RE: Procedural Issues

We chose AccuRev over VSS for productivity reasons which greatly
outweighed the cost. Support has been great and implementation went very
smooth.


Dave Lewis
IT Manager
Security Connections, Inc.
www.security-connect.com



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of WALI
Sent: Tuesday, June 12, 2007 1:47 PM
To: Shahin Ansari; Kenton Smith; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Procedural Issues

Hi

Coming back to this issue which is about 4 months old, I am at the verge
of
finalizing finer details of our SDLC lifecycle.
I am stuck at one point and seek your help. I am about to deploy Visual
SourceSafe as my Version Control tool.

I need to define databases, folders and rights within VSS. What should
they
typically be. There has to be a Configuration manager within VSS. Who
shuld
this be?
Shahin, you wrote that there are static and dynamic versions of SoD!!
Please elaborate a bit for my benefit.

Kenton, I don't have many guys on board but have just managed to higher
a
QA function. Can QA shift the code after UAT to production environment?
What are the risks associated with doing so?


At 01:02 PM 1/9/2007 -0800, Shahin Ansari wrote:
Role Based Access Control model addresses issues like this. You may
want
to grant approval power to the Development team lead using a higher
previlage role, and not give him freedoms like deleting files, writing,
or
other previlage he/she normally enjoy. This is called separation of
duties, and there is static and dynamic versions of it. Hope it helps.
Regards-
Sean

Kenton Smith <listsks@xxxxxxxx> wrote:
Security is all about mitigating risk. You're right, there are
certainly
risks associated with someone from development accessing production
servers, however that is less risk than having all developers with
access
to production environments. Some risks that might come up would be
unauthorized changes to production, accidental deletion of files,
access
to confidential information.
In our company, it is our QA manager along with the VP Development that

have to sign off on the code before it moves from development to
production. We also have an integration group who are the people that
actually have acess to the production servers, so the QA manager
doesn't
actually deploy the changes to production. Our company obviously has a
bigger infrastructure and because of business reasons we do it this
way.
However you may find that the risks are so small relative to the
additional staff needed that it makes more sense to put the trust in
the
development team lead to work with the production servers.
It's not a simple yes/no decision, it really comes down to what works
best
in your environment while incurring the least amount of risk.

Kenton

----- Original Message ----
From: WALI
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Monday, January 8, 2007 10:50:28 AM
Subject: Procedural Issues

In a software development environment, what risks do we have if we
allowed
software development team leader, access to Live production servers?

Security demands that the two environments be segregated.

If I segregate the two environments, who would shift the code from
development to Live?



-----------------------------------------------------------------------
----
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
-----------------------------------------------------------------------
----









__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-----------------------------------------------------------------------
----
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildete
ct
-----------------------------------------------------------------------
----


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Relevant Pages

  • Re: Procedural Issues
    ... Only have your production team move the code - QA and Developers are poor choices for this, ... I prefer Subversion, but VSS has very poor performance, especially over VPN type connections. ... Do You Yahoo!? ... Mail has the best spam protection around ...
    (Security-Basics)
  • Re: OT: interesting global warming quote found elsewhwere
    ... I couldn't agree more about that whole MBA business. ... section) manager with an MBA whose previous job experience had been - I'm ... that production fell and the company just about tanked. ...
    (sci.electronics.design)
  • Re: OT: interesting global warming quote found elsewhwere
    ... I couldn't agree more about that whole MBA business. ... section) manager with an MBA whose previous job experience had been - I'm ... that production fell and the company just about tanked. ...
    (sci.electronics.design)
  • Re: OT: interesting global warming quote found elsewhwere
    ... I couldn't agree more about that whole MBA business. ... section) manager with an MBA whose previous job experience had been - I'm ... that production fell and the company just about tanked. ...
    (sci.electronics.design)
  • Re: Totally OT -- Marvies Day At Work (kind of long)
    ... Frank wants some changes to happen and I ... The Plant Manager (or Total Head Honcho -- NOT the Production Manager) ... 'Mike' is a nice guy. ...
    (alt.support.stop-smoking)