At the beginning of this chapter, we proclaimed boldly that the security of an application is inextricably bound to the secure configuration and operation of the environment in which the application will reside. Yet, in discussions about developing secure software, these operations factors are rarely, if ever, considered. In fact, when we started writing this book, we also considered these issues to be outside its scope. As we progressed and our collaboration efforts continued, however, we became convinced that it was essential to include them. We had simply seen too many cases of companies making major mistakes in setting up their business-critical applications and suffering the consequences!
In this chapter, we showed that properly setting up an operational environment for a typical business application requires both a good amount of planning and solid attention to detail when executing those plans. It's likely that you undertook a similar level of effort in designing and implementing your application securely. Great! Now, don't neglect this last step in ensuring that your application as a whole can run as securely as it ought to. If your application is important enough to warrant the time and effort you've spent thus far, it ought to be important enough for you to ensure that it runs in an equivalently secure operational environment.
Why do so many companies make seemingly simple mistakes in deploying their applications securely? There are many factors. We don't doubt, for example, that almost all companies view application development and production data center operations as two completely separate disciplines. This separation makes it very difficult to coordinate the security attributes of an application across the two disciplines. The solution to this situation will vary from one organization to the next, and it will seldom be easy. We recommend beginning with a strong business-focused application team that oversees all aspects of any business application. That team's focus on security issues should span the entire lifecycle and must include the kinds of operations factors we outlined in this chapter.