Re: Need security advice from Admins at Software Development companies

From: Mercury (me_at_spam.com)
Date: 10/19/05


Date: Wed, 19 Oct 2005 17:01:17 +1300

answers inline .... please excuse typing...

"Jordan" <nojunk_allowed@nospam.com> wrote in message
news:uaco4i$0FHA.2616@tk2msftngp13.phx.gbl...
> We are a manufacturing company that is now starting to develop software
> for our products. We now have two engineers that use Visual Studio,
> Labview, and a few other programming tools. What I would like to know is,
> does every other company that has people developing software allow the
> following:

This does imply some potentially special aspects of s/w development. I
suggest after more research you discuss the points I raise with them with
the objectives of producing policies that enforce company requirements but
are implemented to facilitate producing quality products, maintaining
security, safeguarding IP, and getting on with the job in as least
bureaucratic a manner as possible while maintaining the above objectives.

It does appear that the s/w dev team should be working with you to allay
some rightfully held fears, as the tone of your questions overall indicates
to me a dev team that may be lacking in control. As clever as they may be,
they actually have to put their brains into gear for that cleverness to be
worthwhile... IE you may have fears / they may / should be fully aware of
all of this, so again, discuss this with them.

> 1. The developer to control the company's copies of Visual Studio and
> other packages so they (the Developer) can install wherever they see
> fit.

Generally No. Install the full package for them - complete - then safe keep
the media & license keys. The company pays for and owns the licenses and is
responsible legally. Either that or delegate the responsibility to one IT
person that is known to hold that responsibility as it should be. The
objective here is not to get in a legal mess, to get the s/w to those that
need it, and to protect the investment by not losing the media / keys etc. Work
it out with them.

Every package to be acquired needs justification - purpose, budget, ongoing
maintenance. S/W must not be acquired willy nilly with no budgetary control.
IT should be able to draft several lists: essential major tools EG Visual
Studio and products in those price brackets, dev utilities, user utilities
(EG winzip / winrar, adobe acrobat, etc...). If they go the willy nilly
path then that indicates a lack of forethought and planning ==> poor project
control.

You will end up with poorly conceived products if developers go on Add-in /
Widget / code Library spending sprees as there are license issues,
stability, installer / run time issues ( correct installation /
deinstallation) and so on. Minimalism is a virtue in S/W dev toolkits. This
does need balancing with ROI that many toolkits / libraries can achieve
rapidly.

> 2. The developer be allowed to download and install any software they want
> off the Internet unrestricted.

No. For obvious reasons: virus, malware etc. The company is more important
than any single developer.

I suggest that 1 isolated machine be set up that allows them to evaluate
trials for fitness prior to any further steps / installation on any dev
machine.

> 3. When a developer writes a program for use internally do they
> (Developer) get to be Admins of any computer that uses their in-house
> package or do they have to use the test lab.

No. They must be able to write installer packages that deploy correctly (IE
MSI's). Outside of a test lab that should be via a planned deployment method
in line with any other package to be installed.

Think quality and complete builds / integrated with testing etc. If they
produce a new package version for acceptance testing every day then that is
good.

> 4. Do they get to distribute their in-house developed packages on the fly
> without providing any proof that it has been tested?

No. That would create havoc. Who has what version of what? How is support
provided? Testing is very very important. It is the make or break of quality
products and is not a simple task. This process needs to be integrated with
the architect / dev / test / deploy / maintain cycle - there are several
major models to follow that are widely used. Willy nilly testing / deployment
is too prone to compounding errors to describe.

> 5. Are the developers allowed to send out copies of software developed
> under the company's name without restriction?

Generally the company owns the source code, products etc.

The ability of devs to send in-house code out should be controlled, as what
happens if you send out a custom package to a competitor? What happens if
the package is actually good and someone decides to bootleg it?

> The reason I ask is because we have a policy that states that Only IT can
> install software and for some "strange reason" we require proof of the
> license. We restrict downloads of zips, exe, msi, and installable
> programs by blocking the files and mime types in the email and proxy.
> Also we have IT and not the developers install even the in-house packages.
>
> The developers have full admin rights on their own PCs and they also have
> several other pcs each with full admin rights at their disposal to test
> anything they develop. When they request software or downloads, they get
> the download most of the time within hours. If the download is a demo
> their manager just has to sign a simple form that they don't even fill out
> and they have the software usually the next day.

Devs should develop using least permissions like everyone else. For some of
the projects this may be difficult (EG device drivers) as all rights may be
needed to test all aspects and so on - in which case network isolation /
test suites should be considered.

I take it they are on the same network as everyone else? This is a formula
for virus / malware deployment / spyware.

> If I am being overly protective, what do other companies do to protect
> themselves from damage by developers who have a habit of installing
> unlicensed software, downloading for non-business purposes, and who have
> almost gotten viruses and Spyware from their Internet habits?

Your devs should take pride in corporate responsibility in that they have
responsible positions and need to show / exercise those responsibilities -
to use least privilege, minimal toolkit, respect for budgets / expenditure,
SECURITY etc. They should also take pride in the products they produce by
writing them responsibly - to not require privilege where it is not
required, and where it is required to architect systems for least privilege
requirements IE the user app does not require admin rights unless it is a
windows administration utility.

In the mix somewhere you may need to have test lab machines that *must* be
disconnected from the network. Each app to be acquired must be assessed for
fitness for purpose / stability / issues before acquisition. Testing must be
formalised, as should distribution / installation / user acceptance testing /
support / bug reporting etc.

IME, it is normal to inflict security controls, just as it is normal to have
locks on doors. However we all know of problems with locks - they must be in
the correct places or they can be excessive and inhibit progress. Terms and
conditions of employment for s/w devs should reflect their special privs
and responsibility and emphasise ownership of IP, source code,
confidentiality, products, security, email use, web use, USB disc drive use
and so on...

2 cents worth to get started on.
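Jordan's policy of blocking zips, exes, msis and other installable programs "by the files and mime types in the email and proxy" is the one concrete control in the thread, and it is worth seeing why a gateway has to check more than the file name. The following is an added example, not code from either poster or from any product they use: a minimal model of such a filter that checks the extension, the declared Content-Type and the leading bytes of the content independently, so a renamed installer or a misreported MIME type is still caught. The block lists and all sample files are constructed for the example; a real gateway would also unpack archives and Office containers rather than blocking every zip outright.

```python
"""Model of an attachment / download filter (added example, constructed data).

A file is blocked if ANY of three independent checks matches:
  1. its extension is on the block list,
  2. its declared MIME type is on the block list,
  3. its first bytes carry the signature of an executable / installer container.
Check 3 is what defeats "rename setup.exe to report.pdf".
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy: extensions treated as installable / executable content.
BLOCKED_EXTENSIONS = {"exe", "msi", "msp", "zip", "scr", "com", "bat", "cmd", "vbs", "ps1"}

# Constructed policy: MIME types blocked regardless of file name.
BLOCKED_MIME_TYPES = {
    "application/x-msdownload",       # common type for .exe
    "application/x-msi",              # Windows Installer package
    "application/x-ole-storage",      # OLE compound file, the .msi container
    "application/zip",
    "application/x-zip-compressed",
    "application/octet-stream",       # conservative: unknown binary is treated as installable
}

# Well-known file signatures (first bytes), independent of name and declared type.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",                                 # .exe/.dll/.scr DOS/PE header
    b"PK\x03\x04": "zip-archive",                           # .zip (also .docx/.xlsx containers)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",    # .msi (also legacy .doc/.xls)
}


@dataclass
class Download:
    filename: str
    declared_mime: str
    content: bytes


@dataclass
class Verdict:
    blocked: bool
    reasons: List[str] = field(default_factory=list)


def _extension(filename: str) -> str:
    # Case-insensitive, last dot wins ("setup.pdf.exe" -> "exe").
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff(content: bytes) -> Optional[str]:
    """Return the signature kind for the content's leading bytes, or None."""
    for magic, kind in MAGIC_SIGNATURES.items():
        if content.startswith(magic):
            return kind
    return None


def evaluate(download: Download) -> Verdict:
    """Apply all three checks; every matching check is recorded as a reason."""
    reasons: List[str] = []
    ext = _extension(download.filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension .{ext} is on the block list")
    if download.declared_mime.lower() in BLOCKED_MIME_TYPES:
        reasons.append(f"declared MIME type {download.declared_mime} is on the block list")
    kind = sniff(download.content)
    if kind is not None:
        reasons.append(f"content signature looks like {kind}")
    return Verdict(blocked=bool(reasons), reasons=reasons)


# Constructed samples (not real files): the third one is an executable whose
# name and Content-Type both claim it is a PDF; only the signature check catches it.
SAMPLES = [
    Download("setup.exe", "application/x-msdownload", b"MZ\x90\x00\x03\x00"),
    Download("install.msi", "application/x-msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    Download("report.pdf", "application/pdf", b"MZ\x90\x00\x03\x00"),
    Download("notes.txt", "text/plain", b"meeting notes for Wednesday"),
    Download("design.pdf", "application/pdf", b"%PDF-1.4\n"),
]


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample; returns filename -> blocked."""
    return {d.filename: evaluate(d).blocked for d in SAMPLES}


if __name__ == "__main__":
    for d in SAMPLES:
        v = evaluate(d)
        print(f"{d.filename:12} {'BLOCK' if v.blocked else 'allow':5} {'; '.join(v.reasons)}")
```

The point of the three-way check is that each signal can be wrong on its own: a sender controls the file name and, for mail attachments, the declared type, and a proxy only sees the Content-Type the remote server chose to send. The leading bytes are the only part the gateway observes directly, which is why `report.pdf` above is blocked with a single reason while `setup.exe` collects all three.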


