Enterprise-Wide Systems Development Security ◾ 111
© 2011 by Taylor & Francis Group, LLC
Users are also prone to opening or installing files sent to them via applications
like instant messenger systems or e-mail, which can lead to even further risks.
External applications fall into two major groups: commercial software and
shareware/freeware software. For this purpose, commercial software includes open-
source initiative software. Both commercial and open-source initiative software
have risks, but if the software is from a legitimate company, it usually has the
advantage of a manufacturer that is interested in security testing its software and
improving its security via updates or patches.
Shareware/freeware tends to be a complete unknown. Some shareware/freeware
is very well written, but some is not suitable for any kind of secure environment.
Security in this area is often somewhat light overall, because the risks are not
judged to be high enough to justify the cost of a tightly controlled environment
and of enforcing that control on every user.
Some of the important questions to ask about external software coexisting with
the project are as follows:
◾ What policies are in place governing what software users are allowed to
download and install, and how are those policies enforced?
◾ What policies are in place governing what commercial software users are
required to have installed, and how are those policies enforced?
◾ What policies are in place governing updating and patching commercial soft-
ware, and how are those policies enforced?
◾ What policies are in place governing whether users can exchange files with
external sources, and how are those policies enforced?
◾ What policies are in place governing scanning of systems and servers for
security risks and issues and reporting those issues to determine what action
should be taken?
◾ Do external applications have to pass any acceptance or approval process, and
who is responsible for running this process and what are its criteria?
◾ What logging is in place to record what software each system is running, and
what process is in place to audit those logs?
Internal Applications
Internal applications can be almost as much of a risk to security as external
applications. This is due, in part, to the still prevalent misconception that inter-
nal applications have little or no need to be secure because they are in use only within
the company.
Unfortunately, this is not at all the case. There are numerous cases of internal
abuse of systems and data when security is not adequate for the potential risks.
In the case of very high-risk applications or data with which your project will
directly interact or coexist, you may want to do some further investigation. Some
simple research may give you information on how security was addressed when the