Secure Coding mailing list archives

Installation and setup of secure applications


From: "Jean-Francois Poirier" <jeff () horslimites org>
Date: Tue, 20 Jan 2004 19:25:11 +0000


How much involvement do you believe that software developers should have in
installing and configuring their applications in their host environments?

  I would say definitely enormous.  If developers are not actually
installing the software themselves (as is the case sometimes in smaller
custom development projects), they should at least be part of the
setup/installation design phase -- as much in the case of an
off-the-shelf installer package as in a broader, multi-component
installation.

Mainly because as the original authors, they can discuss with the
implementation/installation team the various issues that they suspect will
be encountered.

Being a software developer in no way excuses one from being aware of the
target environments and the conditions in which the application will run,
on the contrary.  I believe that any software developer who does claim
such a thing is simply being careless and not as interested as he should
be.

Although it might be more difficult to accomplish in very large-scale
projects, where getting all the developers involved in the deployment
planning would turn out to be a mess, I still believe at least some part
of the development group has to be involved in installation/deployment.


Should applications be designed and implemented such that they make extensive
use of their host OS security features?  Note that I'm not saying that they
should _rely_ on it, but should the developers make more use of the
capabilities available to them (sometimes at the cost of easy portability) as
one of many layers of defense?  If so, how much is {enough|too much}?

  I can see this becoming problematic for applications where the actual
user base is not tied to the OS/environment user base.  Tying user
authentication to operating system-level authentication could probably
induce a whole set of headaches at implementation time, should the
application's user base be unrelated to the operating system's user
base.

Take for example web site security as implemented by Internet Information
Server.  In order to lock down areas of a web site, locks are implemented
based on NTFS file-level permissions, which implies that for every such
user, a corresponding user must be created as part of the operating system
users.

This can lead, in a badly set up environment, to an actual security breach,
and more worries for the IT personnel overseeing the system than, say,
Apache's system, in which the username and password combinations that
restrict access to various sections of a website are stored encrypted in
designated protected files.

So I would state that application-level user authentication and network or
operating system authentication are often separate, and for a good reason;
if the user bases do not match, forcing them to match by tying the
application and the OS can become a security liability, not an
improvement.


jean-francois poirier
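
An added illustration of the separation the post argues for, not code from the post or from any Apache or IIS component: an application-level credential file in the spirit of Apache's htpasswd, holding user:hash lines for accounts that exist only in that file and never as operating-system users. The hash scheme (salted PBKDF2-HMAC-SHA256 with a `$pbkdf2-sha256$` prefix) is an assumption chosen for this example; Apache's own htpasswd tool uses different schemes. The sample accounts and passwords are constructed for the example.

```python
"""Application-level credential store decoupled from OS accounts (added example).

Accounts live only in a protected file of 'user:hash' lines, modeled on the
layout of an Apache htpasswd file. The hash format here is an assumption for
this example (salted PBKDF2-HMAC-SHA256), not Apache's own scheme.
"""
import base64
import hashlib
import hmac
import secrets
import stat
from typing import Dict, Optional

ITERATIONS = 200_000          # PBKDF2 work factor (assumed value for the example)
SCHEME = "pbkdf2-sha256"


def make_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return one 'user:$pbkdf2-sha256$<iter>$<salt>$<hash>' line."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s:$%s$%d$%s$%s" % (
        username, SCHEME, ITERATIONS,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse_store(text: str) -> Dict[str, str]:
    """Parse the file body into {username: hash-string}; '#' lines are comments."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def verify(store: Dict[str, str], username: str, password: str) -> bool:
    """Check a password against the application store; no OS account is consulted."""
    hashed = store.get(username)
    if hashed is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    try:
        _, scheme, iters, salt_b64, dk_b64 = hashed.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, TypeError):
        return False          # malformed entry is treated as a failed login
    return hmac.compare_digest(candidate, expected)


def mode_is_protected(mode: int) -> bool:
    """True if a POSIX permission mode grants nothing to group or others,
    the 'designated protected file' property the post relies on."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> Dict[str, bool]:
    # Constructed sample store: these two accounts exist only in this text,
    # not in /etc/passwd or the Windows SAM.
    text = "\n".join([
        "# constructed sample credential file",
        make_entry("alice", "correct horse", salt=b"A" * 16),
        make_entry("bob", "battery staple", salt=b"B" * 16),
    ])
    store = parse_store(text)
    return {
        "alice_ok": verify(store, "alice", "correct horse"),
        "alice_wrong_pw": verify(store, "alice", "battery staple"),
        "unknown_user": verify(store, "mallory", "correct horse"),
        "file_0600_protected": mode_is_protected(0o600),
        "file_0644_protected": mode_is_protected(0o644),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the store in the application's own file is the one the post makes: adding a web user never creates an interactive operating-system account, so a mistake in the web tier cannot hand out an OS login. The permission check is the flip side, since a credential file readable by every local user gives up that advantage.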