cross-site scripting attacks through the firewall holes that enable access to applications. 
  
The principle asset protected on the application server is the business login of the enterprise, the flow of transactions, the decisions that are made, the reports that are created, and the access to information provided.  Loss of service of an application, or more severely, several applications through the loss of the server, may have serious financial impact on an organization, though the loss of on-line sales, failure to respond to requests for information, increased customer, partner, or employee frustration, etc.  Denial of service is a serious risk. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linux-foundation.org/pipermail/security_sig/attachments/20050428/7da0ec0b/attachment-0001.htm