Why does Enterprise Server have a default security configuration?

Prior to release 10.0, the Visual COBOL and Enterprise Server products supported application security, but did not enable most security features by default. In particular, users were not required to authenticate to Enterprise Server components such as ESCWA, or to be authorized to use various product features.

A growing consensus in the information-technology industry sector is that software security should be enabled by default. It is increasingly proving to be dangerous to deploy software systems without adequate security mechanisms. Government regulators and industry standards bodies are imposing more security requirements for both developing and deploying software.

Security is a particularly pressing concern for a software system like ESCWA, which exists to enable creating and executing custom programs, often remotely. A compromised enterprise server instance can often be used to do anything permitted by the operating system. Enterprise Server also has many features, which means it has a large attack surface.

Some people might believe that as long as production systems are secured, it is less important to secure developer systems. Unfortunately, developer systems are a highly desirable target for attackers. Since developers are creating software that will be used either internally or by customers of the organization, an attacker might use a compromised developer system to spread malware within the company and/or to its customers. Developer systems have tools which are useful for advanced attacks, such as living off the land (in which the attacker installs no malware files, making detection more difficult) and creating backdoors in other systems for persistent access to organizational systems. Developers often work with elevated permissions, giving attackers more leverage, and have access to other prized targets such as CI/CD systems.

For all these reasons, Micro Focus has elected to enable a basic security configuration for Enterprise Server upon product installation, so it is secured as soon as it is installed. This security configuration can be removed or replaced, of course, but Micro Focus strongly recommends that you use the product security features in both development and production environments.