Re: Need security advice from Admins at Software Development companies

From: Alun Jones (alun_at_texis.invalid)
Date: 10/18/05

    Date: Tue, 18 Oct 2005 13:04:45 -0700

    As always, you cannot enforce any kind of security on employees who believe
    it to be a hindrance to their job.

    There are, however, several ways around this.

    Engage in a dialog with the software vendors, explain the situation
    (numerous test machines for one developer, used serially rather than in
    parallel), and see if you can come up with a licence that matches your use.
    They may even have a licence option of which you're not yet aware (one that
    might only be given out to people that ask) - or they may be able to tailor
    one for you.

    Or, engage in a dialog with the developers. Ask if they're willing to
    change the way they work to accommodate the restrictive terms of the
    licence. Or ask if they'll negotiate with the vendor for an appropriate
    licence. Or ask if they'll buy a copy for themselves if you reimburse them,
    with the intention that they become responsible for any licence violations.
    [That last one is probably not legally enforceable, so I would consult a
    lawyer before taking any advice that might touch on matters of law, since I
    am not a lawyer myself.]

    Currently, you are seen as an impediment to progress. Firing these
    developers and hiring more may prove to be counter-productive, if you and
    your policies are still seen as an impediment.

    Alun.
    ~~~~

    "Jordan" <nojunk_allowed@nospam.com> wrote in message
    news:%23V9%23YaB1FHA.3636@TK2MSFTNGP10.phx.gbl...
    > I guess it all boils down to trust and respect. I guess if I tally up all
    > the issues I have to say I don't trust them to obey the rule because I know
    > they do not respect the rules. Not just my rules, but the software
    > distributor's EULAs. My biggest issue with trusting them with things is
    > that they do not interpret things correctly. They always say that they see
    > it differently when things are in B&W in front of their face. They don't
    > understand that it is not what they think the EULA means, it is what it
    > says and is not open for interpretation.
    >
    > For example, we have a particular development package that says right in
    > the T&Cs that you get to install it on ONE MACHINE. These guys keep
    > saying that THEY THINK it is OK to install it on all their test stations
    > in the lab because they will be the only ones using their copies. They
    > actually think that if we did what they wanted and the SBA came in, the SBA
    > would say "Oh you promise that you are the only one using this single copy
    > on 5 machines... Well that is OK even though the license says one machine".
    > I had to argue with them for weeks on why they were not getting it and had
    > to drag their manager and President into the conversation in order to shut
    > them up.
    >
    > You're right about answering my own questions on this. The answers are
    > obvious.
    >
    > "Alun Jones" <alun@texis.invalid> wrote in message
    > news:fc-dnXMOvvU0ocjeRVn-ig@comcast.com...
    >> "Jordan" <nojunk_allowed@nospam.com> wrote in message
    >> news:uaco4i$0FHA.2616@tk2msftngp13.phx.gbl...
    >>> We are a manufacturing company that is now starting to develop software
    >>> for our products. We now have two engineers that use Visual Studio,
    >>> Labview, and a few other programming tools. What I would like to know
    >>> is, does every other company that has people developing software allow
    >>> the following:
    >>
    >> These are kind of loaded questions. Could be that your local situations
    >> trump any answers that you get. I once worked at a place, for instance,
    >> where the majority owner was one of the developers. It's really
    >> difficult to force that developer to stick to a rule, and then it becomes
    >> difficult to enforce the rule to other developers.
    >>
    >> Developers are 'special' (aren't we all?) in a few ways. They frequently
    >> have to install and run the software they create, and when they make a
    >> boo-boo, it can mean that their system is toast and needs to be
    >> reinstalled. In sensitive software (say a GINA replacement), that could
    >> cause them to have to reinstall the whole system with no ability to get
    >> in to recover the old one. [Virtual PC is practically a must for people
    >> like this] Developers are expensive, and delays of hours to install
    >> software for them is like pouring money down the drain.
    >>
    >>> 1. The developer to control the company's copies of Visual Studio and
    >>> other packages so they (the Developer) can install wherever they see
    >>> fit.
    >>
    >> Very loaded question - it's obvious what you want the answer to be.
    >> Clearly, you have to act to protect your company's liability against
    >> piracy suits. It's important to follow whatever licensing restrictions
    >> are in place for the software your developers use. If they say "N named
    >> users", name the users, and make sure that those users are responsible
    >> for the number of licences they are expected to use.
    >>
    >> Are your developers really so flip that they'll install your company's
    >> copies of VS all over the place? Maybe you need to give them a licence
    >> for use at home, or on their laptop - many of my best development ideas
    >> come to me in the bath, rather than at work, so it's good to have a copy
    >> of VS available in my home to test them out (once I've dried off a
    >> little).
    >>
    >>> 2. The developer be allowed to download and install any software they
    >>> want off the Internet unrestricted.
    >>
    >> As long as they are within licence restrictions, perhaps... But that can
    >> lead to viruses, of course. Intentionally or not, _all_ your users are
    >> downloading and installing software from the Internet, and you simply
    >> have to answer what you're doing, and what you're expected to do, about
    >> it. "IT installs all apps" is fine for office staff, but when you move up
    >> to developers, you're looking at putting obstacles in the way of them
    >> doing their job.
    >>
    >> Perhaps restrict such downloads to 'test machines' only, and don't allow
    >> those test machines full access to the corporate intranet.
    >>
    >>> 3. When a developer writes a program for use internally do they
    >>> (Developer) get to be Admins of any computer that uses their in-house
    >>> package or do they have to use the test lab.
    >>
    >> Bad.
    >>
    >> Unless they're writing system administration tools, you have to ask why
    >> this is happening - either because the users of those computers are
    >> already running as administrator, in which case you've already got a
    >> problem, or because the new tool has been written to run as admin-only.
    >> That could mean that your developers need a slap upside the head with a
    >> copy of "Writing Secure Code" by LeBlanc and Howard.
    >>
    >> The fact is, if your developers can persuade other users to run the
    >> developer's code, that allows the developer to become that user (even if
    >> the user is an admin). This is a _fact_, and cannot be worked around.
    >> You need to trust your developers, and get rid of those developers that
    >> you cannot trust.
    >>
    >>> 4. Do they get to distribute their in-house developed packages on the
    >>> fly without providing any proof that it has been tested.
    >>
    >> Why, what are they writing? If it's a simple tool, it may not need much
    >> in the way of testing that the users themselves aren't already performing
    >> when they run it. If you're concerned about developers hiding
    >> functionality in the code, then see the answer to question 3 - you need
    >> to get to the point where you can trust your developers. Let them
    >> release an untested app internally, and see them drown under the weight
    >> of support questions, or require that all internal tools go through
    >> testing, and set up the necessary infrastructure to do the testing.
    >>
    >> You cannot rely on a developer's word that something has been tested.
    >> Developers simply aren't that good at testing their own code.
    >>
    >>> 5. Are the developers allowed to send out copies of software developed
    >>> under the company's name without restriction.
    >>
    >> That's a really dangerous position to be in. Anything your developers
    >> put out from your company becomes official company canon.
    >>
    >> No, anything that's released should have gone through significant
    >> internal review by other developers and testers to ensure that it's up to
    >> your company's standards.
    >>
    >>> The reason I ask is because we have a policy that states that Only IT
    >>> can install software and for some "strange reason" we require proof of
    >>> the license. We restrict downloads of zips, exe, msi, and installable
    >>> programs by blocking the files and mime types in the email and proxy.
    >>> Also we have IT and not the developers install even the in-house
    >>> packages.
    >>>
    >>> The developers have full admin rights on their own PCs and they also
    >>> have several other pcs each with full admin rights at their disposal to
    >>> test anything they develop. When they request software or downloads,
    >>> they get the download most of the time within hours. If the download is
    >>> a demo their manager just has to sign a simple form that they don't even
    >>> fill out and they have the software usually the next day.
    >>
    >> "First installs" of new tools may be allowed to take hours - subsequent
    >> reinstalls to recover a crashed machine, etc., must be much quicker,
    >> unless you pay your developers peanuts.
    >>
    >>> If I am being overly protective, what do other companies do to protect
    >>> themselves from damage by developers who have a habit of installing
    >>> unlicensed software, downloading for non-business purposes, and who have
    >>> almost gotten viruses and Spyware from their Internet habits?
    >>
    >> If your developers damage you, take appropriate action. Cut them off
    >> from the Internet if that's what it takes; take disciplinary action, if
    >> necessary. Allow for the occasional "whoops" - we're all human, after
    >> all - but also make sure that people learn from their (and others')
    >> mistakes.
    >>
    >> Alun.
    >> ~~~~
    >>
    >
    >

