Security Basics mailing list archives
Re: Procedural Issues
From: WALI <hkhasgiwale () gmail com>
Date: Tue, 12 Jun 2007 23:46:48 +0400
HiComing back to this issue which is about 4 months old, I am at the verge of finalizing finer details of our SDLC lifecycle. I am stuck at one point and seek your help. I am about to deploy Visual SourceSafe as my Version Control tool.
I need to define databases, folders and rights within VSS. What should they typically be. There has to be a Configuration manager within VSS. Who shuld this be? Shahin, you wrote that there are static and dynamic versions of SoD!! Please elaborate a bit for my benefit.
Kenton, I don't have many guys on board but have just managed to higher a QA function. Can QA shift the code after UAT to production environment? What are the risks associated with doing so?
At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:
Role Based Access Control model addresses issues like this. You may want to grant approval power to the Development team lead using a higher previlage role, and not give him freedoms like deleting files, writing, or other previlage he/she normally enjoy. This is called separation of duties, and there is static and dynamic versions of it. Hope it helps.Regards- Sean Kenton Smith <listsks () yahoo ca> wrote:Security is all about mitigating risk. You're right, there are certainly risks associated with someone from development accessing production servers, however that is less risk than having all developers with access to production environments. Some risks that might come up would be unauthorized changes to production, accidental deletion of files, access to confidential information. In our company, it is our QA manager along with the VP Development that have to sign off on the code before it moves from development to production. We also have an integration group who are the people that actually have acess to the production servers, so the QA manager doesn't actually deploy the changes to production. Our company obviously has a bigger infrastructure and because of business reasons we do it this way. However you may find that the risks are so small relative to the additional staff needed that it makes more sense to put the trust in the development team lead to work with the production servers. It's not a simple yes/no decision, it really comes down to what works best in your environment while incurring the least amount of risk.Kenton ----- Original Message ---- From: WALI To: security-basics () securityfocus com Sent: Monday, January 8, 2007 10:50:28 AM Subject: Procedural Issues In a software development environment, what risks do we have if we allowed software development team leader, access to Live production servers? Security demands that the two environments be segregated. If I segregate the two environments, who would shift the code from development to Live? --------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect --------------------------------------------------------------------------- __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com --------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect --------------------------------------------------------------------------- __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- Re: Procedural Issues WALI (Jun 12)
- RE: Procedural Issues Dave Lewis (Jun 13)
- Re: Procedural Issues security.xentek (Jun 13)
- <Possible follow-ups>
- Re: Procedural Issues Kurt Buff (Jun 13)
- Message not available
- Message not available
- Message not available
- Re: Procedural Issues WALI (Jun 15)
- Message not available
- RE: Procedural Issues Dave Lewis (Jun 13)