Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Secure version control

I would like to have your opinion about the subject "version control", but focusing on security.

Some common features:

  • allowing to access to source code using clients only (no way to access the source code on the server directly)

  • granting permission to access only the source code which I am allowed to modify (i.e.: a developer should be able to access the source code related to his project only). So it should be possible to create user groups and granting different levels of access.

  • tracking modifications, check-ins, and check-outs and the developers who made them...

  • ...and, surely, I am forgetting something.

Which are the most "paranoid" version control systems that you know? Which features do they implement?

My aim is creating an enviroment for developing applications managing sensible data: credit cards, passwords, and so on... A malicious developer may insert backdoor or intentionally alter some security features. So the access to the source code should be controlled strictly. I must confess that my knowledge of version control systems is poor, so, I fear, customizing SVN could be a hard task for me.

Thanks

like image 226
Filippo Bonato Avatar asked Jan 11 '10 17:01

Filippo Bonato


3 Answers

Perforce is widely used in the Finance Industry where security of code is sometimes an issue.

You can setup gatekeepers and access controls to restrict visibility of code and produce audit trails for various activities for SOX compliance.

like image 148
Robert Christie Avatar answered Nov 15 '22 18:11

Robert Christie


I know that the ones you want are not the ones you want. For example, Clearcase or Serena Dimensions can do all the above... but you'd be bonkers to want to use them. (ah, I hear you say, I'm the admin so I don;t have to take that pain. Well, these also require lots of care and attention - we had 8 Clearcase admins at the last company I worked for. You don't want the nightmare of continually helping users with them).

So. You can have the horrible ones, or you could just use the friendly, easy-to-use SVN and implement your own checkout-tracking (using http transport and Apache logs), and slap access control permissions on every directory. You'd also have to secure the end-repository on disc, but you have to do this with every SCM, even something like Dimensions stores its database in Oracle - if you had access to Oracle instance, you could fiddle with the saved bits, so you have to secure that anyway.

like image 2
gbjbaanb Avatar answered Nov 15 '22 17:11

gbjbaanb


Perforce has those features and is a really good product imho.

like image 1
Klaus Byskov Pedersen Avatar answered Nov 15 '22 19:11

Klaus Byskov Pedersen