SANS ISC: How do you audit your production code? InfoSec Handlers Diary Blog

How do you audit your production code?

Published: 2009-02-02
Last Updated: 2009-02-03 06:37:38 UTC
by Stephen Hall (Version: 1)
0 comment(s)

A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:

  • separation of duties
  • role based access control
  • the four eyes principle where tasks are reviewed

But how do you achieve this in your organisation? Are there any automated tools that can make the admin's role a lighter one? Drop us your suggestions via the contact form and I'll update this diary as I receive them.

Update 1:

Hal Pomeranz dropped us a note pointing towards his article on the SANS Forensics blog, certainly worth a read!

Brian also dropped us an e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it. At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."

This is a simple and workable arrangement for a small organisation, but how would it scale for a financial institution like Fannie Mae?
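To make the two ideas above concrete, here is a small added example (not code from this diary, from Brian's shop, or from any product) that combines the check-in audit trail Brian describes with the four-eyes principle from our list: every change is recorded as a unified diff, and it only becomes deployable once someone other than the author has approved exactly that diff. The names ChangeRecord, record_change, approve and deployable, and the sample zone file, are invented for the illustration.

```python
"""Audit trail with a four-eyes gate for configuration changes (added example)."""
import difflib
import hashlib
from dataclasses import dataclass, field


@dataclass
class ChangeRecord:
    path: str
    author: str
    diff: str                 # unified diff: the artefact that gets mailed and reviewed
    diff_sha256: str          # fingerprint so an approval binds to this exact diff
    approvers: list = field(default_factory=list)


def record_change(path: str, old_text: str, new_text: str, author: str) -> ChangeRecord:
    """Check-in step: capture who changed what as a unified diff."""
    diff = "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))
    return ChangeRecord(path, author, diff, hashlib.sha256(diff.encode()).hexdigest())


def approve(rec: ChangeRecord, reviewer: str, reviewed_sha256: str) -> bool:
    """Four-eyes gate: reviewer must not be the author and must have seen this diff."""
    if reviewer == rec.author:
        return False                       # separation of duties: no self-approval
    if reviewed_sha256 != rec.diff_sha256:
        return False                       # approval of a stale or different diff is void
    if reviewer not in rec.approvers:
        rec.approvers.append(reviewer)
    return True


def deployable(rec: ChangeRecord) -> bool:
    """A change may go to production only with at least one independent approval."""
    return len(rec.approvers) >= 1


# Constructed sample input: a DNS zone file edit of the kind Brian mentions.
OLD_ZONE = "$TTL 3600\nwww  IN A 192.0.2.10\nmail IN A 192.0.2.20\n"
NEW_ZONE = "$TTL 3600\nwww  IN A 192.0.2.10\nmail IN A 192.0.2.99\n"

if __name__ == "__main__":
    rec = record_change("zones/example.com", OLD_ZONE, NEW_ZONE, author="alice")
    print(rec.diff)                                   # what would be auto-mailed on check-in
    print(approve(rec, "alice", rec.diff_sha256))     # False: author cannot self-approve
    print(approve(rec, "bob", rec.diff_sha256))       # True: second pair of eyes
    print(deployable(rec))                            # True
```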
