Home page logo
/

basics logo Security Basics mailing list archives

Re: Securing Development in a production environment
From: Goran Pizent <goran.pizent () mobilnet hr>
Date: Fri, 31 Aug 2007 10:09:00 +0200

Hello Anthony,

I am surprised that developers do what you just have described.
They probably lack proper security education both technical and
administrative. They are clearly unaware of the values that they posses
on their machines. It is very important to explain them (in terms of $)
how much your company would loose in case of unauthorized modifications
of source code.
Also there should be consequences if they don't obey, and if someone
don't obey he/she is not responsible person and you should have second
thoughts about him/her in your team.

About administrative rights on local machines. I am not quite familiar
what is your business/development process but I would not completely
lock them down. I would force them (through security policy) to work as
normal users and they certainly can work and produce code, and debug
application, and read mail, and surf the Internet and chat with friends
etc etc with normal user privileges. But sometimes (rare cases) they
really need admin privileges. Example is when they need to debug kernel
or when they need debug privilege (SeDebugPrivilege on Windows) to debug
process that is not executing under their credentials. 
And another thing - reading mail, browsing Internet, Instant messaging
WITH administrative rights IS potential risk for your company and your
assets that resides on workstations of all of your employees (including
developers of course).  That's why you should create security policy
that resolves that issue.

If you need to test installation(MSI etc.) I think that local VMWare
with no access to network is good enough for initial setup test. Of
course you have to have dedicated testers and setup masters that will
create and test final setup and your product in dedicated environment of
course. 

Hope that helps,
Goran


 

On Thu, 2007-08-30 at 10:49 -0500, Anthony Cogan wrote:
We have a number of issues over the past year where developers were  
running FTP servers, anonymous file shares (with confidential data  
and no ACL's) and other very insecure methods.

Their workstations are in the process of being replaced and are being  
provided a locked down (least privilege user) environment.  A small  
vocal group says they can not work this way and MUST have local  
administrative rights to their box.  They have been provided virtual  
machines running W2k03 Server joined to our production domain (yeah,  
I said that right).

I am more familiar with the UNIX world and no developer EVER had  
local administrative rights, even on developments boxes, so I am  
looking for feedback from the group on how you provide an environment  
for your developers while maintaining security.

I have had a couple of ideas, I look forward to some of yours...

Idea 1)
Developers have a 100% locked down environment other than their  
development tools, when they need to test their MSI or package  
installs, they take their "package" into a small development section  
that would be VLAN'd off the production network.  This way they could  
develop on their own box, wrap up their packages into their  
installation format, not require any admin privileges and just do a  
quick walk over to test their packaging installation methodologies.

Idea 2)
Have a development server that all the developers would do final  
builds and package tests on.  This may require two servers, one for  
building and one for package installation testing, but nothing that  
VM's couldn't handle.  They would use TS to access the box, which  
again would be VLAN'd off the production network with the exception  
of RDP.

Idea 3)
Is there a way that you can tell windows just a specific name of  
packages and/or packages to install with a normal user account?  ie:  
Allow users of a certain OU to install software with the name of  
"Developer Software 1" -> "Developer Software 10"?  This way, we  
would have limited access and they couldn't install FTP services,  
create file shares, but still install their test packages...

Idea 4+)
??????



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]