Security Basics mailing list archives

Re: Procedural Issues


From: Kenton Smith <listsks () yahoo ca>
Date: Tue, 9 Jan 2007 09:23:56 -0800 (PST)

Security is all about mitigating risk. You're right, there are certainly risks associated with someone from development 
accessing production servers, however that is less risk than having all developers with access to production 
environments. Some risks that might come up would be unauthorized changes to production, accidental deletion of files, 
access to confidential information.
In our company, it is our QA manager along with the VP Development that have to sign off on the code before it moves 
from development to production. We also have an integration group who are the people that actually have access to the 
production servers, so the QA manager doesn't actually deploy the changes to production. Our company obviously has a 
bigger infrastructure and because of business reasons we do it this way. However you may find that the risks are so 
small relative to the additional staff needed that it makes more sense to put the trust in the development team lead to 
work with the production servers.
It's not a simple yes/no decision, it really comes down to what works best in your environment while incurring the 
least amount of risk.

Kenton

----- Original Message ----
From: WALI <hkhasgiwale () gmail com>
To: security-basics () securityfocus com
Sent: Monday, January 8, 2007 10:50:28 AM
Subject: Procedural Issues

In a software development environment, what risks do we have if we allowed 
software development team leader, access to Live production servers?

Security demands that the two environments be segregated.

If I segregate the two environments, who would shift the code from 
development to Live?


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------




