One of the most interesting aspects of being an information security consultant is the exposure to an enormous variety of industries and organizations. From health care to governments, nonprofits to small private companies and more, the consultant must be versed in dozens of technologies, regulations, and business practices in order to be effective. Today, any security consultant worth his salt recognizes at least one common security weakness across the board: vendor-developed applications, often industry specific, are the Pandora’s Box of the information security program.

Commercial off-the-shelf (COTS) software companies have developed applications in every conceivable nook and cranny to digitize and automate processes, storing the lifeblood of the organization in a database and making it accessible through a GUI front end. Increasingly, these types of applications are web-based, migrating IT back to the thin application environment of the 1980s. Because these applications are the window to the very information that keeps organizations alive, it is essential that they be protected with every tool in the infosec arsenal. Unfortunately, the monotonous “features now, security later” adage still rules.

Consider a new application deployment at ACME Corporation, a medium-sized, industry-generic company computerizing a key business process for reporting and efficiency purposes. ACME might take the following approach to the project:

1) ACME management initiates the project and issues a request for proposals (RFP) to select a vendor.
2) After choosing the vendor and signing a contract, ACME assembles the internal implementation resources to work with the vendor. The team consists of a system administrator, a database administrator, a network administrator, a project manager, and a business representative.

3) The project team engages the vendor to gather first steps and schedule an implementation date. A checklist of installation steps may be provided. Most often, a vendor-supplied service professional will be on-site for the installation.
4) During an installation phase, test and production servers are configured, the application is installed and configured for ACME’s unique business needs, and data is scanned from paper into the application’s database.
5) The application is tested and accepted by the business representative.
6) End users are trained, and the application is promoted to production.
7) The maintenance and support phase begins.