The InfoSec Blog
1Apr/12

Managing Software

Last month, this question came up in a discussion forum I'm involved with:

Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software's at
the free will and introduce malicious code in the organization.

The short answer is "no".
The long answer leads to "no" in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it.

A lot of the problems with Windows software after the "split" that XP and later allowed to have non-privileged accounts was because people wrote non admin software that did require admin rights.

Developers should have their own machine, it should not be a production machine and should be easily re-imageable. There work should be archived, perhaps on another store, and regular use of a RCS so that branches and revisions can be managed.

If they really do need privileged access, then set up a test harness so that the test can be carried out with privilege without granting the developers normal privileged access.

And do not under any circumstances let them develop or test on a production machine.

As for your concern about downloading malicious code ... well, I had to laugh. If they are developers why would they need to download malicious code when they could write it?

If you mean they might download a open source library that had malicious code in it, then I suspect you've been reading the works of headline seeking journalists. All code has bugs. (All flesh is grass, all hardware will rust...) that applies just as much to commercial software (though probably with less accountability than open source). Finding and correcting bugs is what development is about; development is not just producing code, it is designing it, documenting it and testing it.

  • If your developers don't have a design to work to, then there are no meaningful metrics and this is just one step removed from kindergarten finger painting.
  • If your developers don't document their decision and the purpose of the code and its modules then your project is unstable and unmanageable.
  • If your developers don't test, don't have a test plan and keep records of the test, then they are no better than a million monkeys hammering away at random.

I've upset you by saying that?? Good, because unless we treat development professionally,
treat it as a engineering discipline and profession like any other, then the software we produce will be a joke and will be deadly.

 

Enhanced by Zemanta

Posted by Anton Aylward

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.