Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Developers managing development
(Message started by: Pete Finnigan on Aug 5th, 2006, 6:16pm)

Title: Developers managing development
Post by Pete Finnigan on Aug 5th, 2006, 6:16pm
I just walked into a contract where I was greeted with "There is a movement afoot to turn the entire Oracle development environment over to developers".  Minimal, to no DBA talent there.  

Anyway, my concern (and I have many) revolve around security and standards of the other environments that later integrate with development -- QA and Prod.  

My question:

What security issues exist for QA and Prod when developers get keys to the kingdom on the server where code is tested and later deployed from?   QA & Prod are on different servers, but they can all access each other over the network.   They will have the oracle account -- both Windows and unix servers.  

Any ideas or experience with this would be appreciated.   Maybe it will all just work out fine ....

Thanks,

Malcolm.


Title: Re: Developers managing development
Post by Pete Finnigan on Aug 7th, 2006, 2:18am
Firstly, does the 'oracle' user on the Dev server have access to/control over the other DB environments (thinking .rhosts here). If so, they may effectively get SYSDBA for all environments.
Similarly think about what might be possible/accessible with CREATE DIRECTORY and Java Stored Procedures from the dev box.

Another concern might be privilege creep. E.g. they give their schema user 'strong' privileges (e.g. SELECT ANY) in development, use them as part of the application and then DEMAND them in the other environments or 'the application we have spent six months coding will need a rewrite'.

I would wonder why the developers want this? It may be they just need/want a few more privileges in the dev environment (e.g. for tracing, getting trc files and using tkprof, killing sessions, viewing the V$ tables...) and a 'turf war' has escalated.

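As an added defensive example (not code from this thread or from Pete Finnigan), the Oracle SQL below is the kind of audit a DBA could run against the QA or Prod database to check for the three concerns raised in the reply above: 'ANY' privileges that may have crept in from development, directory objects that expose the server filesystem, and Java policy grants that let stored procedures reach the OS as the oracle account. It assumes it is run from a DBA account and that the built-in accounts listed in the NOT IN clauses are placeholders to be replaced with the site's own exclusion list. The .rhosts question is an OS-level check and is not covered here.

```sql
-- Added example, not from the thread: privilege and exposure audit for QA/Prod.
-- Assumption: run as a DBA user; the excluded built-in accounts are placeholders.

-- 1. Privilege creep: system privileges containing "ANY" held by
--    non-default accounts, and whether the holder is a user or a role.
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type
  FROM dba_sys_privs sp
  LEFT JOIN dba_roles r ON r.role = sp.grantee
 WHERE sp.privilege LIKE '%ANY%'
   AND sp.grantee NOT IN ('SYS', 'SYSTEM', 'DBA',
                          'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')  -- placeholder list
 ORDER BY sp.grantee, sp.privilege;

-- 2. Who holds the DBA role or the Java OS-access roles outside the DBA team.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'JAVASYSPRIV', 'JAVA_ADMIN')
   AND grantee NOT IN ('SYS', 'SYSTEM')                               -- placeholder list
 ORDER BY granted_role, grantee;

-- 3. CREATE DIRECTORY exposure: every directory object, its OS path, and
--    who holds READ/WRITE on it. Paths under the Oracle home or the
--    datafile location deserve a second look.
SELECT d.directory_name,
       d.directory_path,
       tp.grantee,
       tp.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs tp ON tp.table_name = d.directory_name
                            AND tp.owner      = d.owner
 ORDER BY d.directory_path, tp.grantee;

-- 4. Java stored procedures: file and runtime permissions in the Java
--    policy that let a Java SP read/write files or run commands as oracle.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'PUBLIC', 'JAVASYSPRIV', 'JAVA_ADMIN')  -- placeholder list
 ORDER BY grantee, type_name;
```

Running these in development as well and diffing the output against QA and Prod shows exactly which grants the developers are relying on before the "six months of coding will need a rewrite" conversation happens.
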
Title: Re: Developers managing development
Post by Pete Finnigan on Aug 11th, 2006, 6:14am
The entire idea spawned from a place that is grossly understaffed in DBAs and that leaves developers fuming when requests can't be turned over quickly.  Otherwise, there should be no good reason to hand over the keys to the kingdom.    The bizarre thing is, many of the people that will get what they want don't know how to use it. The development manager approached me the other day and said "It would be a good way for his developers to learn more about Oracle".  I think I'll go speak to the HP Admins and ask for root with my rationale being; I think it will enhance my system administration skills.  lol.  

Title: Re: Developers managing development
Post by Pete Finnigan on Aug 14th, 2006, 2:18am
Perhaps the solution is to give one or two of the more experienced developers access to a more privileged account, maybe 'borrowing' them into the DBA group for a couple of weeks to get some basics.


