List: secprog
Subject: Re: Source code monitoring for a large development group
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway ! be>
Date: 2002-11-27 17:01:13
I worked as a contractor for a large cross-ocean development company. They were using case tools (teamwork) as well as a strong version control/build management tool (clearcase). In order to make the development process as clean as possible, it was separated into 4 independent teams: Analysts, q&a, C developers and config management.
Analysts are responsible for the analysis as well as code review.
q&a is responsible for pre-release tests.
C developers are developing.
The config management team maintains the version control system as well as the build system. They are also responsible for reviewing the changes made to the sources and makefiles.
Craig Minton wrote:
> How does one monitor source code in an organization with hundreds of developers? We are trying to focus on writing more secure code, but with hundreds of developers and sometimes contractors, how do you really know that backdoors or easter eggs were not hidden? Code reviews are good, but it still does not give one good assurance that other code is not being slipped in. Also, forcing all developers to use the same version control and requiring that the code be built from that version control should help ensure that only the code in version control goes to production. It is at this point where searching the code becomes necessary, but it is also very laborious. Any ideas would be greatly appreciated.
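One way to do the check Craig describes (that only what is in version control reaches production), as an added example that is not part of this thread: compare the tree the build is about to use against a file manifest exported from the version control system, and flag anything untracked, edited after checkout, or missing. The manifest export, the sample tree and the helper names are constructed here for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash file content, so an edited file is caught, not only an added one."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_build_tree(build_dir, manifest):
    """Compare the build tree with a manifest exported from version control.

    manifest maps a relative path to the sha256 of its checked-in content.
    Returns files slipped in (untracked), edited after checkout (modified),
    or absent from the build (missing).
    """
    found = {}
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, build_dir).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    return {
        "untracked": sorted(set(found) - set(manifest)),
        "modified": sorted(p for p in found if p in manifest and found[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(found)),
    }


def demo():
    """Constructed sample: two tracked files, one slipped-in file, one edited file."""
    tracked = {"src/main.c": b"int main(void) { return 0; }\n", "Makefile": b"all: main\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in tracked.items()}
    with tempfile.TemporaryDirectory() as build_dir:
        for rel, content in tracked.items():
            path = os.path.join(build_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        # A file that never went through version control.
        with open(os.path.join(build_dir, "src", "extra.c"), "wb") as fh:
            fh.write(b"/* not in the repository */\n")
        # A tracked file edited on the build machine after checkout.
        with open(os.path.join(build_dir, "Makefile"), "ab") as fh:
            fh.write(b"\tcp src/extra.c src/\n")
        return audit_build_tree(build_dir, manifest)
```

In practice the manifest would be produced by the version control tool itself at the labelled revision, and a non-empty report should stop the build rather than merely be logged.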