Re: Proof of concept - Segregation of developers

From: David M. Zendzian (dmz@dmzs.com)
Date: Tue Mar 06 2007 - 08:06:34 EST


I'd like to also add that with standards such as PCI, there is a
requirement for segregation of development and production. There is also
a requirement that system management teams also be segregated.

It does add a lot of hurdles to deploying code, but when done well it
helps ensure that what is expected in production is what is there, and
once you get through the hurdles you'll find that things will tend to be
much more stable in the long run.

David

Dunn, Kevin wrote:
> WALI -
>
> I would submit that by specifying "malicious intent" in your scenario
> you are closing off the vast majority of problems that can arise in
> environments where strict controls between development, testing, and
> production environments are not applied. Your original question is very
> valid - however I would be interested in responses to a broader question
> also.
>
> In my opinion, the majority of problems occur when things are "fixed" in
> production. This is a natural impulse, as the overwhelming majority of
> people in the information technology field are "fix it" people. We do
> not like to see a problem go on for a minute more than necessary.
>
> However, when development teams are allowed access to production for
> debugging and remediation, the following items can occur in the "heat of
> battle" without any malicious intent.
>
> -- A fix is created and applied - but not applied to the source code
> system so the problem re-occurs with the next code update.
>
> -- Unknown exploit code on the developers machine has access to live
> production data - potentially HIPAA or trade secret data which can cost
> significant resources if exposed.
>
> -- Ad-hoc logging and tracing functions are created, causing problems
> later when log files grow in strange, out of the way places and cause a
> server to crash due to disk or resource exhaustion.
>
> -- The same ad-hoc logging and tracing functions create logs which
> contain sensitive data which are unknown and unmonitored and
> subsequently not handled in a secure manner.
>
> -- Debugging code is activated in production which causes unexplained
> system slowness.
>
> Unfortunately for the proof of concept aspect of your question - it is
> difficult to prove that these things will occur. However, you can show
> through mathematical analysis of an organization's operational and
> software defect percentages the likelihood of these items occurring.
>
> Hope these thoughts help. Best wishes on your research, I hope you are
> able to share the results with the list.
>
> Kevin Dunn

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT