How do you audit your production code?
A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:
- separation of duties
- role based access control
- the four eyes principle where tasks are reviewed
But how do you achieve this in your organisation, are there any automated tools which can make the admin's role a lighter one? Drop us your suggestions by the contact form and I'll update as I receive them.
Update 1:
Hal Pomeranz dropped us a note pointing towards his article on the SANS Forensics blog, certainly worth a read!
Brian also dropped us an e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it. At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."
This is a simple and workable arrangement for a small organisation, but how would it scale for a financial institution like Fannie Mae?
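To show what Brian's arrangement gives you in practice, here is an added example (not code from the diary, from Brian, or from any real VCS): a small stand-in for a config repository that records each check-in with its author, a hash of the content and the unified diff that would be e-mailed out, and that enforces the four-eyes rule by refusing to let the author approve their own change. The zone file content, the author names and the class itself are constructed for illustration.

```python
import difflib
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CheckIn:
    version: int
    author: str
    sha256: str
    diff: str                      # unified diff vs. previous version: the text to e-mail
    approved_by: Optional[str] = None


class ConfigAuditTrail:
    """Hypothetical minimal repository for one config file (a zone file, a router config).
    It keeps who changed what, the diff against the prior version, and who reviewed it."""

    def __init__(self, name: str):
        self.name = name
        self.history: List[CheckIn] = []
        self.content = ""

    def check_in(self, new_content: str, author: str) -> CheckIn:
        version = len(self.history) + 1
        diff = "".join(difflib.unified_diff(
            self.content.splitlines(keepends=True), new_content.splitlines(keepends=True),
            fromfile=f"{self.name}@v{version - 1}", tofile=f"{self.name}@v{version}"))
        record = CheckIn(version, author, hashlib.sha256(new_content.encode()).hexdigest(), diff)
        self.history.append(record)
        self.content = new_content
        return record                  # the caller would mail record.diff to the reviewers

    def approve(self, version: int, reviewer: str) -> CheckIn:
        record = self.history[version - 1]
        if reviewer == record.author:  # separation of duties: a second pair of eyes is required
            raise PermissionError("four-eyes: the author cannot approve their own change")
        record.approved_by = reviewer
        return record

    def unapproved(self) -> List[CheckIn]:
        return [r for r in self.history if r.approved_by is None]


# Constructed sample zone file and a later edit that changes one address record.
ZONE_V1 = ("$TTL 3600\n"
           "@ IN SOA ns1.example.org. hostmaster.example.org. (2009012901 7200 900 1209600 3600)\n"
           "@ IN NS ns1.example.org.\n"
           "www IN A 192.0.2.10\n")
ZONE_V2 = ZONE_V1.replace("192.0.2.10", "192.0.2.99")
```

A real deployment would wrap the same idea around a CVS, Subversion or Git commit hook so that the diff and the approval state are generated by the repository rather than by hand.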
Backtrack 4 headsup
Something interesting this way comes! Although it's about seven months since the last BackTrack general release was made, diary reader Sander highlights some interesting additions to the latest version of this hacking stalwart.
The changes include PXE booting and WPA table generation, and can be read about on the BackTrack 4 blog.
Let's hope the guys at remote-exploit.org do not keep us waiting for much longer.