How do you audit your production code?
Last Updated: 2009-02-03 06:37:38 UTC
by Stephen Hall (Version: 1)
A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:
- separation of duties
- role based access control
- the four eyes principle where tasks are reviewed
But how do you achieve this in your organisation, are there any automated tools which can make the admin's role a lighter one? Drop us your suggestions by the contact form and I'll update as I receive them.
Hal Pomeranz dropped us a note pointing towards his article on the SANS Forenics blog, certainly worth a read!
Brian also dropped us a e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it. At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."
This is a simple and workable arrangement for a small organisation, but how would it scale for a financial like Fannie Mae?