Re: Installation and setup of secure applications

[carolyn.ryll () philips com]

I believe here is where we actually start to see a distinction between 
*product* security and *application* security. For instance, if the 
developers are producing an application such that it will reside on the 
product (I.e., embedded) before it leaves the door to go to the customer, 
then full integration with the OS can be seen as acceptable because the 
application is one part of a whole - integrated into the device. In this 
case, developers' hands-on configuration, or at least help within the 
configuration stage, on the device should be seen as necessary. This is 
because they have full knowledge of what they produced in conjunction with 
the workings of the rest of the system.

In application security (versus product security), we are producing 
applications that will most likely reside on systems that are configured 
in any number of ways. That is, dependency on the OS will not produce 
dependable results. If we produce an application that will work on any 
version of Windows, we are still producing an application that will work 
on different operating systems (as not all Windows OS demonstrate the same 
security vulnerabilities each time). Hence, what we are producing in pure 
application security cannot really be seen as one part of a whole, but as 
a layer on top of the underlying functionality (as opposed to product 
security, where the application is intwined with the remainder of the 
system). It would also not be possible in many to most cases to have the 
developer take part of the configuration in this case, due to the mass 
number of consumers that may utilize the application.

Of course there may be arguments against this viewpoint, as exceptions to 
these scenarios always exist.

Kind regards,
Carolyn Ryll, CISSP
Product Security Specialist

*Opinions stated above are my own, and not that of any particular 
organization, unless so noted.