RE: Procedural Issues



Thanks Vic

That was quite explanatory

I was wondering if http://bazaar-vcs.org/ is a good free CVS system? Do you have any other GPL open source in mind? Our core development is largely on ASP/ASP.NET or D2K, though I don't think it matters when it comes to choosing a CVS repository server.

Instead of installing a CVS repository, I create an FTP folder on production and give dumping rights to QA. QA creates an EXE from the code that has undergone User Acceptance Testing, and the Operations guy then picks up this EXE from the FTP folder and pushes it into the folder where the executable should reside.

An FTP log is also maintained.

Would this be acceptable to auditors? Is there a risk in this?

1. The ability to make undetected (unauthorized) changes to production.
2. The ability to introduce security or financial reporting holes into production (fraud or access) with unauthorized code changes.
3. Disruption of business operations due to lack of proper QA (change control).

Moving code from dev to prod should include an intermediary QA process by which someone other than the developer reviews and tests the code for bugs or impact to production. Only code that has been subjected to such a review should be implemented by operational teams. Such code can be released by a release controller (QA Lead) to operations or by operations checking out approved code from a CVS repository.

Typically operational personnel are not developers and do not have the same capability to modify code (as a developer does). However, operational personnel should generate unique audit trails and not be a part of the formal code review process (although they may perform their own testing of a new release to obtain a level of comfort new code won't break things).

If you have one person writing code, one person performing QA and one person deploying it - statistically speaking, the likelihood of fraud occurring where all 3 have to participate in the fraud is much less than one person performing all 3 functions.

Obviously the effort should be proportional to the size of the team and the operation and the risk associated with the particular code. Practically speaking, it is usually the rush to release code that breaks operational systems (change control). A formal release process that includes a QA process can help prevent that by introducing basic sanity checks into the release process.

I have heard auditors argue that a lack of segregation of duties presents an "unbounded risk" or one that cannot be adequately measured. Even a simple setup of segregation of duties can save you hours of open-ended discussion with auditors.
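One way to make the FTP drop-folder process from the earlier message satisfy the three-role separation argued for above, as an added example that is not code from either poster: QA records the SHA-256 of the exact EXE it accepted, and the operations step refuses the push if the bytes in the drop folder changed after approval or if the deployer is the developer or the QA approver, logging every attempt either way. The role names and the in-memory audit log are constructed stand-ins for the real FTP log.

```python
import hashlib
from datetime import datetime, timezone


class ReleaseGateError(Exception):
    """Raised when a release fails a segregation-of-duties or integrity check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def approve_release(artifact: bytes, developer: str, qa_approver: str) -> dict:
    """QA records the exact bytes it accepted (by hash) and who was involved."""
    # A developer must not sign off on their own build.
    if qa_approver == developer:
        raise ReleaseGateError("QA approver must not be the developer")
    return {
        "sha256": sha256_hex(artifact),
        "developer": developer,
        "qa_approver": qa_approver,
        "approved_at": datetime.now(timezone.utc).isoformat(),
    }


def deploy(artifact: bytes, approval: dict, deployer: str, audit_log: list) -> bool:
    """Operations gate: a third person and an unmodified artifact.

    Every attempt, accepted or refused, is appended to audit_log so a
    refused push is as visible to an auditor as a successful one.
    """
    entry = {
        "at": datetime.now(timezone.utc).isoformat(),
        "deployer": deployer,
        "sha256": sha256_hex(artifact),
    }
    try:
        if deployer in (approval["developer"], approval["qa_approver"]):
            raise ReleaseGateError("deployer must be neither developer nor QA")
        if entry["sha256"] != approval["sha256"]:
            # Bytes in the drop folder are not what QA tested.
            raise ReleaseGateError("artifact changed after QA approval")
        entry["result"] = "deployed"
        return True
    except ReleaseGateError as exc:
        entry["result"] = f"refused: {exc}"
        return False
    finally:
        audit_log.append(entry)
```

In practice the approval record would be written by the QA account and the deploy check run by the operations account, so neither side can alter the other's entry.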



In a software development environment, what risks do we have if we allowed the software development team leader access to live production servers?

Security demands that the two environments be segregated.

If I segregate the two environments, who would shift the code from development to Live?


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


