To avoid a range of potential problems when implementing an application, it's a great idea to be proactive and evaluate the security of an application before it's purchased or written. A key aspect of this process is to talk to vendors at length about their products so that you can do a thorough evaluation of them and make solid recommendations to the potential application owners as to which product would be the best from a network configuration and security standpoint. The trick is knowing what information to get from the vendors and how to get it.
Software Evaluation Checklist
Many people who work in information security are involved in the process of choosing enterprise software solutions. When you are talking with software vendors or application developers, you might be unsure what questions you should be asking. Following is a list of questions that can help you evaluate the security of application architectures. Besides these general questions, ask specific questions related to your environment and security policy:
Sources of Application Information
It's often helpful to test a working demo copy of the product. Sometimes this is not possible due to the complexity of the application, but in some cases it's trivial. If possible, install a demo of the product and look at its behavior. Another option is to talk to other organizations running the software to find out what problems they have encountered involving security or application architecture. This can give you a different point of view and provide valuable information that you cannot find elsewhere.
When you are attempting to evaluate the security of a product that you don't have access to, you have to rely primarily on the vendor for information. Don't be afraid to ask detailed technical questions and demand specific answers, preferably in writing. Don't settle for a general assurance that an application will work in any environment, because this simply isn't true. Every environment is different, and vendors certainly can't be expected to create a product that is going to work in each one. In addition, look for other sources of information on the security of the product: reviews, security advisories, and the like.
How to Handle an Unsecurable Application
At times, an application's characteristics are such that you feel it cannot be deployed with sufficient security in your environment, or it clearly violates your organization's security policy. You have a few options at this point: replacing the application, modifying it, or deploying it with less than ideal security. In the latter case, you and the application owners will need to discuss the severity of the security issues and the risks of deploying the application.
If the application owners are considering replacing or changing the application, they need to consider the time and resources necessary to make that happen. Of course, they should also consider security more strongly during product selection or modification so that other security or network problems do not occur again.