Security Basics mailing list archives
Re: Procedural Issues
From: "security.xentek" <eric () xentek net>
Date: Wed, 13 Jun 2007 18:27:43 -0400
Only have your production team move the code - QA and Developers are poor choices for this, imho.
Also, I would not go with VSS. I prefer Subversion, but VSS has very poor performance, especially over VPN type connections. Since it is basically an 'intranet' type of application, you have to be on the same network as it to get to its repository databases. It has a proprietary database that I've found is prone to crashing. Its permissions are basically Read or Read/Write, as far as its users are concerned. But you also need to think about the location of the repository DBs, as your Windows Domain accounts will need to have the same access set up on that end. It has an admin interface, but basically all it is is a single password that protects each repository, and that password basically just lets you add/edit/remove Users for that repository.
Subversion can be configured with much more granular control, including over individual files and directories, can be configured to talk over HTTPS (which keeps you from having to do VPN, etc. to get to it), can have web interfaces built on top of it, has better logging than VSS, and is FAST even when checking in and out multi-megabytes of data. It has a great Windows client (TortoiseSVN.net), good documentation, and is a great free choice (runs under Windows or Linux) that should suit most needs in a Version Control System. Check it out here: http://subversion.tigris.org/
eric m.
http://xentek.net

"Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure or nothing." - Helen Keller
On Jun 12, 2007, at 7:24 PM, Dave Lewis wrote:

We chose AccuRev over VSS for productivity reasons which greatly outweighed the cost. Support has been great and implementation went very smooth.

Dave Lewis
IT Manager
Security Connections, Inc.
www.security-connect.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Tuesday, June 12, 2007 1:47 PM
To: Shahin Ansari; Kenton Smith; security-basics () securityfocus com
Subject: Re: Procedural Issues

Hi,

Coming back to this issue which is about 4 months old, I am at the verge of finalizing finer details of our SDLC lifecycle. I am stuck at one point and seek your help. I am about to deploy Visual SourceSafe as my Version Control tool. I need to define databases, folders and rights within VSS. What should they typically be? There has to be a Configuration Manager within VSS. Who should this be?

Shahin, you wrote that there are static and dynamic versions of SoD! Please elaborate a bit for my benefit.

Kenton, I don't have many guys on board but have just managed to hire a QA function. Can QA shift the code after UAT to the production environment? What are the risks associated with doing so?

At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:

Role Based Access Control model addresses issues like this. You may want to grant approval power to the Development team lead using a higher privilege role, and not give him freedoms like deleting files, writing, or other privileges he/she normally enjoys. This is called separation of duties, and there are static and dynamic versions of it. Hope it helps.

Regards,
Sean

Kenton Smith <listsks () yahoo ca> wrote:

Security is all about mitigating risk. You're right, there are certainly risks associated with someone from development accessing production servers; however, that is less risk than having all developers with access to production environments. Some risks that might come up would be unauthorized changes to production, accidental deletion of files, access to confidential information.

In our company, it is our QA manager along with the VP Development that have to sign off on the code before it moves from development to production. We also have an integration group who are the people that actually have access to the production servers, so the QA manager doesn't actually deploy the changes to production. Our company obviously has a bigger infrastructure and because of business reasons we do it this way. However you may find that the risks are so small relative to the additional staff needed that it makes more sense to put the trust in the development team lead to work with the production servers.

It's not a simple yes/no decision, it really comes down to what works best in your environment while incurring the least amount of risk.

Kenton

----- Original Message ----
From: WALI
To: security-basics () securityfocus com
Sent: Monday, January 8, 2007 10:50:28 AM
Subject: Procedural Issues

In a software development environment, what risks do we have if we allowed the software development team leader access to Live production servers? Security demands that the two environments be segregated. If I segregate the two environments, who would shift the code from development to Live?
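Eric's point that Subversion gives path-level control over individual files and directories, and the thread's earlier discussion of separation of duties, can be tied together in a Subversion authz file. The following is an added example, not part of any message in the thread: the repository name `sdlc`, the user names, the group membership and the trunk/branches/tags layout are all assumed for illustration. It encodes the arrangement several posters describe, where developers write code, QA only reads what it tests, and only the production team can produce the deployable artefact.

```ini
# Subversion path-based authorization file (assumed file name: svn-authz).
# Loaded by mod_dav_svn through the AuthzSVNAccessFile directive, or by
# svnserve through the authz-db setting in svnserve.conf.
# Repository name "sdlc", user names and branch layout are constructed
# for this example.

[groups]
developers = alice, bob
qa = carol
production = dave

# Default for every path in every repository: no access at all unless a
# more specific rule below grants it. A blank right means "nothing".
[/]
* =

# Developers work on trunk; QA and the production team may only read it.
[sdlc:/trunk]
@developers = rw
@qa = r
@production = r

# Release branches are cut by developers and tested by QA (read only).
[sdlc:/branches/release]
@developers = rw
@qa = r
@production = r

# Tags are what gets deployed: only the production team may create them,
# so the people who wrote the code cannot also decide what ships.
[sdlc:/tags]
@developers = r
@qa = r
@production = rw

# A single sensitive file can be carved out of an otherwise writable tree:
# developers keep rw on /trunk but lose all access to this one file.
[sdlc:/trunk/config/production.properties]
@developers =
@production = rw
```

Subversion applies the most specific matching path section, so the `/tags` rules override the write access developers hold on `/trunk`, and the last section removes their access to one file without touching the rest of the tree. To serve this over HTTPS as Eric suggests, reference the file with `AuthzSVNAccessFile` inside the Apache `<Location>` block that exposes the repository and require SSL on that location; with `svnserve` the equivalent hook is `authz-db` in `svnserve.conf`. Whichever transport is used, the authz file is the place to review when auditing who can move code between the stages of the SDLC.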
Current thread:
- Re: Procedural Issues WALI (Jun 12)
- RE: Procedural Issues Dave Lewis (Jun 13)
- Re: Procedural Issues security.xentek (Jun 13)
- <Possible follow-ups>
- Re: Procedural Issues Kurt Buff (Jun 13)
- Message not available
- Message not available
- Message not available
- Re: Procedural Issues WALI (Jun 15)
- Message not available
- RE: Procedural Issues Dave Lewis (Jun 13)