You Cannot Secure What You Don’t Understand
Posted on November 20th, 2008 at 6:00 am

Application leaders continually bring up security as an ever-increasing concern. Unfortunately, most people don’t understand application security, confusing it with firewalls, intrusion detection systems, virtual private networks, SSL, and other infrastructure security technologies.

As Joseph Feiman so aptly puts it in his Application Security in the SOA World session, whilst these technologies are useful, they are “not sufficient for application protection.” He also points out that security is not a synonym for quality, and that reusable components could be a source of reusable vulnerabilities. However, my favorite point that Joseph makes is that “you cannot secure what you don’t understand”. To really get application security right, you need to dive into the actual application, its process flows and its related data constructs. Joseph is also conducting an analyst user roundtable on Secure Application Development – What Works and What Doesn’t.

Filed Under: SOA