Which of the following statements best describes the ideal role of an application owner with respect to defining application security?

A.
The application owner must become knowledgeable about security risks, threats,
classifications, and policies in order to define security requirements for his or her applications. The
more an owner learns about security, the more secure his or her applications will become.

B.
The application owner should hire a security expert to define security requirements for his or
her applications, based on current industry best practices. Actively implementing the latest trends
will best ensure a secure application environment.

C.
The application owner should recommend adherence to common established practices for
assessments, classifications, architecture, and policies that have been defined, and are actively
maintained, by security experts across the organization. Deviations may be necessary,
but application owners should strive to be consistent with best practices that have been adopted by
the organization.

D.
The application owner, whenever possible, should elect to deploy applications into a public
cloud computing environment. Doing so effectively delegates responsibility and accountability of
concerns to another company. The owner doesn’t need to be concerned with security as long as
the cloud provider has been certified.

Explanation:
Application ownership can have an effect on application security. Ownership, in this
sense, refers to the person, department, or organization that has authority over the
security protections and processes that are followed.
Owners have a role in expressing policy. They may choose to set strict policies and
follow best practices and reference architectures. Or, they may choose to be lax on
security and/or set their own standards. Ideally, an enterprise-class security
architecture and processes are developed by pooling industry best practices and ideas,
and all applications follow a common strategy without being compromised by
ownership issues.
Reference: Oracle Reference Architecture, Security, Release 3.1