
SANS ISC: How do you audit your production code? - Internet Security | DShield SANS ISC InfoSec Forums


How do you audit your production code?

A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:

  • separation of duties
  • role based access control
  • the four eyes principle where tasks are reviewed

But how do you achieve this in your organisation? Are there any automated tools that can make the admin's role a lighter one? Drop us your suggestions via the contact form and I'll update as I receive them.

Update 1:

Hal Pomeranz dropped us a note pointing towards his article on the SANS Forensics blog, certainly worth a read!

Brian also dropped us an e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it.  At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."

This is a simple and workable arrangement for a small organisation, but how would it scale for a financial institution like Fannie Mae?
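As an added illustration (not code from this diary or from Brian's shop), here is what a check-in hook on a configuration repository could do to tie Brian's version-control idea to the three controls listed above: a role-based check that the author may touch that part of the tree, a four-eyes check that a second person signed off, and the auto-mailed diff that forms the audit trail. Everything here is hypothetical: the role map, the people and addresses, the zone file, and the convention that a reviewer records approval as a "Reviewed-by: Name <email>" trailer in the commit message. The notice is built as an e-mail message but not sent.

```python
"""Added example, not code from the ISC diary: the checks a check-in hook on a
configuration repository (zone files, router configs) could apply before
mailing out the diff. Hypothetical assumptions: authors and reviewers are
identified by e-mail address, a second person records their review as a
"Reviewed-by: Name <email>" trailer in the commit message, and roles are a
hard-coded map here instead of a directory lookup."""
import difflib
import re
from email.message import EmailMessage

# Role-based access control: which role may change which part of the tree (constructed).
PATH_ROLES = {"zones/": "dns-admins", "routers/": "network-admins"}
ROLE_MEMBERS = {
    "dns-admins": {"alice@example.com", "bob@example.com"},
    "network-admins": {"carol@example.com"},
}

TRAILER_RE = re.compile(r"^([A-Za-z-]+):\s*(.+)$")
ANGLE_EMAIL_RE = re.compile(r"<([^<>]+)>")


def parse_trailers(message: str) -> dict:
    """Return {key: [values]} from git-style trailers, i.e. 'Key: value' lines
    in the last paragraph of a multi-paragraph commit message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    trailers: dict = {}
    if len(paragraphs) < 2:          # a one-paragraph message has no trailer block
        return trailers
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            trailers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return trailers


def authorised_for(author_email: str, path: str) -> bool:
    """RBAC check: the author must hold the role that owns the path."""
    for prefix, role in PATH_ROLES.items():
        if path.startswith(prefix):
            return author_email.lower() in ROLE_MEMBERS.get(role, set())
    return False                      # unknown area of the tree: deny by default


def four_eyes_ok(author_email: str, message: str):
    """Four-eyes rule: at least one Reviewed-by trailer naming someone other
    than the author. Returns (accepted, reason)."""
    reviewers = []
    for value in parse_trailers(message).get("reviewed-by", []):
        m = ANGLE_EMAIL_RE.search(value)
        reviewers.append((m.group(1) if m else value).strip().lower())
    if not reviewers:
        return False, "no Reviewed-by trailer"
    others = [r for r in reviewers if r != author_email.lower()]
    if not others:
        return False, "author reviewed own change"
    return True, "reviewed by " + ", ".join(others)


def unified_diff(path: str, before: str, after: str) -> str:
    """The audit trail itself: what changed, line by line."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))


def change_notice(path, before, after, author_email, message,
                  to="config-audit@example.com") -> EmailMessage:
    """Build the notice a hook would mail on check-in: verdict, who, and the diff."""
    verdicts = []
    if not authorised_for(author_email, path):
        verdicts.append(f"RBAC: {author_email} may not change {path}")
    accepted, reason = four_eyes_ok(author_email, message)
    if not accepted:
        verdicts.append(f"four-eyes: {reason}")
    status = "REJECTED" if verdicts else "ACCEPTED"
    msg = EmailMessage()
    msg["From"] = author_email
    msg["To"] = to
    msg["Subject"] = f"[{status}] {path}: {message.strip().splitlines()[0]}"
    body = f"Author: {author_email}\nStatus: {status}\n"
    body += "".join(f"  - {v}\n" for v in verdicts) or f"  - four-eyes: {reason}\n"
    msg.set_content(body + "\n" + unified_diff(path, before, after))
    return msg


# Constructed sample input: a zone file before and after repointing www.
ZONE_BEFORE = """$ORIGIN example.com.
@    3600 IN NS  ns1.example.com.
ns1  3600 IN A   192.0.2.1
www  300  IN A   192.0.2.10
"""
ZONE_AFTER = ZONE_BEFORE.replace("192.0.2.10", "198.51.100.7")
REVIEWED = "Repoint www to new load balancer\n\nReviewed-by: Bob <bob@example.com>\n"
SELF_REVIEWED = "Repoint www to new load balancer\n\nReviewed-by: Alice <alice@example.com>\n"
UNREVIEWED = "Repoint www to new load balancer\n"

if __name__ == "__main__":
    for msg_text in (REVIEWED, SELF_REVIEWED, UNREVIEWED):
        print(change_notice("zones/example.com.zone", ZONE_BEFORE, ZONE_AFTER,
                            "alice@example.com", msg_text))
        print("=" * 60)
```

Run stand-alone it prints three notices: the reviewed change is accepted, the self-reviewed one and the unreviewed one are rejected, and every notice carries the same diff whatever the verdict, so the mailing list sees the attempt even when the hook refuses it. The real-world version would read author, path and message from the version control system's hook environment and would treat the role map as a directory lookup; the logic of the three checks does not change.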


Stephen

ISC Handler
