p> In the world of open networks, where does flexibility end and security begin? For Java developers (and users), this question is especially relevant. According to a recent Forrester Research survey of Fortune 1000 companies, 62 percent of them already use Java and 42 percent expect that Java will play a major role in their future business activities. Security solution providers - tasked with helping those businesses define and fulfill their security needs - say that concerns about the openness of Java, especially "malicious" applets, is fast becoming their #1 security consideration. So, how secure is secure?

That depends on your definition. Currently, security needs fall into two broad areas: "should haves" and "must haves." "Must haves" are (1) organizations with a regulated or legislated responsibility to secure their information, such as government agencies, schools and medical facilities, and (2) businesses and organizations who recognize the adverse impact of a security compromise because they've already experienced it.

Most businesses operating in the cybersphere today qualify as "should haves." To varying degrees, these companies recognize the need for securing their networks, but they are conflicted by competing priorities. Securing their networks is something that they'll "get around to" after they've increased quarterly profits, reorganized the accounting system or hired more IT staff.

Regardless of your organization's function or need, the cornerstone of effective security is the design and implementation of strong security policy.

Step 1: Identification
Know your network - how it is configured, how it is used, by whom and for what purpose. This will tell you where your holes are, and the chances are high that they are there, even if you think they're not. Your goal should be a comprehensive blueprint of your network - a detailed description of the computing environments, support operations, end user support functions, monitoring systems and business management initiatives. This information is gathered through a site review that focuses on such critical issues as access controls, superuser privileges, password reviews, privacy reviews and virus detection, and should also include interviews with key individuals who are responsible for creating and enforcing the organization's security policy.

Step 2: Investment
Commit to realistic solutions. Once a determination has been made about where vulnerabilities exist - both internally and externally - a detailed assessment must be made of the costs and resources required to strengthen those weak areas. Weighing the pros and cons of all available alternatives will help you find the best solution for securing your network and, ultimately, your organization. Remember that security is more than just simply choosing a product.

Step 3: Implementation
The best-crafted plans can't protect you if all they do is sit on a shelf. In order for policies to be effective, education and training must accompany implementation to create "buy-in" and cooperation both up and down the organization tree. Every member of the organization - from the CEO to the administrative staff - should understand the implications that can result from failure to follow the established policy. Finally, a program of regular monitoring and evaluation will provide the necessary information and feedback to assess the overall effectiveness of your security program.

The Internet will be the vehicle for communications and commerce in the 21st century. Java's ability to deliver dynamic, interactive processing capabilities across the Internet, as well as its potential for on-line business-to-business communications, make it the language of choice on the Web. Therefore, it is important for Java developers to understand the security implications of Web commerce and communication from the perspective of the businesses and organizations who use it. With a better conception of how their products are employed and by whom, Java developers can play a significant role in ensuring security.