
Suppose I have a 'secure' environment - a few servers running operating systems hardened according to best practice, likewise for network devices, user accounts with minimal permissions and a good system for managing and monitoring them, firewalls with consistent and minimal rule sets etc.

Then I want to install a web application which has been code reviewed/pen-tested in a separate environment or context, and that doesn't have any glaring weaknesses like SQL or remote code injection, XSS etc. Perhaps the review happened in a third-party supplier's test environment, likely configured completely differently to the environment I want to install it on.

What information might I gain by security testing the application once installed, configured and working in my environment, assuming I haven't done anything daft like turn off the firewalls to get it to work?

I appreciate there may not be a definitive answer as it's the unknown unknowns we're worried about. However, this question seems to come up a lot in cases where security assurance is important to the business and I was wondering if anyone could provide examples where a pretty robust application installed on a pretty robust environment had a massive security hole because of unforeseen interactions between the two.

Baron Mingus
  • I'm unsure if I understand what question you are actually asking. What's the benefit of testing your installation of some software, if that software has been tested by someone else, somewhere else? – Jun 21 '19 at 09:30
  • @MechMK1 It's more about, if we're confident that the components of a system are secure, and they're put together by someone who has a reasonable understanding of security, how worried should we be that putting them together has introduced vulnerabilities? I'm coming at this from the angle of, is there a business case for testing the integrated system for vulnerabilities if we're happy that the components are vulnerability-free (in the sense that the only vulnerabilities they might have aren't commonly known)? – Baron Mingus Jun 21 '19 at 09:35

0 Answers