RE: Product Development and security in the enterprise

["Richard Rees" <richard.rees () ins com>]

In most of the software development environments I have seen that focus on
security, there are larger issues at play than the patching of the QA
servers.

First of all, there is ownership.  Who owns your QA boxes?  It should be the
same team that is responsible for your production systems, typically the
sysadmin team.  That way, you can be sure that your development and QA
environments accurately reflect production platforms.  For example, if the
production environment is set to autoupdate, the other environments should
as well.  If an OS patch breaks code in the development environment, what's
the point of testing it or promoting it to production.

Second, we have isolation.  Absolutely have your sys admin team isolate the
QA and development environments from the rest of the network.  In fact,
placing an internal firewall there that requires authentication (as opposed
to letting a range of IPs in) would be the way to go.  You then have a
record of who did what when, including patching, testing, checking out of
code, etc. that you can cross-reference with system logs and version control
software.

Going forward, of course, we have secure programming and development
practices, which I won't expound upon here.  I understand the value of a
consistent platform for development, however it should consistently mirror
production to avoid wasting time.  Have your sysadmin keep a log of the
updates that are made to the production environment and ensure they are
applied to the other environments at the same time using the same
methodology.  If he's changing the production environment, what's the value
of having a development environment that doesn't reflect production?

Richard Rees, CISSP
Principal Consultant, International Network Services
Voice:  847.756.4072
Mobile:  847.650.0335
Email:   richard.rees () ins com
"The consultants that go to eleven"


-----Original Message-----
From: Smith, KC [mailto:ksmith () systemsalliance com] 
Sent: Friday, November 07, 2003 11:23 AM
To: security-basics () securityfocus com
Subject: Product Development and security in the enterprise

All,

Any advice from the collective wisdom of the list would be greatly
appreciated.

I manage a software development group that includes development staff,
QA and the help desk.

In the current network configuration all desktops and servers are in the
same subnet.  

Our sys admin has recently installed and configured MS Auto Update
Server and wants to force all machines to update automatically.

While I support this type of solution for distribution of critical
patches to the enterprise, I have a problem with my QA and dev machines
being changed out from underneath us.

I'm less concerned with the development machines, but the QA machines
have established baselines when it comes to installed software,
including patches.

I've suggested creating a network architecture that would allow my QA
boxes to remain pristine while allowing all other machines in the
enterprise to be updated.

How do other organizations handle this?

Can a screened subnet of some sort be used to isolate the QA machines?

Any other thoughts?

Thanks in advance
KC Smith

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to

simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------