Mark Wilson: I am the creator of TopXML. I am available for international and local (Australia) contracts. I am a Solution Architect/Business Analyst. I have worked in IT in several countries (NZ, Australia, South Africa, UK) building and training teams for government and very large non-governmental organizations. I am ex-Microsoft Consulting Services. I wrote the first book on Microsoft XML published in 2000 called XML Programming with VB and ASP. Most recently I have been building tools for the SEO industry. Ask me for a 37 point SEO health-checkup for your website.

Security of applications and computer systems is an issue that,
quite rightly, many IT professionals are concerned about. As
corporations have utilized technologies, such as remote access,
Java and component technologies, and infrastructural advances like
the Internet, to facilitate new ways of working, new ways of doing
business with clients, partners and suppliers, and even to create
entirely new products, services and business models, the need for
mechanisms to secure applications, networks and systems has become
more and more important.

WAP is another technology that extends the reach of
communication networks, provides new opportunities for innovative
corporations, and adds to the complexity of the environment within
which applications need to be designed, built and deployed. There
is a set of concerns over how secure WAP is as a technology, and
whether it is robust enough to implement mobile commerce
applications, and other applications with stringent security
requirements.

Before beginning this investigation of WAP security, it is worth
noting that there is no such thing as a secure system. The phrase
'secure system' means one that cannot be compromised or accessed
without authorization. Considering that hackers who set out to
compromise or penetrate systems are resourceful and always target
unexpected aspects of the systems, it would be a brave fool who
declared a system to be immune to attack. What can be said is that
a particular system meets certain predefined security criteria in
that it can withstand attacks of a known type, and is therefore
considered secure enough for its intended purpose.

If your interest in this paper is to come out with a definitive
statement as to whether WAP is 'secure' or not, you will be
disappointed. It is only feasible to make the assertion that WAP is
or is not 'secure enough' for a particular application when you
understand the security requirements of that application, the
environment in which that application is to be deployed, the
likelihood that the application will be subject to attempts to
compromise its security, and the nature of the attempts that are
likely to be made. Even then the statement is only valid until
something changes in the environment, or someone discovers a new
security exposure in the network, the environment, the technologies
used or the platform on which the application is deployed.

This paper investigates the facilities and technologies that WAP
has to offer for building and deploying secure applications. The
presentation itself draws on the WAP Security chapter of the Wrox
book "Professional WAP", and is intended to pick out some of the
highlights from the book. The presentation, and this paper, do not
necessarily provide a full treatment of the subject, or explain all
of the concepts in detail; for that information you will need to
read the book.