I am of the opinion that it is a software company's responsibility to engineer applications in a way that accommodates organizations who follow best practices. The term "best practice" can of course be discrepant depending on what specifically is being argued as "best practice". However, something like allowing end-users administrative access to their machines is inarguably not a best practice. We have hundreds of software applications in our organization, and none of them have the requirement to first launch as an administrator, or product support teams who recommend making end-users administrators, or running batch scripts with hard-coded credentials as a way to rectify inefficient software design.

Sage’s software applications should be engineered in a way which does not unfairly penalize organizations who follow best practices. Delegating administrative privileges to end-users is not best practice as it poses a security risk.

Both of the solutions proposed by the Sage support representative represent large security vulnerabilities and deviate from best practice, but more importantly require unjustified engineering labor from our team.

I'm particularly concerned that this has been accepted by customers as a viable deployment practice. Completing a first launch as an administrator is the most concerning of several additional unjustified deployment methodologies.

None of these points have been met with a rebuttal by Sage, and I am consistently told "...this is just how it is", with no explanation or justification.

I'm open-minded to the idea of it being justified to delegate excessive engineering resources in our organization for application deployment, but I have been met with no logical justification for doing so.

Please challenge or affirm this idea.

Comments

  • I completely agree with this as well. Businesses that are trying to comply with PCI rules battle with this type of deployment methodology.