Secure Coding mailing list archives

Installation and setup of secure applications


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Tue, 20 Jan 2004 16:58:25 +0000

All the talk last week here and elsewhere about Personal Firewall Day got me 
thinking about one of my personal soap boxes -- application installation and 
setup.

After years of seeing countless examples of inadequately installed and 
configured applications, I became convinced that we don't pay enough 
attention to this phase of developing secure software, by and large anyway.  
Plus, I am fully aware that many people don't even agree that this is part of 
software development per se.

What I've seen includes applications installed such that their security is 
entirely internal to the application.  For example, access control in 
databases, account management, etc., that is handled exclusively by the 
application.  Most OSes and file systems have access control and/or event 
logging features that are never tapped by application developers and 
installers -- e.g., NTFS can do Access Control Lists (ACL) and can do 
read/write event logging down to individual files, folders, and even registry 
keys.  Yet, very few applications make use of these features.  Sure, there 
are exceptions that are more closely integrated into their host OS, but they 
seem to me to be few and far between.  More often than not, I hear things 
like "Oh, that's not my job as a developer." and "We have an operations team 
that takes care of that."

So, my questions here to SC-L are: 

How much involvement do you believe that software developers should have in 
installing and configuring their applications in their host environments?

Should applications be designed and implemented such that they make extensive 
use of their host OS security features?  Note that I'm not saying that they 
should _rely_ on it, but should the developers make more use of the 
capabilities available to them (sometimes at the cost of easy portability) as 
one of many layers of defense?  If so, how much is {enough|too much}?

Cheers,

Ken van Wyk
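
The NTFS features the message mentions (ACLs and per-object read/write event logging), applied as an install step. This is an added example, not part of the original post; the function name, directory path, and service account are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added illustration: an install-time step that puts the application's data
# directory under an explicit NTFS ACL and an audit (SACL) entry.
# Function name, path and account below are hypothetical placeholders.
function Protect-AppDataDirectory {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Start from an empty descriptor so nothing granted on the parent leaks in.
    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    $sd.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs

    # Least privilege: the service account may modify data, not change permissions.
    $grants = @{
        $ServiceAccount          = 'Modify'
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
    }
    foreach ($who in $grants.Keys) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, $grants[$who], $inherit, $noProp, 'Allow')
        $sd.AddAccessRule($ace)
    }

    # Audit entry: log successful and failed writes, deletes and permission
    # changes by any principal, for this folder and everything under it.
    $audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Write, Delete, ChangePermissions, TakeOwnership',
        $inherit, $noProp, 'Success, Failure')
    $sd.AddAuditRule($audit)

    Set-Acl -Path $Path -AclObject $sd

    # Return what is now on disk so the installer can log or verify it.
    Get-Acl -Path $Path -Audit
}

# Hypothetical values for illustration only.
Protect-AppDataDirectory -Path 'C:\ProgramData\ExampleApp' `
    -ServiceAccount 'NT SERVICE\ExampleAppSvc' | Format-List Access, Audit
```

The audit entry only produces Security log events when object-access auditing for the file system is enabled in the host's audit policy, so that setting belongs in the same installation checklist.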







