Most IT professionals can be divided into two categories: supporting roles (IT) or programmers (IS). Let's take a moment to focus on their viewpoints and concerns:
IT Supporting Roles These individuals include help desk, user support, server administrators, and network administrators. Their scope of influence is purchasing, installing, and supporting off-the-shelf products. Therefore, the solutions they propose tend to follow a specific vendor's product line rather than consider other options. In the media business, most solutions are based on Apple computers because of their well-known advantages in the complex media production workflow. Microsoft users generally work in an office environment, where productivity is based on a simpler workflow of independent tasks: email, word processing, spreadsheets, and less-sophisticated presentations such as PowerPoint. Whether the users are on Apple or Microsoft Windows, we are usually referring to commercial off-the-shelf software.
The IT viewpoint of system security is limited to functions such as enabling or disabling settings, running system scanners (antivirus, port, or service analyzers), loading vendor patches, making data backups, and following physical security procedures. IT support tooling is primarily geared toward detecting attacks through "known" system vulnerabilities, that is, ones for which a signature or a patch already exists. A defense against attacks on middleware is rare. Middleware here means every program or driver sitting between the user interface and the user's data. IT staff very rarely change a complete series of default settings when installing programs, for fear of creating support headaches. IT people almost never run the custom installation, nor should the auditor expect IT operations to remove unneeded code or components from an open source software package. The highest security impact therefore rests on the programmers.
IS Programmers Programmers actually decide on the security architecture while designing and writing the software application. This applies to end-user applications as well as to operating systems. Building in-depth security can be a real pain for developers because the user may never even see it. For programmers, security is predicated on the services and protocols they choose to use, the port numbers they listen on, the add-in functions they obtain by embedding smaller third-party programs and libraries, and their own logic procedures. Advanced yet required security functions such as encrypted databases depend on complex key management, which often requires skills beyond those of the typical programmer.
Today a large share of breaches occur through exploiting design faults in software applications. A common hacker target is an embedded login ID and password stored in a script so that one program can authenticate to another; anyone who can read the script, or a backup or repository copy of it, obtains a working credential, and the password cannot be rotated without editing every copy. Attacks against program weaknesses not yet known to the vendor, for which no patch exists, are referred to as zero-day attacks; the patch loading and signature-based scanning that IT support relies on cannot detect them. An embedded credential is different in kind: it is a design fault that no vendor patch will fix, and the remedy lies with the programmer.
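The embedded-credential weakness just described, shown as an added example that is not code from the original text: a constructed glue script with the password in a string literal, the same script after the fix (the credential arrives through an environment variable populated by the scheduler or a secret manager), and a small scanner an auditor could run over a script tree to find the weakness. The host name, the environment-variable name REPORTSVC_DB_PASSWORD, the sample password and the function names are all assumptions made for the illustration.

```python
"""Credentials embedded in glue scripts: the weakness, the fix, and a scanner.

Added example, not code from the original text. Sample snippets, host and
variable names are constructed for illustration; nothing here is a real
credential."""
import os
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Identifier suffixes that usually carry a secret when assigned a string literal.
_SECRET_KEYS = r"(?:password|passwd|pwd|secret|api[_-]?key|token|client[_-]?secret)"
# Matches  key = "literal"  or  key: "literal"  (Python, shell-style, YAML/JSON-ish).
# A value such as os.environ[...] is not a quoted literal and is not matched.
_ASSIGN_RE = re.compile(
    rf'(?i)(?P<key>\w*{_SECRET_KEYS})\b\s*[=:]\s*["\'](?P<value>[^"\']+)["\']'
)
# Deploy-time placeholders such as "${DB_PASSWORD}", "{{ vault }}" or "<set me>".
_PLACEHOLDER_RE = re.compile(r"^\s*(\$\{?\w+\}?|\{\{.*\}\}|<[^>]+>)\s*$")


def find_hardcoded_secrets(text: str) -> List[Dict[str, object]]:
    """Return one finding per secret-like key assigned a string literal.
    The value is masked so the scanner's report is not a second copy of it."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _ASSIGN_RE.finditer(line):
            value = m.group("value")
            if _PLACEHOLDER_RE.match(value):
                continue  # template placeholder, resolved at deploy time
            masked = value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"
            findings.append({"line": lineno, "key": m.group("key"), "masked": masked})
    return findings


def scan_tree(root: str,
              extensions: Tuple[str, ...] = (".py", ".sh", ".ps1", ".ini", ".cfg",
                                            ".yml", ".yaml")) -> Iterator[tuple]:
    """Walk a directory of scripts and configs, yielding (path, finding)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file; report nothing rather than crash the audit
            for finding in find_hardcoded_secrets(text):
                yield path, finding


def load_credential(var_name: str, env: Optional[Dict[str, str]] = None) -> str:
    """The fix: take the secret from the process environment and fail closed.
    There is deliberately no built-in default to fall back to."""
    env = os.environ if env is None else env  # type: ignore[assignment]
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to start without a credential")
    return value


# Constructed sample of the weakness (hypothetical host and password).
VULNERABLE_SCRIPT = '''
import pymysql
conn = pymysql.connect(host="db.internal", user="reportsvc",
                       password="Summer2019!", database="sales")
'''

# Constructed sample after the fix: the literal is gone and the credential
# arrives via the hypothetical REPORTSVC_DB_PASSWORD variable at run time.
HARDENED_SCRIPT = '''
import os, pymysql
conn = pymysql.connect(host="db.internal", user="reportsvc",
                       password=os.environ["REPORTSVC_DB_PASSWORD"], database="sales")
'''

if __name__ == "__main__":
    import sys
    for label, text in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, find_hardcoded_secrets(text))
    if len(sys.argv) > 1:  # optional: scan a real directory given on the command line
        for path, finding in scan_tree(sys.argv[1]):
            print(f"{path}:{finding['line']}: {finding['key']} = {finding['masked']}")
```

Run with no arguments to see the vulnerable sample produce one masked finding and the hardened sample produce none; pass a directory to scan real scripts. The scanner is a triage aid, not proof of absence: it only recognises quoted literals next to secret-like names, so a credential built by concatenation or read from a world-readable config file next to the script will still need the auditor's eye.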