Enterprise Java applications still serve business-critical processes, yet they remain exposed to evolving security threats and regulatory demands. Traditional compliance-based security methods tend to respond to audits or attacks instead of preventing them. This paper introduces a risk-based security architecture that allocates protection according to business impact, threat probability, and exposure. Threat modeling, dependency risk analysis, and layered security controls help organizations reduce their attack surface proactively without degrading performance or delivery velocity. The strategy is explained with real-life enterprise Java examples to facilitate its use in practice.
Intended Audience
The audience targeted in this article is enterprise architects, senior Java developers, security architects, and DevSecOps teams who are required to design, modernize, or secure large-scale Java applications. In recent years, a number of enterprise breaches have been initiated not by a zero-day exploit but by a known vulnerability that had not been prioritized, e.g. an outdated library, an open API, or a poorly configured integration. In a number of instances, the organizations were technically compliant but still exposed because their homogeneous, checklist-driven security measures did not concentrate on the high-risk elements.
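The difference between a checklist-driven view and a risk-based view can be made concrete by ranking dependency findings two ways: once by CVSS alone, and once by business impact, threat likelihood, and exposure. The following Java program is an added example, not code from the article; the scoring formula, the enum weights, and the sample findings (artifact names, versions, CVSS values, and deployment context) are constructed assumptions for illustration. It shows how an outdated library behind an internet-facing, business-critical API can outrank a higher-CVSS library in an internal batch job.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

/**
 * Risk-based prioritization of dependency scan findings.
 * Added example (not from the article): the scoring formula, weights and
 * sample findings below are constructed assumptions, not a published standard.
 */
public class DependencyRiskRanker {

    /** Exposure of the component that uses the vulnerable dependency. */
    enum Exposure {
        INTERNET_FACING(1.0), PARTNER_NETWORK(0.6), INTERNAL_ONLY(0.3);
        final double weight;
        Exposure(double weight) { this.weight = weight; }
    }

    /** Business impact if the component is compromised. */
    enum BusinessImpact {
        CRITICAL(1.0), HIGH(0.7), MEDIUM(0.4), LOW(0.2);
        final double weight;
        BusinessImpact(double weight) { this.weight = weight; }
    }

    /** One finding from a dependency (SCA) scan, enriched with deployment context. */
    record Finding(String artifact, String version, String component,
                   double cvss, boolean exploitKnown,
                   Exposure exposure, BusinessImpact impact) {}

    record ScoredFinding(Finding finding, double risk) {}

    /**
     * Likelihood: CVSS base score scaled to [0, 1], boosted by 1.5x when a public
     * exploit is known (capped at 1.0). Risk = impact * likelihood * exposure.
     */
    static double riskScore(Finding f) {
        double boost = f.exploitKnown() ? 1.5 : 1.0;
        double likelihood = Math.min(1.0, f.cvss() / 10.0 * boost);
        return f.impact().weight * likelihood * f.exposure().weight;
    }

    /** Checklist view: order purely by CVSS, which audit-driven processes tend to do. */
    static List<Finding> rankByCvss(List<Finding> findings) {
        List<Finding> copy = new ArrayList<>(findings);
        copy.sort(Comparator.comparingDouble(Finding::cvss).reversed());
        return copy;
    }

    /** Risk-based view: order by business impact, likelihood and exposure. */
    static List<ScoredFinding> rankByRisk(List<Finding> findings) {
        List<ScoredFinding> scored = new ArrayList<>();
        for (Finding f : findings) {
            scored.add(new ScoredFinding(f, riskScore(f)));
        }
        scored.sort(Comparator.comparingDouble(ScoredFinding::risk).reversed());
        return scored;
    }

    public static void main(String[] args) {
        // Constructed sample findings: artifact names, versions and CVSS values are illustrative.
        List<Finding> findings = List.of(
            new Finding("example-json-parser", "1.2.0", "public-orders-api", 7.5, true,
                        Exposure.INTERNET_FACING, BusinessImpact.CRITICAL),
            new Finding("example-xml-lib", "2.0.1", "nightly-report-batch", 9.8, false,
                        Exposure.INTERNAL_ONLY, BusinessImpact.LOW),
            new Finding("example-http-client", "4.1.3", "partner-sync", 8.1, false,
                        Exposure.PARTNER_NETWORK, BusinessImpact.HIGH)
        );

        System.out.println("Checklist order (CVSS only):");
        for (Finding f : rankByCvss(findings)) {
            System.out.printf("  %-20s cvss=%.1f  in %s%n", f.artifact(), f.cvss(), f.component());
        }

        System.out.println("Risk-based order (impact x likelihood x exposure):");
        for (ScoredFinding s : rankByRisk(findings)) {
            System.out.printf("  %-20s risk=%.2f  in %s%n",
                    s.finding().artifact(), s.risk(), s.finding().component());
        }
    }
}
```

With the constructed data, the CVSS-only ranking puts the internal batch job's library (9.8) first, while the risk-based ranking puts the internet-facing, exploit-known parser in the critical API first (risk 1.00) and the batch job's library last (risk 0.06). The weights are deliberately simple; in practice they come from the organization's threat model and asset inventory, and the point is that deployment context, not the scanner's severity alone, decides what gets fixed first.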