Security Basics mailing list archives
RE: Procedural Issues
From: "Dave Lewis" <dlewis () security-connect com>
Date: Tue, 12 Jun 2007 17:24:55 -0600
We chose AccuRev over VSS for productivity reasons which greatly outweighed the cost. Support has been great and implementation went very smooth. Dave Lewis IT Manager Security Connections, Inc. www.security-connect.com -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI Sent: Tuesday, June 12, 2007 1:47 PM To: Shahin Ansari; Kenton Smith; security-basics () securityfocus com Subject: Re: Procedural Issues Hi Coming back to this issue which is about 4 months old, I am at the verge of finalizing finer details of our SDLC lifecycle. I am stuck at one point and seek your help. I am about to deploy Visual SourceSafe as my Version Control tool. I need to define databases, folders and rights within VSS. What should they typically be. There has to be a Configuration manager within VSS. Who shuld this be? Shahin, you wrote that there are static and dynamic versions of SoD!! Please elaborate a bit for my benefit. Kenton, I don't have many guys on board but have just managed to higher a QA function. Can QA shift the code after UAT to production environment? What are the risks associated with doing so? At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:
Role Based Access Control model addresses issues like this. You may
want
to grant approval power to the Development team lead using a higher previlage role, and not give him freedoms like deleting files, writing,
or
other previlage he/she normally enjoy. This is called separation of duties, and there is static and dynamic versions of it. Hope it helps. Regards- Sean Kenton Smith <listsks () yahoo ca> wrote: Security is all about mitigating risk. You're right, there are
certainly
risks associated with someone from development accessing production servers, however that is less risk than having all developers with
access
to production environments. Some risks that might come up would be unauthorized changes to production, accidental deletion of files,
access
to confidential information. In our company, it is our QA manager along with the VP Development that
have to sign off on the code before it moves from development to production. We also have an integration group who are the people that actually have acess to the production servers, so the QA manager
doesn't
actually deploy the changes to production. Our company obviously has a bigger infrastructure and because of business reasons we do it this
way.
However you may find that the risks are so small relative to the additional staff needed that it makes more sense to put the trust in
the
development team lead to work with the production servers. It's not a simple yes/no decision, it really comes down to what works
best
in your environment while incurring the least amount of risk. Kenton ----- Original Message ---- From: WALI To: security-basics () securityfocus com Sent: Monday, January 8, 2007 10:50:28 AM Subject: Procedural Issues In a software development environment, what risks do we have if we
allowed
software development team leader, access to Live production servers? Security demands that the two environments be segregated. If I segregate the two environments, who would shift the code from development to Live? -----------------------------------------------------------------------
----
This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
-----------------------------------------------------------------------
----
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -----------------------------------------------------------------------
----
This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
-----------------------------------------------------------------------
----
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- Re: Procedural Issues WALI (Jun 12)
- RE: Procedural Issues Dave Lewis (Jun 13)
- Re: Procedural Issues security.xentek (Jun 13)
- <Possible follow-ups>
- Re: Procedural Issues Kurt Buff (Jun 13)
- Message not available
- Message not available
- Message not available
- Re: Procedural Issues WALI (Jun 15)
- Message not available
- RE: Procedural Issues Dave Lewis (Jun 13)