When addressing the topic of security in the IT world, the first thing to do is define what the term "security" means and how customers as well as colleagues interpret it. If we were to ask politicians, security basically comes down to surveillance. And, of course, monitoring servers and infrastructure is a vital component, yet getting an alarm shows only one thing—that an attack has happened (and most likely was successful). Any type of surveillance or monitoring, by its very nature, triggers the alert but has no means to actually protect against it or the flaw in the application that made it possible. By this definition, monitoring is only one of many elements in a holistic security concept.

If we ask administrative IT staff what security means for them, the answer most probably goes in the direction of user accounting and permissions. It also covers the requirement to disable and remove unneeded services—so-called "hardening"—as well as applying strict firewall rules. Again, these answers are correct. But as already identified with surveillance, a secure infrastructure is not enough. Of course, it is of vital importance that the application, once developed, is executed in an environment that is trusted and relied upon. But even the best web application can't be secure if the database it ...