Security mistakes in information system deployment projects

To secure information systems from malicious attacks have become an increasingly important task in most businesses today. A common way of approaching this problem is to think of securing systems as removing vulnerabilities in them. What defines a vulnerability is however multifaceted. Vulnerabilities are often seen as mistakes made during the development of the system and that have potentially both related exploits and patches. This type of vulnerabilities can for instance be found in databases such as the National Vulnerability Database (NVD) (NIST 2010). From a more conceptual perspective, a vulnerability could also have its root cause in mistakes performed later in the information system lifecycle. Systems may not be configured appropriately in relation to their usage and systems which lack all necessary security mechanisms may not be appropriately supported and protected by countermeasure mechanisms. Classical examples of such vulnerabilities are poorly configured firewall rules and usage of weak passwords. Of course, since the security area is (in-)famous for suffering from the weakest link syndrome, the consequences of any vulnerability could potentially be equally devastating.