Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] [newbie:] Secure development environment
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Wed, 14 Feb 2001 12:12:30 +0100
  • Message-id: <20010214121230.J4807@xxxxxxxxx>
* Andreas Otto wrote on Tue, Feb 13, 2001 at 09:34 +0000:
> Guess I didn't express what we want to do. And for sure we have
> different understandings of the term "secure development environment".

I see. You don't want to develop security-certified software but
have a secure workplace.

> Here is what we want to do with the box:
>
> Since we will start a "case study" about tele-working the CVS
> repository should be reachable from the "outside world" as well as from
> within our network. Therefore I thought using SSH for connecting to
> the box might be a good idea.

Yep, SSH or VPN.

> Later we will have IBM Websphere and a DB2 Database running on the
> machine.

Probably the DB gets connected by localhost only? That's good
for firewalling, just block it :)

> So all in all it is more a Webserver but I will still try to make it
> as secure as possible. Which is as I understand a big compromise in
> terms of convenience.

I would never recommend using such a machine as a CVS server
if your sources are important. You have to think about the
possibility of a root compromise of this box if you offer a lot
of public services. Webserver or CGI or whatever may have bugs,
and SSH and all the code.

I would suggest using two hosts: one secured for development and
one publicly accessible for demonstrations (or whatever). The
developer could use a webserver only accessible by localhost (but
it's slow to use a browser via SSH X11 forwarding :)). Maybe you
could r/o export a directory via NFS to the webserver or similar.
Of course you should block as much as possible by the firewall in
front of the servers.

oki,

Steffen

--
This letter was generated by machine,
it therefore bears neither signature nor seal.
