Security Basics mailing list archives
RE: Product Development and security in the enterprise
From: "Richard Rees" <richard.rees () ins com>
Date: Fri, 7 Nov 2003 14:11:34 -0600
In most of the software development environments I have seen that focus on security, there are larger issues at play than the patching of the QA servers.

First of all, there is ownership. Who owns your QA boxes? It should be the same team that is responsible for your production systems, typically the sysadmin team. That way, you can be sure that your development and QA environments accurately reflect production platforms. For example, if the production environment is set to autoupdate, the other environments should as well. If an OS patch breaks code in the development environment, what's the point of testing it or promoting it to production?

Second, we have isolation. Absolutely have your sysadmin team isolate the QA and development environments from the rest of the network. In fact, placing an internal firewall there that requires authentication (as opposed to letting a range of IPs in) would be the way to go. You then have a record of who did what when, including patching, testing, checking out of code, etc., that you can cross-reference with system logs and version control software.

Going forward, of course, we have secure programming and development practices, which I won't expound upon here.

I understand the value of a consistent platform for development; however, it should consistently mirror production to avoid wasting time. Have your sysadmin keep a log of the updates that are made to the production environment and ensure they are applied to the other environments at the same time using the same methodology. If he's changing the production environment, what's the value of having a development environment that doesn't reflect production?
Richard Rees, CISSP
Principal Consultant, International Network Services
Voice: 847.756.4072
Mobile: 847.650.0335
Email: richard.rees () ins com
"The consultants that go to eleven"

-----Original Message-----
From: Smith, KC [mailto:ksmith () systemsalliance com]
Sent: Friday, November 07, 2003 11:23 AM
To: security-basics () securityfocus com
Subject: Product Development and security in the enterprise

All,

Any advice from the collective wisdom of the list would be greatly appreciated.

I manage a software development group that includes development staff, QA and the help desk. In the current network configuration all desktops and servers are in the same subnet. Our sysadmin has recently installed and configured MS Auto Update Server and wants to force all machines to update automatically. While I support this type of solution for distribution of critical patches to the enterprise, I have a problem with my QA and dev machines being changed out from underneath us. I'm less concerned with the development machines, but the QA machines have established baselines when it comes to installed software, including patches.

I've suggested creating a network architecture that would allow my QA boxes to remain pristine while allowing all other machines in the enterprise to be updated. How do other organizations handle this? Can a screened subnet of some sort be used to isolate the QA machines? Any other thoughts?

Thanks in advance
KC Smith
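Richard's closing point, that the sysadmin should log every production update and apply the same updates to the other environments at the same time, reduces to a baseline comparison between hosts. The script below is an added example, not code from this thread or its authors. It compares two constructed patch inventories, flags updates present on one host but not the other, and flags updates that reached QA later than an allowed lag. It assumes the per-host inventories are collected separately by the sysadmin team (on Windows, for instance, with the Get-HotFix cmdlet); the patch identifiers here are placeholders, not real updates.

```python
"""Check whether a QA host's patch baseline still mirrors production.

Added example, not code from the original thread or its authors. The two
inventories below are constructed sample data; on Windows hosts the sysadmin
team would gather the real ones per box (e.g. with Get-HotFix) before running
this comparison.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    kb: str             # patch identifier (placeholder values below, not real KBs)
    installed_on: date  # date the update was applied on that host


def drift(prod, qa):
    """Return (missing_in_qa, extra_in_qa): patch ids that differ between the hosts."""
    prod_ids = {p.kb for p in prod}
    qa_ids = {p.kb for p in qa}
    return prod_ids - qa_ids, qa_ids - prod_ids


def lag_days(prod, qa):
    """For patches both hosts have: days QA was patched after production (negative = QA first)."""
    qa_dates = {p.kb: p.installed_on for p in qa}
    return {p.kb: (qa_dates[p.kb] - p.installed_on).days
            for p in prod if p.kb in qa_dates}


def baseline_ok(prod, qa, max_lag_days=0):
    """True only if QA has exactly production's patch set, each applied within max_lag_days."""
    missing, extra = drift(prod, qa)
    if missing or extra:
        return False
    return all(abs(d) <= max_lag_days for d in lag_days(prod, qa).values())


def report(prod, qa, max_lag_days=0):
    """Lines suitable for the update log the sysadmin keeps; empty drift yields one OK line."""
    missing, extra = drift(prod, qa)
    lines = []
    for kb in sorted(missing):
        lines.append(f"MISSING on QA (in prod, not in QA): {kb}")
    for kb in sorted(extra):
        lines.append(f"EXTRA on QA (not in prod, uncontrolled change): {kb}")
    for kb, days in sorted(lag_days(prod, qa).items()):
        if abs(days) > max_lag_days:
            lines.append(f"LAG {kb}: QA applied {days:+d} days relative to prod")
    return lines or ["QA mirrors production"]


# Constructed sample inventories (identifiers are placeholders, not real updates).
PROD = [
    Patch("KB900001", date(2003, 7, 20)),
    Patch("KB900002", date(2003, 9, 12)),
    Patch("KB900003", date(2003, 10, 16)),
]
QA = [
    Patch("KB900001", date(2003, 7, 20)),
    Patch("KB900002", date(2003, 9, 15)),   # applied three days after production
    Patch("KB900004", date(2003, 5, 1)),    # never applied to production
]

if __name__ == "__main__":
    for line in report(PROD, QA):
        print(line)
```

The "extra on QA" case is the one KC's post is worried about: an update landing on a QA box that production never received changes the established baseline without anyone deciding to, and the log cross-reference Richard describes is what lets the team find out who applied it and when.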