Source Code Security


  • Steve Jones - SSC Editor (3/30/2015) ... Developers shouldn't have access to account information or keys that are used in production. There should be separate credentials used in development, precisely for this reason. If someone gets your code, or hacks a dev machine, they shouldn't be able to jump to production. ...

    Oh the joys of DevOps and/or small companies or company politics. Few if any of the companies that I have worked for had made the time to lock out the developers. Even the security managers have had issues when the board of directors perceive their pet project costing more and taking longer.

    As hackers become more and more targeted, this will of course become a bigger issue.

  • I have always advocated separation between development and production, in every scenario, including one-man bands. Even if one doesn't do a full separation policy in one go, you can incrementally roll out improvements, e.g. if a copy of the production database is used for investigating live issues, then it causes minimal disruption to process and access when that copy starts to be obfuscated. This is rendered easier by differentiating between development and administration accounts from day one.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Personally, I have never been a fan of online VCS. The human aspect of public vs private aside, it has always just seemed less secure to me.

    But it's the wave of the future, security be darned.

  • Xavon (3/31/2015)

    Personally, I have never been a fan of online VCS. The human aspect of public vs private aside, it has always just seemed less secure to me.

    But it's the wave of the future, security be darned.

    I totally agree. No on the online VCS.

  • Oh the joys of DevOps and/or small companies or company politics. Few if any of the companies that I have worked for had made the time to lock out the developers.

    That's my experience, small company, devs can do everything. Quite frankly that's the most efficient, as long as you don't get hacked or mess up. But as IT grows, so do the problems.

  • Yet Another DBA (3/31/2015)

    Steve Jones - SSC Editor (3/30/2015) ... Developers shouldn't have access to account information or keys that are used in production. There should be separate credentials used in development, precisely for this reason. If someone gets your code, or hacks a dev machine, they shouldn't be able to jump to production. ...

    Oh the joys of DevOps and/or small companies or company politics. Few if any of the companies that I have worked for had made the time to lock out the developers. Even the security managers have had issues when the board of directors perceive their pet project costing more and taking longer.

    As hackers become more and more targeted, this will of course become a bigger issue.

    DevOps doesn't mean developers access production. It means Developers and Operations work together, helping each other. Developers can provide the code and ensure Ops can run it. Ops can set the actual parameters/keys/passwords and save them separately.

    Politics are certainly an issue here. I've fought this battle with mixed results in the past.

  • Xavon (3/31/2015)

    Personally, I have never been a fan of online VCS. The human aspect of public vs private aside, it has always just seemed less secure to me.

    But it's the wave of the future, security be darned.

    Probably, not sure that's always the case, but certainly for anything that might be an issue if released, I'd be wary of an online VCS.

    However I'd argue that the vast majority of all code I've ever seen written isn't an issue from a disclosure of intellect area. Most of our code really isn't doing something that makes our business succeed or fail. It's the execution of business itself, not the software that matters.

    I do think, however, that potential holes in security, based on poor coding or coding mistakes, are an issue.

  • Yet Another DBA (3/31/2015)

    Oh the joys of DevOps and/or small companies or company politics.

    Reminds me of how often 'sa' was used as the default login for developers (and sometimes still is).

    And with a blank password, naturally!

    The more you are prepared, the less you need it.
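    The two practices discussed above, Ops supplying real parameters/keys/passwords separately rather than developers committing them, and 'sa' with a blank password turning up as a dev login, can both be caught with a small check over checked-in config. This is an added example, not code from the thread or from SQLServerCentral; it assumes ADO.NET-style connection strings and a hypothetical `${NAME}` placeholder convention that Ops fills at deploy time, and the sample web.config lines are constructed.

```python
import re

# Assumed convention (not from the thread): Ops substitutes ${NAME} tokens at
# deploy time, so a string that uses one carries no real secret in source.
PLACEHOLDER = re.compile(r"^\$\{[A-Z0-9_]+\}$")
CONN_STRING = re.compile(r"(?i)(?:server|data source)=[^\"']+")

def parse_connection_string(cs):
    """Split an ADO.NET-style 'Key=Value;Key=Value' string into a dict.
    Keys are lower-cased; on duplicates the last value wins, as ADO.NET does."""
    parts = {}
    for item in cs.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts

def check_connection_string(cs):
    """Return the findings for one connection string (empty list: nothing to flag)."""
    p = parse_connection_string(cs)
    user = p.get("user id", p.get("uid", ""))
    pwd = p.get("password", p.get("pwd"))
    findings = []
    if user.lower() == "sa":
        findings.append("uses the built-in 'sa' login")
    if user and pwd == "":
        findings.append("blank password")
    elif user and pwd and not PLACEHOLDER.match(pwd):
        findings.append("literal password committed to source")
    return findings

def scan_lines(lines):
    """Scan config lines and return {line_number: findings} for flagged ones."""
    results = {}
    for n, line in enumerate(lines, 1):
        m = CONN_STRING.search(line)
        if m:
            findings = check_connection_string(m.group(0))
            if findings:
                results[n] = findings
    return results

# Constructed sample lines in web.config style; no real servers or secrets.
SAMPLE = [
    '<add name="Dev" connectionString="Server=devsql;Database=App;User ID=sa;Password=;" />',
    '<add name="Prod" connectionString="Server=prodsql;Database=App;User ID=app_svc;Password=Hunter2!;" />',
    '<add name="ProdOps" connectionString="Server=prodsql;Database=App;User ID=app_svc;Password=${APP_DB_PASSWORD};" />',
    '<add name="Trusted" connectionString="Server=devsql;Database=App;Integrated Security=SSPI;" />',
]
```

Running `scan_lines(SAMPLE)` flags the Dev line for 'sa' with a blank password and the Prod line for a literal password, while the placeholder and Windows-authentication lines pass.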

  • Steve Jones - SSC Editor (3/31/2015)

    .......

    DevOps doesn't mean developers access production. It means Developers and Operations work together, helping each other. Developers can provide the code and ensure Ops can run it. Ops can set the actual parameters/keys/passwords and save them separately.

    Politics are certainly an issue here. I've fought this battle with mixed results in the past.

    Hmmm, I think "DevOps" is one of those terms that has different meanings for people. To me it's where Developers have access to the live environment to release code, all with management's permission.

  • Yet Another DBA (4/1/2015)

    Steve Jones - SSC Editor (3/31/2015)

    .......

    DevOps doesn't mean developers access production. It means Developers and Operations work together, helping each other. Developers can provide the code and ensure Ops can run it. Ops can set the actual parameters/keys/passwords and save them separately.

    Politics are certainly an issue here. I've fought this battle with mixed results in the past.

    Hmmm, I think "DevOps" is one of those terms that has different meanings for people. To me it's where Developers have access to the live environment to release code, all with management's permission.

    I agree that different people are interpreting this term differently. My understanding is far closer to Steve's.

    DevOps is the collaboration and support between the development and operation teams/roles in order to better transition software from development to production, however, it does not prescribe anyone having access to live.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • One thing is for sure whatever your interpretation of DevOps, a lot of consultants will be getting very rich from it!

  • Yet Another DBA (4/1/2015)

    Hmmm, I think "DevOps" is one of those terms that has different meanings for people. To me it's where Developers have access to the live environment to release code, all with management's permission.

    I'm not sure that's Devops as I've seen most of the people pioneering the work in this area describe it. That's somewhat chaos.

    It's not that developers can't act as operations people, but they should be using the tools, processes, and techniques proven to ensure stability and reliability for operations people, along with the programming and automation that developers often build.
