Designing, building and deploying secure web applications requires a multi-level, multi-discipline approach. It is not sufficient for an application to simply be locked down via a firewall to the USDA trusted network. Most application attacks are committed by internal users who already have access to the application. It is therefore critical that applications be designed and built in such a way as to deter or prevent such attacks.
The following Enterprise Security principles should be considered while designing an application:
Authentication - Addresses the question: who are you? It is the process of uniquely identifying the clients of your applications and services. These might be end users, other services, processes, or computers. In our environment this is handled by eAuth.
Confidentiality - Also referred to as privacy. The process of making sure data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network. Encryption is frequently used to enforce confidentiality.
Integrity - The guarantee that data is protected from accidental or deliberate (malicious) modification. Like privacy, integrity is a key concern, particularly for data passed across networks. Assure that all data and applications can be trusted for use.
Availability - From a security perspective, availability means that systems remain available for legitimate users. The goal for many attackers with denial of service attacks is to crash an application or to make sure it is sufficiently overwhelmed so other users cannot access the application.
Some of the general vulnerabilities are:
Web Service Security: Web services can have many of the same vulnerabilities as user-facing applications. The same standards also apply to web services; however, web services are not secured behind eAuth. Instead, an XML Gateway product will be used to provide authentication and authorization for the web service. The XML Gateway will secure requests that originate outside of the FSA web farm. A web service should never be deployed in the same .ear file as a client-facing application.