Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure version control

Tags:

version-control

security

I would like to have your opinion about the subject "version control", but focusing on security.

Some common features:

  • allowing to access to source code using clients only (no way to access the source code on the server directly)

  • granting permission to access only the source code which I am allowed to modify (i.e.: a developer should be able to access the source code related to his project only). So it should be possible to create user groups and granting different levels of access.

  • tracking modifications, check-ins, and check-outs and the developers who made them...

  • ...and, surely, I am forgetting something.

Which are the most "paranoid" version control systems that you know? Which features do they implement?

My aim is creating an enviroment for developing applications managing sensible data: credit cards, passwords, and so on... A malicious developer may insert backdoor or intentionally alter some security features. So the access to the source code should be controlled strictly. I must confess that my knowledge of version control systems is poor, so, I fear, customizing SVN could be a hard task for me.

Thanks

like image 226
Filippo Bonato Avatar asked Jan 11 '10 17:01

Filippo Bonato

3 Answers

Perforce is widely used in the Finance Industry where security of code is sometimes an issue.

You can setup gatekeepers and access controls to restrict visibility of code and produce audit trails for various activities for SOX compliance.

like image 148
Robert Christie Avatar answered Nov 15 '22 18:11

Robert Christie

I know that the ones you want are not the ones you want. For example, Clearcase or Serena Dimensions can do all the above... but you'd be bonkers to want to use them. (ah, I hear you say, I'm the admin so I don;t have to take that pain. Well, these also require lots of care and attention - we had 8 Clearcase admins at the last company I worked for. You don't want the nightmare of continually helping users with them).

So. You can have the horrible ones, or you could just use the friendly, easy-to-use SVN and implement your own checkout-tracking (using http transport and Apache logs), and slap access control permissions on every directory. You'd also have to secure the end-repository on disc, but you have to do this with every SCM, even something like Dimensions stores its database in Oracle - if you had access to Oracle instance, you could fiddle with the saved bits, so you have to secure that anyway.

like image 2
gbjbaanb Avatar answered Nov 15 '22 17:11

gbjbaanb

Perforce has those features and is a really good product imho.

like image 1
Klaus Byskov Pedersen Avatar answered Nov 15 '22 19:11

Klaus Byskov Pedersen
Sign in to Comment

Related questions

Security jQuery Mobile + Phonegap
Hash table vulnerability (property overwrite)?
Trouble instantiating a JavaKeyStore from file
Where to store password salt and how to get it
How can I get a list of Groups and User names for a given folder in C#
Bitstamp - new authentication in C# - signature
How do I write a manifest file for the new java security barriers
Which is more secure - iframe or CORS - for creating a widget intended for embedding on 3rd party sites?
String prediction through comparisons
How to prevent CRLF injection (Http response splitting) in php
Sharing REST tokens between servers
What's the difference between a reverse proxy and a gateway? [duplicate]
Nginx remove Secure Flag to Cookies from proxied server
How to identify Post Data is hacked using anti-forgery token
Mobile authentication using QR in web application
Django-OAuth-ToolKit : Generating access token's for multiple resources/services using client credentials grant type of OAuth2.0
What are the microarchitectural details behind MSBDS (Fallout)?
Anonymous users in Rails -- security considerations?
How can you prevent Man in the Browser attacks?
Are GUIDs generated on Windows 2003 safe to use as session IDs?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!