Commercial off-the-shelf (COTS) software companies have developed applications in every conceivable nook and cranny to digitize and automate processes, storing the lifeblood of the organization in a database and making it accessible through a GUI front end. Increasingly, these types of applications are web-based, migrating IT back to the thin application environment of the 1980s. Because these applications are the window to the very information that keeps organizations alive, it is essential that they be protected with every tool in the infosec arsenal. Unfortunately, the monotonous “features now, security later” adage still rules.
Consider a new application deployment at ACME Corporation, a medium-sized, industry-generic company computerizing a key business process for reporting and efficiency purposes. ACME might take the following approach to the project:
1) ACME management initiates the project and issues a request for proposals (RFP) to select a vendor.
2) After choosing the vendor and signing a contract, ACME assembles the internal implementation resources to work with the vendor. The team consists of a system administrator, a database administrator, a network administrator, a project manager, and a business representative.
3) The project team engages the vendor to gather first steps and schedule an implementation date. A checklist of installation steps may be provided. Most often, a vendor-supplied service professional will be on-site for the installation.
4) During an installation phase, test and production servers are configured, the application is installed and configured for ACME’s unique business needs, and data is scanned from paper into the application’s database.
5) The application is tested and accepted by the business representative.
6) End users are trained, and the application is promoted to production.
7) The maintenance and support phase begins.