Configuration management is usually confused with change management, while they are different. Configuration management captures actual changes to software code, end-user documentation, operations documentation, developer tools and settings, program build tools and settings, disaster recovery planning documentation, and other details of the change.
A centralized code repository helps in managing changes and tracking when and where revisions to the code have been done. This repository can also track versions of an application so that application can easily roll back to a previous version if a new version is not compatible.
Security of Code Repositories
Code repositories primarily act as a central storage point for developers to place their source code.
During and after development, program source code resides in a central source code repository. Source code must be protected from both unauthorized access and unauthorized changes. Controls to enforce this protection include
- System isolation: The system should be reachable by only authorized personnel, and no other persons. It also should not be reachable from the Internet, nor should it be able to access the Internet.
- No bulk access: Developers should not, under any circumstances, be able to check out all modules.
- No direct source code access: No one should be able to access source code directly.
- System hardening: Intruders must be kept out of the OS itself. We have discussed about details how this protection, in security architecture and engineering domain.
- Check-in approval: All check-ins should require approval of another person.
- Restricted administrator access: Only authorized personnel should have administrative access to the source code repository software, as well as the underlying operating system, and other components.
- Activity reviews: The activity logs for a source code repository should be periodically reviewed to make sure that there are no unauthorized check-outs or check-ins.
- Restricted access to critical code: Few developers should have access to the most critical code, including code used for security functions.
- Retention of all versions: The source code repository should maintain copies of all previous versions of source code.
- Restricted developer access: Only authorized developers and any other personnel should have access to source code.
- Limited, controlled checkout: Developers should only be able to check out modules when specifically authorized.
Go CISSP’s Home