
We have a set of Linux servers that our developers use to compile software for the products we sell. We are currently in a stand-off between our network security people, who say the servers need to be patched, and the developers, who state that patching would change the end binaries produced by the build server.
I cannot find any information online about patching build servers, and would like to know if anyone else here is in the same situation and how you have solved it.

Denham
  • Ha. Usually it's the developers wanting updates and the network security people denying Internet access... – Michael Hampton Jul 30 '15 at 19:57
  • I'm with Michael on this one; normally developers would want to test on the latest patches/updates to ensure it works for a customer who is likely to have more updates. – Drifter104 Jul 30 '15 at 20:54
  • While the tables are being turned, why not have the security people enumerate every binary being changed by every patch they wish to apply (and codewise what the change does) so the developers can properly calculate the risk? – ErikE Jul 31 '15 at 08:39

1 Answer

This is a tough one, and there isn't really a good answer.

From a high-level standpoint, the correct answer is "Isolate this system from external sources, and make a note in your security plan that this server is not accessible from anything but a specific, heavily firewalled subnet." That likely makes the developers' lives more difficult, but should satisfy security and them at the end of the day.

From a "trying to win in both directions" standpoint you could, depending on your security team's methods/desires and how the development software is set up, create a "build directory tree" of sorts where you have a static build of the libraries used by the developers, built separately from the ones the OS uses.

I.e., instead of having the developers use /usr/lib/* as the source of libraries for their builds, make a /build/lib directory and recompile a static copy of all those items there.

At the end of the day though, the real answer is: if the developers need a static, unpatched system for their software to build, then someone high up needs to sign something that says "yeah, we'll just have to risk it".

Gravy
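One way to turn the developers' concern into something measurable rather than an argument, as an added example that is not part of the original answer: snapshot the hashes of the build output tree before a patch, rebuild afterwards, and diff the two manifests. The sample "before" and "after" trees below are constructed for illustration; the script assumes a Linux box with GNU coreutils (sha256sum, mktemp) and diff.

```shell
#!/bin/sh
# Added example: detect whether an OS patch changed the artifacts a build produces.
set -eu

# Write a sorted "path  sha256" manifest of every regular file under $1 to $2.
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
      done ) > "$out"
}

# Compare a baseline manifest ($1) with the current one ($2).
# Prints each path whose hash changed, appeared or vanished; returns 1 on drift.
check_drift() {
    changed=$(diff "$1" "$2" | awk '/^[<>]/ { print $2 }' | sort -u)
    if [ -z "$changed" ]; then
        return 0
    fi
    printf '%s\n' "$changed"
    return 1
}

# Constructed sample: the same build run before and after a simulated OS patch.
# Only the static library differs, which is exactly what a review should surface.
demo_drift() {
    work=$(mktemp -d)
    mkdir -p "$work/before" "$work/after"
    printf 'binary-v1' > "$work/before/app"
    printf 'lib-v1'    > "$work/before/libfoo.a"
    printf 'binary-v1' > "$work/after/app"
    printf 'lib-v2'    > "$work/after/libfoo.a"   # changed by the patch
    build_manifest "$work/before" "$work/baseline.txt"
    build_manifest "$work/after"  "$work/current.txt"
    changed=$(check_drift "$work/baseline.txt" "$work/current.txt" || true)
    rm -rf "$work"
    printf '%s\n' "$changed"
}

demo_drift
```

In practice the baseline manifest is taken from a known-good release build and kept with the release; a non-empty drift list after patching tells both teams precisely which outputs the patch touched, and an empty one ends the debate.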