
List:       secprog
Subject:    Re: Source code monitoring for a large development group
From:       "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway ! be>
Date:       2002-11-27 17:01:13


I worked as a contractor for a large cross-ocean development company. They were using
CASE tools (Teamwork) as well as a strong version control/build management tool
(ClearCase). In order to make the development process as clean as possible, it was
separated into 4 independent teams: Analysts, q&a, C developers and config management.

Analysts are responsible for the analysis as well as code review.
q&a is responsible for pre release tests.
C developers are developing.
The config management team maintains the version control system as well as the
build system. They are also responsible for reviewing the changes made to the sources
and makefiles.


Craig Minton wrote:

> How does one monitor source code in an organization with hundreds of developers?  We
> are trying to focus on writing more secure code, but with hundreds of developers
> and sometimes contractors, how do you really know that backdoors or easter eggs
> were not hidden?  Code reviews are good, but it still does not give one good
> assurance that other code is not being slipped in.  Also, forcing all developers to
> use the same version control and requiring that the code be built from that version
> control should help ensure that only the code in version control goes to
> production.  It is at this point where searching the code becomes necessary, but it
> is also very laborious.  Any ideas would be greatly appreciated.

