
I just started to work on my thesis to finish my studies. However, the field in which I write my thesis is pretty much new to me. I have the task to build a "Remote-Access Strategy/Architecture" to create a secure end-to-end connection.

One endpoint of the connection is BI (meaning: numbers, web and database servers, LDAP).

The other end is supposed to be a smartphone (iOS or Android).


I started my research with a lot of reading regarding security standards like ISO 27k, BSI Grundschutz and so on. I can't lose the feeling that those security standards are a bit too broad for the start of my research.

Those standards provide a great start into commercial security, but they also cover security in the form of natural disasters.

I'm searching for some security papers which show the security architecture of websites or web services and show which technologies are in use (SSL, DMZ, firewalls, SSL termination).

My plan is to analyze those architectures and to learn from them.

Do you know any good books, studies or other security material which could give me a good start into this topic?

P.S. I know that web/web service security doesn't cover the loss of the device (which would probably be a big risk in a mobile environment).

theXs

1 Answer


It is a mistake to try to focus on one architecture that will work for everything. That just doesn't exist. The solution has to match the problem and the requirements of a particular application. So, my advice is: don't waste your time looking for a one-size-fits-all "architecture"; instead, look at some specific application's needs and seek a solution that will work well for that application.

If you want an end-to-end secure communication channel, use TLS. No fancy security architecture is needed. If that is not what you are looking for, you will probably need to edit your question to identify your requirements more clearly.

If your goal is to better understand some ways to secure web applications, then what you want is not "an architecture", but just a survey of work in this area. In that case, you should also spend some time reading OWASP's materials. You should also check out the resources linked to in Beginners materials for web security. Another tip: use the "search" bar in the upper-right of this site, and you can find a lot more information about web security.

I would not start by reading standards documents. They're probably not the best resource to start learning about this area.

P.S. I might be overly sensitive, but I have to admit I get skeptical if people get too focused on "architecture" rather than focusing on solving the problem. So, just a small suggestion: you might want to start by identifying what is the problem you want to solve. That will help you make sure you are focusing on a real problem. Then, you can ask yourself questions like: what are the security requirements? what are the resources that must be protected? what's the threat model? what are some available controls or mitigations that help address those threats?

D.W.
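The answer's point that "use TLS" is the whole channel story only holds if the client actually verifies the server. As an added example (this is not code from the question or the answer, and uses only the Python standard library), the block below puts the weak client configuration that many mobile-to-backend clients ship with beside the corrected one, audits both with the same checker, and shows an optional certificate-pinning check for the case where the BI backend uses an internal PKI. The sample DER bytes in the pinning helper are constructed; no network connection is opened unless connect_and_check() is called explicitly, and the hostname and pin values passed to it are the caller's own assumptions.

```python
"""TLS client configuration: the weak setting beside the corrected one.

Added example, not part of the original question or answer. Standard
library only; runs offline unless connect_and_check() is called.
"""
import hashlib
import hmac
import socket
import ssl


def insecure_context():
    """Anti-pattern seen in many mobile/BI clients: TLS is 'on', but the
    server certificate is never verified, so any man-in-the-middle can
    terminate the connection. No protocol-version floor is set either."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """End-to-end channel as the answer recommends: chain and hostname are
    verified against a trust store and TLS 1.2 is the floor. `cafile` is
    optional; pass a private CA bundle if the backend uses an internal PKI."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess_context(ctx):
    """Return the list of weaknesses in a client context (empty means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLSv1_2)")
    return findings


def sha256_hex(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_hex):
    """Certificate pinning: constant-time comparison of fingerprints."""
    return hmac.compare_digest(sha256_hex(der_cert), expected_hex.lower())


def connect_and_check(host, port=443, pin_hex=None, timeout=5.0):
    """Open a verified TLS connection and report what was negotiated.
    Raises ssl.SSLError / ssl.SSLCertVerificationError if verification fails,
    and ValueError if a pin is supplied and the served certificate differs."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pin_hex is not None and not pin_matches(der, pin_hex):
                raise ValueError("certificate pin mismatch for %s" % host)
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "fingerprint_sha256": sha256_hex(der),
            }


if __name__ == "__main__":
    print("insecure:", assess_context(insecure_context()))   # three findings
    print("hardened:", assess_context(hardened_context()))   # []
```

Running the module prints the three findings for the insecure context and an empty list for the hardened one; the same assess_context() can be pointed at any SSLContext a client library hands you. Pinning is a deliberate trade-off: it defeats a compromised or coerced CA, but every certificate rotation on the backend then requires an app update, so pin the public key or keep a backup pin in practice.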