Java
Java is an object-oriented language used not only to write applets, but also as a general-purpose programming language. Java bytecode is platform-independent: it is interpreted by the Java Virtual Machine (JVM). The JVM is available for a variety of operating systems, including Linux, FreeBSD, and Microsoft Windows.
Java applets run in a sandbox, which segregates the code from the operating system. The sandbox is designed to prevent an attacker who can compromise a Java applet from accessing system files, such as the password file. Code that runs in the sandbox must be self-sufficient: it cannot rely on operating system files that exist outside the sandbox. A trusted shell is a statically compiled shell (it does not use operating system shared libraries), which can therefore be used inside a sandbox.
ActiveX
ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security. ActiveX controls are tied more closely to the operating system, allowing functionality such as installing patches via Windows Update. Unlike Java, ActiveX is a Microsoft technology that works on Microsoft Windows operating systems only.
OWASP
The Open Web Application Security Project (OWASP, see https://www.owasp.org) represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving organizations’ application security posture. One of their best-known projects is the OWASP Top 10 project, which provides consensus guidance on what are the 10 most significant application security risks. The OWASP Top 10 is available at https://owasp.org/www-project-top-ten/.
In addition to the wealth of information about application security threats, vulnerabilities, and defenses, OWASP also maintains several security tools available for free download, including a leading interception proxy: ZAP, the Zed Attack Proxy.
XML
XML (Extensible Markup Language) is a markup language designed as a standard way to encode documents and data. XML is similar to, but more universal than, HTML. XML is used on the Web but is not tied to it: XML can be used to store application configuration and output from auditing tools, and has many other uses. Extensible means users may use XML to define their own data formats.
Service Oriented Architecture (SOA)
Service Oriented Architecture (SOA) attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. The service can be used and reused throughout an organization rather than built within each individual application that needs the functionality offered by the service.
Services are expected to be platform independent and able to be called in a generic way not dependent upon a particular programming language. The intent is that any application may leverage the service simply by using standard means available within their programming language of choice. Services are typically published in some form of a directory that provides details about how the service can be used, and what the service provides.
Though Web services are not the only example, they are the most common example provided for the SOA model. XML or JSON (JavaScript Object Notation) is commonly used for the underlying data structures of Web services, SOAP (originally an acronym for “Simple Object Access Protocol,” but now simply “SOAP”) or REST (Representational State Transfer) provides the connectivity, and the WSDL (Web Services Description Language) provides details about how the Web services are to be invoked.
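The following added example (not from the book) shows the same hypothetical stock-quote service invoked the two ways described above: a SOAP call whose data is carried as XML, and a REST call that returns JSON. The service name, namespace (urn:example:stockquote), and the response messages are all constructed here for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:stockquote"                        # hypothetical service namespace

def check_symbol(symbol):
    """Untrusted input goes into an XML body or a URL path: whitelist it first."""
    if not re.fullmatch(r"[A-Z]{1,5}", symbol):
        raise ValueError("invalid ticker symbol")
    return symbol

def build_soap_request(symbol):
    """SOAP: the GetQuote operation is wrapped in an Envelope/Body (XML carries the data)."""
    check_symbol(symbol)
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("q", SVC_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SVC_NS}}}GetQuote")
    ET.SubElement(call, f"{{{SVC_NS}}}Symbol").text = symbol
    return ET.tostring(env, encoding="utf-8")

def parse_soap_response(xml_bytes):
    """Walk Envelope/Body/GetQuoteResponse/Price; anything else is a malformed reply.
    XML from a remote service is untrusted input: use a hardened parser such as
    defusedxml in production rather than the bare stdlib parser used here."""
    root = ET.fromstring(xml_bytes)
    price = root.find(f"./{{{SOAP_NS}}}Body/{{{SVC_NS}}}GetQuoteResponse/{{{SVC_NS}}}Price")
    if price is None or price.text is None:
        raise ValueError("malformed SOAP response")
    return float(price.text)

def build_rest_request(symbol):
    """REST: the same operation becomes an HTTP verb plus a resource path, no envelope."""
    return ("GET", f"/quotes/{check_symbol(symbol)}", {"Accept": "application/json"})

def parse_rest_response(json_text):
    """JSON reply; validate shape before trusting the value."""
    data = json.loads(json_text)
    if not isinstance(data, dict) or "price" not in data:
        raise ValueError("malformed JSON response")
    return float(data["price"])

# Constructed sample replies, standing in for what the service would return.
SOAP_RESPONSE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                 b'<soap:Body><q:GetQuoteResponse xmlns:q="urn:example:stockquote">'
                 b'<q:Price>42.50</q:Price></q:GetQuoteResponse></soap:Body></soap:Envelope>')
REST_RESPONSE = '{"symbol": "ACME", "price": 42.50}'
```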
Exam Warning
Do not confuse Service Oriented Architecture (SOA) with SOAP. They are related, but different concepts: SOA may use SOAP for connectivity.