It is no secret that Internet and corporate intranet usage has exploded over the past few years and continues to grow rapidly. People have become very comfortable with many services offered on the World Wide Web (or simply “Web”) such as electronic mail, online shopping, gathering news and information, listening to music, viewing video clips, looking for jobs, and so forth. To keep pace with the growing demand for Internet-based services, there has been tremendous growth in Web based computer systems/applications hosting Websites, providing backend services for those sites, and storing data associated with those sites.
As Internet and intranet usage continues to grow, so does the number and severity of security-related attacks on applications such as those that operate over the Internet and intranets. Public interest in security centered on privacy as it relates to financial transactions and identity protection, and the rapid spread of computer viruses compromising data integrity, has increased pressure to make these applications and operating systems for executing these applications more secure.
Today, application developers typically see the development of any security aspects of an application as an afterthought. Perhaps this is because the networking industries have grown so fast that everyone's focus has been simply to keep up with the exploding demand by building additional applications. In this environment, security is generally considered to be technology that has no business value, but rather, considered to be technology that enables business processes. (E.g., adding open database connectivity (ODBC) to a computer program in itself adds no value to a business, but applications using ODBC do provide business value). Thus, developers often consider adding security features to computer program applications as unnecessary work that offers no significant financial return. Consequently, not much thought has gone into how to model security into distributed applications.
At best, security features are generally retrofitted into an application after all of the business value functionality has been completed or at least substantially completed. The downside with such traditional procedures to retrofit application security is that such solutions typically result in ad-hoc security solutions that are not only difficult to integrate into an application's framework, but that also may not be adequately integrated into the framework to mitigate substantially all of the real security threats to which the application may be exposed.
Accordingly, the following subject matter addresses these and other problems of conventional techniques to provide security to computer program applications only after the fundamental design and implementation of the computer program application has already taken place.