RE: Procedural Issues

["Dave Lewis" <dlewis () security-connect com>]

We chose AccuRev over VSS for productivity reasons which greatly
outweighed the cost. Support has been great and implementation went very
smooth.


Dave Lewis
IT Manager
Security Connections, Inc.
www.security-connect.com



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Tuesday, June 12, 2007 1:47 PM
To: Shahin Ansari; Kenton Smith; security-basics () securityfocus com
Subject: Re: Procedural Issues

Hi

Coming back to this issue which is about 4 months old, I am at the verge
of 
finalizing finer details of our SDLC lifecycle.
I am stuck at one point and seek your help. I am about to deploy Visual 
SourceSafe as my Version Control tool.

I need to define databases, folders and rights within VSS. What should
they 
typically be. There has to be a Configuration manager within VSS. Who
shuld 
this be?
Shahin, you wrote that there are static and dynamic versions of SoD!! 
Please elaborate a bit for my benefit.

Kenton, I don't have many guys on board but have just managed to higher
a 
QA function. Can QA shift the code after UAT to production environment? 
What are the risks associated with doing so?


At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:
> Role Based Access Control model addresses issues like this.  You may
want 
> to grant approval power to the Development team lead using a higher 
> previlage role, and not give him freedoms like deleting files, writing,
or 
> other previlage he/she normally enjoy.  This is called separation of 
> duties, and there is static and dynamic versions of it.  Hope it helps.
> Regards-
> Sean
>
> Kenton Smith <listsks () yahoo ca> wrote:
> Security is all about mitigating risk. You're right, there are
certainly 
> risks associated with someone from development accessing production 
> servers, however that is less risk than having all developers with
access 
> to production environments. Some risks that might come up would be 
> unauthorized changes to production, accidental deletion of files,
access 
> to confidential information.
> In our company, it is our QA manager along with the VP Development that

> have to sign off on the code before it moves from development to 
> production. We also have an integration group who are the people that 
> actually have acess to the production servers, so the QA manager
doesn't 
> actually deploy the changes to production. Our company obviously has a 
> bigger infrastructure and because of business reasons we do it this
way. 
> However you may find that the risks are so small relative to the 
> additional staff needed that it makes more sense to put the trust in
the 
> development team lead to work with the production servers.
> It's not a simple yes/no decision, it really comes down to what works
best 
> in your environment while incurring the least amount of risk.
>
> Kenton
>
> ----- Original Message ----
> From: WALI
> To: security-basics () securityfocus com
> Sent: Monday, January 8, 2007 10:50:28 AM
> Subject: Procedural Issues
>
> In a software development environment, what risks do we have if we
allowed
> software development team leader, access to Live production servers?
>
> Security demands that the two environments be segregated.
>
> If I segregate the two environments, who would shift the code from
> development to Live?
>
>
>
> -----------------------------------------------------------------------
----
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
> -----------------------------------------------------------------------
----
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> -----------------------------------------------------------------------
----
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
> -----------------------------------------------------------------------
----
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com