In this example, the hosting provider had informed the application developer that the provider would implement the Snort IDS; however, the provider had not done so by the time of the security reviewwhich was just before the go-live date. If it wasn't in place by then, there was a very good chance that it wouldn't have been in place when the application went live. The moral is that, while we'd like to believe what hosting providers tell us, "the proof is in the pudding," as my tenth-grade English teacher used to say. We need to push our providers on these points, ensuring that hosting providers deploy the security measures they promise.
Even if you have just a little time left before deployment, you can still take steps to improve security. This approach isn't idealsecurity should be built in from the beginningbut conducting a security assessment at any point offers some value. In this instance, the client was able to push the hosting provider to install an intrusion-detection system with specific rules meeting the client's needs, as another layer of defense against the identified vulnerabilities.
One final comment on security: To become accepted and integrated, cyber security cannot remain an obstacle to business operations. It needs to be a means of enabling the operations of a business. It's security's roleand the role of the security officerto find a way to allow operations to go forward, and even to streamline operations in a way that allows them to be safe.