How do you audit your production code?

Published: 2009-02-02
Last Updated: 2009-02-03 06:37:38 UTC
by Stephen Hall (Version: 1)
0 comment(s)

A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:

  • separation of duties
  • role based access control
  • the four eyes principle where tasks are reviewed

But how do you achieve this in your organisation, are there any automated tools which can make the admin's role a lighter one? Drop us your suggestions by the contact form and I'll update as I receive them.

 Update 1:

Hal Pomeranz dropped us a note pointing towards his article on the SANS Forenics blog, certainly worth a read!

Brian also dropped us a e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it.  At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."

This is a simple and workable arrangement for a small organisation, but how would it scale for a financial like Fannie Mae?

 

0 comment(s)

Comments


Diary Archives