# What is Security & Compliance?

**Security & Compliance** refers to the principles, processes, and controls used to **protect systems, applications, and data**, while ensuring they operate in accordance with **organizational policies, legal requirements, and industry standards**.

In the context of web and enterprise applications, security is fundamentally about **protecting assets**, such as:

* Web applications
* Business processes
* Customer data stored in databases
* System configurations and credentials

As systems grow more interconnected, security becomes a **risk‑management discipline**, where potential threats are identified, evaluated, and mitigated using appropriate countermeasures.

Compliance complements security by ensuring that these controls align with **regulatory, contractual, and organizational obligations**.

***

### Foundations of Security

Security is built on several core concepts that collectively protect systems and data. These concepts are fundamental across all security architectures.

***

#### Authentication — *“Who are you?”*

Authentication is the process of **verifying the identity** of a client interacting with an application.

Authenticated identities (also called *principals*) may include:

* End users
* Services and APIs
* System processes
* Machines or applications

Authentication typically uses credentials such as usernames/passwords, tokens, certificates, or other identity mechanisms.

***

#### Authorization — *“What can you do?”*

Authorization determines **which resources and operations** an authenticated identity is allowed to access.

Examples of protected resources:

* Files and directories
* Databases, tables, or records
* APIs and services
* Application configuration

Authorization rules define access for operations such as:

* Create, Read, Update, Delete (CRUD)
* Execute actions or workflows

***

#### Auditing & Logging

Auditing records **who performed which actions and when**.\
It is essential for:

* Accountability
* Incident investigation
* Regulatory compliance
* Non‑repudiation (preventing denial of actions)

Effective logging provides forensic evidence when analyzing security incidents.
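The three questions above (who are you, what may you do, who did what and when) are easiest to see as one request pipeline in which each step records its outcome. The following is an added Python example, not code from this page or from the OneWeb platform; the token table, the principal kinds, the role names, the permission matrix and the in-memory audit sink are all constructed for illustration, and a real deployment would back them with a token store and an append-only log.

```python
import hmac
from datetime import datetime, timezone

# Constructed sample data: opaque bearer tokens already issued to principals.
# Both a human user and a service are principals, as the list above notes.
TOKENS = {
    "tok_user_alice": {"principal": "alice", "kind": "user", "roles": ["reader"]},
    "tok_svc_billing": {"principal": "billing-service", "kind": "service",
                        "roles": ["reader", "writer"]},
}

# Authorization rules: (resource type, operation) -> roles that may perform it.
# Anything not listed is denied by default.
PERMISSIONS = {
    ("orders", "read"): {"reader", "writer"},
    ("orders", "create"): {"writer"},
    ("orders", "update"): {"writer"},
    ("orders", "delete"): {"admin"},
}

AUDIT_LOG = []  # in-memory sink for the example; ship this to durable storage in practice


def authenticate(token):
    """Who are you? Resolve a bearer token to a principal record, or None."""
    if not isinstance(token, str):
        return None
    # Constant-time comparison so response timing does not reveal how much
    # of a guessed token matched.
    for stored, principal in TOKENS.items():
        if hmac.compare_digest(token.encode(), stored.encode()):
            return principal
    return None


def authorize(principal, resource, operation):
    """What can you do? True only if one of the principal's roles grants the operation."""
    allowed_roles = PERMISSIONS.get((resource, operation), set())
    return bool(allowed_roles & set(principal["roles"]))


def audit(principal_name, resource, operation, outcome):
    """Who did what, when, and with what result: the non-repudiation record."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": principal_name,
        "resource": resource,
        "operation": operation,
        "outcome": outcome,
    }
    AUDIT_LOG.append(entry)
    return entry


def handle_request(token, resource, operation):
    """Authenticate, then authorize, then audit; returns an HTTP-style status."""
    principal = authenticate(token)
    if principal is None:
        audit("<unauthenticated>", resource, operation, "denied:authn")
        return 401
    if not authorize(principal, resource, operation):
        audit(principal["principal"], resource, operation, "denied:authz")
        return 403
    audit(principal["principal"], resource, operation, "allowed")
    return 200


if __name__ == "__main__":
    for call in [("tok_user_alice", "orders", "read"),
                 ("tok_user_alice", "orders", "create"),
                 ("tok_svc_billing", "orders", "create"),
                 ("not-a-real-token", "orders", "read")]:
        print(call, "->", handle_request(*call))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that denied requests are audited too, and that a failed authentication is logged under a placeholder principal rather than under whatever name the client claimed: the audit trail should record what the system verified, not what it was told.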

***

#### Confidentiality

Confidentiality ensures that **data remains private** and is accessible only to authorized entities.

Common confidentiality mechanisms include:

* Encryption (for data in transit and at rest)
* Access control lists (ACLs)
* Secure communication protocols (HTTPS/TLS)

***

#### Integrity

Integrity guarantees that data:

* Is not altered accidentally
* Is not modified maliciously

For data in transit, integrity is commonly enforced through:

* Hashing
* Message Authentication Codes (MACs)
* Digital signatures
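Hashing and MACs map onto the two bullets above in a way worth seeing concretely: an unkeyed hash detects accidental alteration, but only a keyed MAC detects deliberate modification, because anyone who can change the data can also recompute a plain hash over it. This is an added Python example using only the standard library, not code from the page; the shared key and the messages are constructed. Digital signatures give the same guarantee as the MAC case with a public/private key pair instead of a shared key, and are left out here because the standard library has no signature primitive.

```python
import hashlib
import hmac

# Constructed shared secret: provisioned out of band to sender and receiver.
SHARED_KEY = b"example-shared-key-rotate-me"


def protect_with_hash(message: bytes) -> bytes:
    """Unkeyed checksum: catches accidental corruption, not deliberate change."""
    return hashlib.sha256(message).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect_with_hash(message), tag)


def protect_with_mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed MAC: only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison so verification time does not depend on
    # how many tag bytes happened to match.
    return hmac.compare_digest(protect_with_mac(message, key), tag)


def demo():
    """Compare both mechanisms against accidental and deliberate alteration."""
    original = b"transfer amount=100 to=acct-42"
    # Constructed deliberate modification of the message in transit.
    tampered = b"transfer amount=9000 to=acct-42"
    # Constructed accidental corruption: a single flipped bit.
    corrupted = bytearray(original)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Tags computed by the legitimate sender over the original message.
    hash_tag = protect_with_hash(original)
    mac_tag = protect_with_mac(original)

    return {
        # Both mechanisms notice a flipped bit.
        "hash_detects_corruption": not verify_hash(corrupted, hash_tag),
        "mac_detects_corruption": not verify_mac(corrupted, mac_tag),
        # A party that rewrites the message can recompute the unkeyed hash,
        # so the receiver's hash check still passes: no integrity against tampering.
        "hash_detects_tampering": not verify_hash(tampered, protect_with_hash(tampered)),
        # Without the key no valid tag exists for the rewritten message.
        "mac_detects_tampering": not verify_mac(tampered, mac_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical reading of the result table: use a plain hash only where the hash itself travels over a trusted channel (for example a checksum published alongside a download on an authenticated page), and a MAC or signature wherever the data and its integrity tag travel together over a channel an adversary can modify.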

***

#### Availability

Availability ensures that **systems remain accessible** to authorized users when required.

Threats to availability include:

* Denial‑of‑Service (DoS) attacks
* Resource exhaustion
* Infrastructure failure

Security controls must therefore balance protection with system performance and resilience.

***

### How to Build a Secure Web Application

A secure application cannot be built effectively without **understanding its threats**.\
A key discipline recommended during the design phase is **Threat Modeling**.

#### Threat Modeling

Threat modeling involves:

* Analyzing application architecture
* Identifying attack surfaces
* Understanding how attackers might exploit weaknesses

The goal is to proactively **identify vulnerabilities** and address them during design rather than after deployment.

***

#### Secure‑by‑Design Approach

Security should be applied as a **multi‑layered strategy**, not as a single control.\
A secure application is achieved by applying security principles across three layers, the network, the host, and the application:

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FAWdXw9fX4hTEaFwk8kWg%2Fimage.png?alt=media&#x26;token=b8a46cf3-7938-4e9b-8afc-92aeb32f7851" alt=""><figcaption></figcaption></figure>

***

### Securing the Network Layer

The **network layer** is the first line of defense.

Network security responsibilities include:

* Filtering traffic
* Blocking unnecessary ports and protocols
* Protecting administrative interfaces

#### Network Component Categories

| Component | Role                                                    |
| --------- | ------------------------------------------------------- |
| Router    | Filters and directs traffic; blocks many TCP/IP threats |
| Firewall  | Restricts ports, protocols, and malicious traffic       |
| Switch    | Segments the network to limit attack spread             |

Security threats known at the network layer should be mitigated **at that layer**, not deferred to the application.

***

### Securing the Host Layer

The **host layer** includes:

* Web servers
* Application servers
* Database servers

Host security focuses on secure configuration and reducing attack surface.

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FsJ9winqH2XmIz1EE5j29%2Fimage.png?alt=media&#x26;token=27f0b4fc-4c46-4f15-a0da-c23c923aa139" alt=""><figcaption></figcaption></figure>

#### Host Configuration Categories

| Category            | Description                               |
| ------------------- | ----------------------------------------- |
| Patches & Updates   | Fix known vulnerabilities                 |
| Services            | Disable unnecessary services              |
| Protocols           | Remove unused network protocols           |
| Accounts            | Restrict and secure user/service accounts |
| Files & Directories | Enforce restricted permissions            |
| Shares              | Remove or secure file shares              |
| Ports               | Audit and limit open ports                |
| Auditing & Logging  | Detect and investigate intrusions         |
| Registry            | Protect system configuration              |

***

### Securing the Application Layer

Many attacks target applications directly via HTTP.\
Therefore, application‑level security is critical.

#### Application Vulnerability Categories

| Category                 | Description                        |
| ------------------------ | ---------------------------------- |
| Input Validation         | Prevent dangerous input            |
| Authentication           | Verify user identity               |
| Authorization            | Enforce access control             |
| Configuration Management | Secure operational settings        |
| Sensitive Data           | Protect critical information       |
| Session Management       | Secure user sessions               |
| Cryptography             | Ensure confidentiality & integrity |
| Parameter Manipulation   | Protect request parameters         |
| Exception Management     | Avoid leaking sensitive details    |
| Auditing & Logging       | Record security‑relevant events    |
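Three rows of the table (Input Validation, Parameter Manipulation, Exception Management) tend to meet in the same few lines of a request handler, so the following added Python example shows them together. It is not code from the page or the platform: the order store, the user names, the id format and the response shapes are constructed assumptions, and the handler is framework-independent so it can be read as the body of any HTTP endpoint.

```python
import logging
import re
import uuid

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("orders")

# Constructed data store: order id -> owning user and total.
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 17.5},
}

# Input validation: allow-list the exact shape (positive integer, bounded length)
# instead of trying to enumerate bad inputs.
ORDER_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


class ClientError(Exception):
    """An error safe to show the client, with an HTTP status."""

    def __init__(self, status, public_message):
        super().__init__(public_message)
        self.status = status
        self.public_message = public_message


def get_order(session_user, raw_order_id, store=ORDERS):
    """Validate the client-supplied id, then enforce ownership server-side."""
    if not isinstance(raw_order_id, str) or not ORDER_ID_RE.match(raw_order_id):
        raise ClientError(400, "invalid order id")
    order_id = int(raw_order_id)
    order = store.get(order_id)
    # Parameter manipulation: the id is client-controlled, so the ownership
    # decision is based only on the authenticated session. Returning the same
    # 404 for "does not exist" and "not yours" avoids confirming which ids exist.
    if order is None or order["owner"] != session_user:
        raise ClientError(404, "order not found")
    return {"id": order_id, "total": order["total"]}


def handle(session_user, params, store=ORDERS):
    """Exception management: full diagnostics to the log, generic text to the client.

    Returns (status, response_body) the way an HTTP framework adapter would.
    """
    try:
        return 200, get_order(session_user, params.get("order_id"), store)
    except ClientError as err:
        return err.status, {"error": err.public_message}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Stack trace and internals stay server-side, findable by the reference
        # the user can quote to support.
        log.exception("unhandled error ref=%s user=%s", ref, session_user)
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    print(handle("alice", {"order_id": "1001"}))   # own order: 200
    print(handle("alice", {"order_id": "1002"}))   # bob's order: 404, not 403
    print(handle("alice", {"order_id": "1001abc"}))  # fails validation: 400
    print(handle("alice", {"order_id": "1001"}, store=None))  # internal fault: 500
```

The `store=None` call stands in for any unexpected failure (a database outage, a bug): the client sees only `internal error` plus a reference id, while the log line carries the stack trace. That is the whole of the Exception Management row in practice: never let the framework's default error page, with its file paths and query text, reach the client.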

***

### Summary

Modern attacks often bypass network defenses and target applications directly using HTTP.\
Relying solely on firewalls or host security is **not sufficient**.

Effective **Security & Compliance** requires:

* A layered approach
* Secure network, host, and application design
* Secure coding practices
* Continuous auditing and monitoring

By applying proven security principles across all layers, applications can remain **secure, resilient, and compliant** throughout their lifecycle.

***

### References

1. Microsoft Patterns & Practices – *Web Application Security Fundamentals*, Network Component Categories\
   <https://msdn.microsoft.com/en-us/library/ff648636.aspx>
2. Microsoft Patterns & Practices – *Web Application Security Fundamentals*, Host Configuration Categories\
   <https://msdn.microsoft.com/en-us/library/ff648636.aspx>
3. Microsoft Patterns & Practices – *Web Application Security Fundamentals*, Application Vulnerability Categories\
   <https://msdn.microsoft.com/en-us/library/ff648636.aspx>
