Re: Procedural Issues

["security.xentek" <eric () xentek net>]

Only have your production team move the code - QA and Developers are  
poor choices for this, imho.

Also, I would not go with VSS. I prefer Subversion, but VSS has very  
poor performance, especially over VPN type connections. Since it is  
basically an 'intranet' type of applicaiton, you have to be on the  
same network as it to get to its repository databases. It has a  
proprietary database, that I've found is prone to crashing. Its  
permissions are basically Read or Read/Write, as far as its users are  
concerned. But you also need to think about the location of the repos  
dbs, as your Windows Domain accts will need to be able to have the  
same access set up on that end. It has an admin interface, but  
basically all it is a single password that protects each repository,  
and that password basically just lets you add/edit/remove Users to  
that repository.

Subversion can be configured with much more granular control,  
including over individual files and directories, can be configured to  
talk over HTTPS (which keeps you from having to do VPN, etc. to get  
to it), can have web interfaces built on top of it, has better  
logging than VSS, and is FAST even when checking in and out multi- 
megabytes of data. It has a great Windows client (TortoiseSVN.net),  
good documentation, and is a great free choice (runs under windows or  
linux) that should suit most needs in a Version Control System. Check  
it out here: http://subversion.tigris.org/



+       eric m.
+       http://xentek.net
+ + + + + + + + + + + + + +


"Security is mostly a superstition. It does not exist in nature, nor  
do the children of men as a whole experience it. Avoiding danger is  
no safer in the long run than outright exposure. Life is either a  
daring adventure or nothing." - Helen Keller


On Jun 12, 2007, at 7:24 PM, Dave Lewis wrote:

> We chose AccuRev over VSS for productivity reasons which greatly
> outweighed the cost. Support has been great and implementation went  
> very
> smooth.
>
>
> Dave Lewis
> IT Manager
> Security Connections, Inc.
> www.security-connect.com
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com]
> On Behalf Of WALI
> Sent: Tuesday, June 12, 2007 1:47 PM
> To: Shahin Ansari; Kenton Smith; security-basics () securityfocus com
> Subject: Re: Procedural Issues
>
> Hi
>
> Coming back to this issue which is about 4 months old, I am at the  
> verge
> of
> finalizing finer details of our SDLC lifecycle.
> I am stuck at one point and seek your help. I am about to deploy  
> Visual
> SourceSafe as my Version Control tool.
>
> I need to define databases, folders and rights within VSS. What should
> they
> typically be. There has to be a Configuration manager within VSS. Who
> shuld
> this be?
> Shahin, you wrote that there are static and dynamic versions of SoD!!
> Please elaborate a bit for my benefit.
>
> Kenton, I don't have many guys on board but have just managed to  
> higher
> a
> QA function. Can QA shift the code after UAT to production  
> environment?
> What are the risks associated with doing so?
>
>
> At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:
> > Role Based Access Control model addresses issues like this.  You may
> want
> > to grant approval power to the Development team lead using a higher
> > previlage role, and not give him freedoms like deleting files,  
> > writing,
> or
> > other previlage he/she normally enjoy.  This is called separation of
> > duties, and there is static and dynamic versions of it.  Hope it  
> > helps.
> > Regards-
> > Sean
> >
> > Kenton Smith <listsks () yahoo ca> wrote:
> > Security is all about mitigating risk. You're right, there are
> certainly
> > risks associated with someone from development accessing production
> > servers, however that is less risk than having all developers with
> access
> > to production environments. Some risks that might come up would be
> > unauthorized changes to production, accidental deletion of files,
> access
> > to confidential information.
> > In our company, it is our QA manager along with the VP Development  
> > that
>
> > have to sign off on the code before it moves from development to
> > production. We also have an integration group who are the people that
> > actually have acess to the production servers, so the QA manager
> doesn't
> > actually deploy the changes to production. Our company obviously  
> > has a
> > bigger infrastructure and because of business reasons we do it this
> way.
> > However you may find that the risks are so small relative to the
> > additional staff needed that it makes more sense to put the trust in
> the
> > development team lead to work with the production servers.
> > It's not a simple yes/no decision, it really comes down to what works
> best
> > in your environment while incurring the least amount of risk.
> >
> > Kenton
> >
> > ----- Original Message ----
> > From: WALI
> > To: security-basics () securityfocus com
> > Sent: Monday, January 8, 2007 10:50:28 AM
> > Subject: Procedural Issues
> >
> > In a software development environment, what risks do we have if we
> allowed
> > software development team leader, access to Live production servers?
> >
> > Security demands that the two environments be segregated.
> >
> > If I segregate the two environments, who would shift the code from
> > development to Live?
> >
> >
> >
> > --------------------------------------------------------------------- 
> > --
> ----
> > This list is sponsored by: ByteCrusher
> >
> > Detect Malicious Web Content and Exploits in Real-Time.
> > Anti-Virus engines can't detect unknown or new threats.
> > LinkScanner can. Web surfing just became a whole lot safer.
> >
> > http://www.explabs.com/staging/promotions/xern_lspro.asp? 
> > loc=sfmaildete
> ct
> > --------------------------------------------------------------------- 
> > --
> ----
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
> > --------------------------------------------------------------------- 
> > --
> ----
> > This list is sponsored by: ByteCrusher
> >
> > Detect Malicious Web Content and Exploits in Real-Time.
> > Anti-Virus engines can't detect unknown or new threats.
> > LinkScanner can. Web surfing just became a whole lot safer.
> >
> > http://www.explabs.com/staging/promotions/xern_lspro.asp? 
> > loc=sfmaildete
> ct
> > --------------------------------------------------------------------- 
> > --
> ----
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com