Geek Answers Handbook

Secure Version Control

I would like your opinion on the topic of "version control", but with a focus on security.

Some common features:

  • allowing access to the source code only with the help of clients (without the possibility of direct access to the source code on the server)

  • granting permission to access only the source code, which I am allowed to modify (that is, the developer should be able to access the source code associated only with his project). Therefore, it should be possible to create user groups and provide different levels of access.

  • tracking changes, checks and statements and the developers who created them ...

  • ... and, of course, I forget something.

What are the most “paranoid” version control systems you know? What functions do they implement?

My goal is to create an environment for developing applications that manage smart data: credit cards, passwords, etc. ... A malicious developer may insert a backdoor or intentionally change some security features. Thus, access to the source code must be strictly controlled. I must admit that my knowledge of version control systems is poor, so I'm afraid setting up SVN can be a difficult task for me.

thanks

+7
version-control security
source share
5 answers

Perforce is widely used in the financial industry, where sometimes there is a problem with code security.

You can configure gatekeepers and access controls to limit code visibility and create audit trails for various actions to match SOX.

+2
source share

I know that those you want are not the ones you want. For example, Clearcase or Serena Dimensions can do all of the above ... but you would be bonkers to want to use them. (ah, I heard you say I'm an administrator, so I don’t want to take this pain. Well, they also require a lot of care and attention - we had 8 Clearcase administrators in the last company I worked for. "I don’t want a nightmare constantly helping users with them. "

So. You may have terrible ones, or you can simply use the friendly, easy-to-use SVN and implement your own tracking tracking (using the HTTP transport and Apache protocols) and access control permissions in each directory. You will also have to protect the final repository on disk, but you have to do this with every SCM, even something like Dimensions saves its database in Oracle - if you had access to an Oracle instance, you could play with the saved bits, so you you still need to ensure this.

+2
source share

Perforce has these features and is a really good imho product.

+1
source share

Use a well-known standard system such as subversion . It can very easily control access to individual projects, and using the authz web server configuration can control individual access to specific files in each project.

The only problem other than the standard one is registration checks. But the web server can easily register this information for you.

Your users will thank you.

+1
source share

github is a git wrapper that provides these functions to the git server. Compared to raw git servers, it especially includes access control and also has useful web interfaces for code for authorized users.

0
source share

More articles:


All Articles