How do you audit your production code?
A number of our readers have highlighted the issues at Fannie Mae. One asked an interesting question regarding what defenses there are against this happening in your organisation. Swa, Adrien and I kicked this around for a few minutes and came up with a short list:
- separation of duties
- role based access control
- the four eyes principle where tasks are reviewed
But how do you achieve this in your organisation? Are there any automated tools which can make the admin's role a lighter one? Drop us your suggestions by the contact form and I'll update as I receive them.
Update 1:
Hal Pomeranz dropped us a note pointing towards his article on the SANS Forensics blog, certainly worth a read!
Brian also dropped us an e-mail saying "One place I worked for used a version control system (CVS in that case) for just about everything -- DNS zone files, IOS router configs, you name it. At least that way, you get an audit trail, and the possibility of auto-emailing diffs when the changes get checked in."
This is a simple and workable arrangement for a small organisation, but how would it scale for a financial institution the size of Fannie Mae?
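To make the two suggestions above concrete, here is an added example (not code from this diary, from Brian's former employer, or from any tool named here) that ties the version-control idea to the four-eyes and separation-of-duties items in the list: a configuration change is checked in, the unified diff that a commit hook would e-mail is produced, a reviewer who is not the author and who holds the approver role must sign off, and only then is the change applied. The zone file contents, user names and roles are constructed for the example.

```python
"""Added example (not from the ISC diary or any tool it mentions): a minimal
change-review trail for configuration files such as DNS zone files or router
configs. A change is recorded, the diff is prepared for mailing to reviewers,
a reviewer other than the author must approve it, and only then is it applied.
Names, roles and zone data are constructed for illustration."""
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample zone file: the "after" version silently repoints www.
ZONE_BEFORE = """$ORIGIN example.com.
@    IN SOA ns1.example.com. hostmaster.example.com. (2009012601 3600 900 1209600 300)
@    IN NS  ns1.example.com.
www  IN A   192.0.2.10
mail IN A   192.0.2.20
"""
ZONE_AFTER = ZONE_BEFORE.replace("2009012601", "2009012602").replace("192.0.2.10", "198.51.100.77")


def unified_diff(old: str, new: str, path: str) -> str:
    """Produce the same unified diff a VCS commit hook would e-mail to reviewers."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))


@dataclass
class Change:
    path: str
    author: str
    old: str
    new: str
    approvals: list = field(default_factory=list)

    @property
    def diff(self) -> str:
        return unified_diff(self.old, self.new, self.path)

    @property
    def change_id(self) -> str:
        # Hash the diff so an approval is bound to exactly this content.
        return hashlib.sha256(self.diff.encode()).hexdigest()[:12]


class ChangeLog:
    """Audit trail plus role-based approval (separation of duties)."""

    def __init__(self, approvers):
        self.approvers = set(approvers)   # only this role may approve
        self.pending = {}                 # change_id -> Change awaiting review
        self.applied = []                 # history of what actually went live

    def check_in(self, change: Change) -> str:
        """Record the change and return the notification a hook would send."""
        self.pending[change.change_id] = change
        return (f"Subject: [config-review] {change.path} change {change.change_id} "
                f"by {change.author}\n\n{change.diff}")

    def approve(self, change_id: str, reviewer: str) -> None:
        change = self.pending[change_id]
        if reviewer == change.author:
            raise PermissionError("four eyes: author may not approve own change")
        if reviewer not in self.approvers:
            raise PermissionError(f"{reviewer} is not in the approver role")
        change.approvals.append(reviewer)

    def apply(self, change_id: str) -> str:
        """Apply only reviewed changes; return the new file content."""
        change = self.pending.pop(change_id)
        if not change.approvals:
            self.pending[change_id] = change   # leave it queued for review
            raise PermissionError("change has no approval")
        self.applied.append((change.change_id, change.author, tuple(change.approvals)))
        return change.new


def demo() -> dict:
    """Walk one change through check-in, blocked shortcuts, review and apply."""
    log = ChangeLog(approvers={"bob", "carol"})
    change = Change("zones/example.com.zone", "alice", ZONE_BEFORE, ZONE_AFTER)
    results = {"mail": log.check_in(change),
               "self_approval_blocked": False, "unapproved_apply_blocked": False}
    try:
        log.approve(change.change_id, "alice")      # author reviewing own work
    except PermissionError:
        results["self_approval_blocked"] = True
    try:
        log.apply(change.change_id)                 # nobody has reviewed it yet
    except PermissionError:
        results["unapproved_apply_blocked"] = True
    log.approve(change.change_id, "bob")            # second pair of eyes
    results["applied"] = log.apply(change.change_id)
    results["history"] = log.applied
    return results


if __name__ == "__main__":
    print(demo()["mail"])
```

The diff is what the reviewer actually reads, so the approval is keyed on a hash of the diff rather than on the file name: if the author amends the change after review, the hash and therefore the approval no longer match. In a real deployment the `ChangeLog` would be backed by the VCS itself, and the approver role would come from the directory rather than a hard-coded set.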
Backtrack 4 headsup
Something interesting this way comes! Although it's about seven months since the last BackTrack general release was made, diary reader Sander highlights some interesting additions to the latest version of this hacking stalwart.
The changes include PXE booting and WPA table generation, and can be read about on the BackTrack 4 blog.
Let's hope the guys at remote-exploit.org do not keep us waiting for much longer.