Security Methodology Using Roles

  • quote:


    the statement made that 'developers can't be trusted' is irresponsible - and is an example of what is wrong with a lot of the cost of doing business in the software industry lately...


    So, I started this thread, and true to most boards, it started an argument. I always regret asking a question to a group of strangers for this very reason. Why is it that everyone thinks they are smarter than everyone else?

    Now, as for the issue, you have all made good points about YOUR environments, but none of you have solved my issue, because none of you can. You don't know enough about my technical, political, and geographical environment to provide all the necessary answers.

    I am not sure that everyone who has given their opinions knows what it is like to work in a huge company, with multiple vendors dictating your service packs, and security procedures.

    Also, my company uses a ton of offshore-support. Which is an oxymoron!! These are my developers that you are asking me to trust. This also means that not one developer would own a job in production, so I am either forced to grant generic access to these people, or give them all individual access, or wake up every time a job fails and one of them pages me.

    In either case, thank you all for your answers.

    Edited by - travlin on 06/26/2003 11:33:27 AM

  • nicely put.

It's not that developers cannot be trusted, it's that they must earn trust. And controls must be implemented, especially now with the Sarbanes-Oxley Act. Stupid mistakes that impact the business are no longer accepted, and shouldn't have been for a long time. The point about developers being locked out when they cause issues is shortsighted and preventable. Lock them out and they get access as needed and as they prove they will not cause issues. They still will, but mistakes are acceptable, recklessness is not.

    Developers are the reason most of us have jobs and the reason the industry is so advanced. However, that's the minority, there are a majority of developers that are poorly trained, or lack experience, or have poor judgement. They look at their issue, not at the overall business. They need control AND education.

    Steve Jones

    sjones@sqlservercentral.com

    http://qa.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • "a majority of developers that are poorly trained, or lack experience, or have poor judgement"

    your true colors are shining through...need i say more?

  • Travlin, are there no options for "junior DBAs" within the environment? Perhaps some local developers and operations folks that can be trained to assist with the load?

    I'll play devil's advocate here because I think the main problem is that you have DBAs and developers looking at an issue from two different sides. DBAs have a responsibility for keeping things ship-tight. Data security is part of their job duties in most companies. Developers, on the other hand are paid to get code out. They are paid to make things work. Sometimes those two sets of responsibilities conflict.

    Don't believe me? Why then did Microsoft pause all of its development efforts to retrain its developers on best practices for security? Think the issue lies with Microsoft? Actually, no. There were more Linux security issues last year than there were Microsoft. The numbers are out there.

    No one thinks security first unless they've been made properly paranoid. How they get that paranoia isn't what's up for debate, whether it be by training or by experience. This applies not only to developers but to DBAs and sysadmins as well.

    So let's go down this road. How many developers have security as part of their job requirements? Check the duties and responsibilities in your own organization. If yours do, you are the minority. Let's go a step further. How many developers, regardless of whether or not they have it in their job duties, have been properly trained on security? Another step: how many developers can go to management and say, "We're going to be delayed due to security concerns," and not get ripped a new one and told to deliver on schedule anyway? When you put these things together, I think you'll be left with the minority.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Sorry, it's what I see. The majority of developers, by sheer numbers, have been developing for less than 5 years. They lack experience by definition; they've been working for a company for less than 5 years.

    Most developers I have met in the last 5 years are poorly trained. They went through some boot camp or quick learn program and don't really understand programming. This is a similar observation on many sites by those people with more than 10 years in this business.

    They are ORs, not ANDs.

    Steve Jones

    sjones@sqlservercentral.com

    http://qa.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • Quite interesting, the subjective part of the discussion.

    Reminds me of an article, I think it was by Barbara Kitchen, on why a lot of projects fail: visibility and communications. Chuck in the word responsibility.

    Let's start with two individuals: attractive, qualified, experienced, job-focused, etc., one the DBA and the other the developer. They talk the same language and obviously understand what the other one is talking about, and I think it's reasonable that they should be able to get along quite nicely, work-wise.

    Start to skew this balance: either of the two less suitable for the DBA or developer job, or both.

    Skew or unbalance the equation a bit more and more.

    Conclusion for me: more standards/rules/frameworks need to be set up and maintained to enable everyone to behave politically correctly. In the end it's the employer/company who is the loser.

    A colleague said at the last Dev Days that with programming, in the end it all comes down to your own character; that includes DBAs, and I can live with that.

    If your mate on the other side of the line needs a bit of training or rules to be set, then just do it; otherwise, where many people are involved, set standards.

    I find the them-and-us argument a bit of a yawn. Management should have smothered it very quickly, but then we live in a real world.

    Lastly, Steve Jones, I have to agree with you.

  • Hi all,

    While silently following this thread as it becomes more or less emotional, it is pretty funny to see the lack of a 'result-oriented' approach.

    Forgive my maybe naive thought, but within one company I like to think that, be it sales, marketing, development, IT administration or whatever, everyone is working TOGETHER, not AGAINST EACH OTHER, on the same goal. While the IT staff certainly can spend the whole day blaming each other, does this improve anything? I guess not.

    I like a good discussion and I'm certainly not afraid of any confrontation, but I don't think a flame war will help travlin with his original question!

    If someone needs to cool down http://www.skop.com/brucelee/index.htm

    Just my 2 cents

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/
