Posted to users@subversion.apache.org by Jo...@hartfordlife.com on 2005/09/07 16:36:14 UTC

Is subversion SOX (sarbanes-oxley) compliant?

All,

I am trying to put together a case to use subversion instead of PVCS at my company (If you could point me to any resources on this, I would appreciate it!) I have been receiving a lot of push back about subversion having security vulnerabilities. See the following:

http://secunia.com/ (http://secunia.com/search/?search=SVN)
or
http://www.cve.mitre.org/ (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)

As you can expect, managers want our SCM to be SOX compliant. PVCS claims to be SOX compliant. Is subversion SOX compliant?

Regards,

Joshua


*************************************************************************
PRIVILEGED AND CONFIDENTIAL: This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Is subversion SOX (sarbanes-oxley) compliant?

Posted by David Weintraub <qa...@gmail.com>.
I went through almost all of those issues, and they seem to be either a 
product that can integrate with Subversion (like Fedora) or a vulnerability 
that has already been fixed in Subversion.

It also appears that Apache may be more secure than svnserve since the 
exploits that were in Subversion itself were from svnserve and not Apache.

It appears, like in most OpenSource software, when a vulnerability is found, 
it is quickly patched. None of these vulnerabilities affect Subversion 
1.12 or higher. Subversion should be fairly secure. Is it bullet proof? 
Probably not, but when a vulnerability is found, if history is any guide, 
it will be quickly patched.

You might want to run Apache instead of svnserve if you feel that will make 
your archives more secure. Maybe using https instead of plain http. Even ssh 
w/ svnserve should be pretty secure.

As others pointed out, SOX compliance has to do with processes, but it looks 
like those processes can be built around Subversion.

On 9/7/05, Joshua.White@hartfordlife.com <Jo...@hartfordlife.com> 
wrote:
> 
> 
> All, 
> 
> I am trying to put together a case to use subversion instead of PVCS at my 
> company (If you could point me to any resources on this, I would appreciate 
> it!) I have been receiving a lot of push back about subversion having 
> security vulnerabilities. See the following: 
> 
> http://secunia.com/ (http://secunia.com/search/?search=SVN) 
> or 
> http://www.cve.mitre.org/ (
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN) 
> 
> As you can expect, managers want our SCM to be SOX compliant. PVCS claims 
> to be SOX compliant. Is subversion SOX compliant? 
> 
> Regards, 
> 
> Joshua 




-- 
David Weintraub
qazwart@gmail.com

Re: Is subversion SOX (sarbanes-oxley) compliant?

Posted by Frank Gruman <fg...@verizon.net>.
Daniel Berlin wrote:

>On Wed, 2005-09-07 at 12:36 -0400, Joshua.White@hartfordlife.com wrote:
>  
>
>>All, 
>>
>>I am trying to put together a case to use subversion instead of PVCS
>>at my company  (If you could point me to any resources on this, I
>>would appreciate it!)  I have been receiving a lot of push back about
>>subversion having security vulnerabilities.  See the following: 
>>
>>http://secunia.com/ (http://secunia.com/search/?search=SVN) 
>>or 
>>http://www.cve.mitre.org/
>>(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN) 
>>
>>As you can expect, managers want our SCM to be SOX compliant.  PVCS
>>claims to be SOX compliant.  Is subversion SOX compliant? 
>>    
>>
>
>
>This question is non-sensible, since SOX is not about what products you
>use, but about the processes and controls in place.
>
>You can certainly be SOX compliant using Subversion, if you wanted to.
>--Dan
Daniel is right.  My company just went through a SOX audit a couple 
months ago. 

SOX really has no rules about what you can and cannot use as long as you 
have the proper access and policy controls in place.  This does include 
access to intellectual property (software code), and the security 
vulnerabilities you mention could have been considered valid at one 
time.  But those items were all addressed in the code already.  The 
three listed on mitre.org all referenced items in the 1.0.x line of 
code, and all were fixed in early 1.1.x code.  So security is definitely 
a priority with this product, and they release patches quickly after 
finding or being made aware of vulnerabilities.  It's software.  Someone 
will always be able to find a way to exploit it somehow.

If you really want a statement of SOX compliance, create one yourself.  
The Good Book details steps to ensure security of the system as well as 
ensuring that all changes made to files in that code are tracked.  
Backup solutions are recommended.  That is the documentation part of 
SOX.  Now you just need to follow through and implement those 
recommendations, and you could very easily be considered SOX compliant.  
THAT is the same thing that PVCS is doing.

And as for passing a SOX audit - good luck.  My experience is that your 
compliance is a subjective decision made by whatever contractor/auditor 
comes in to do it.  There is no black and white to it.

Hope that helps.

Regards,
Frank

Re: Is subversion SOX (sarbanes-oxley) compliant?

Posted by Daniel Berlin <db...@dberlin.org>.
On Wed, 2005-09-07 at 12:36 -0400, Joshua.White@hartfordlife.com wrote:
> 
> All, 
> 
> I am trying to put together a case to use subversion instead of PVCS
> at my company  (If you could point me to any resources on this, I
> would appreciate it!)  I have been receiving a lot of push back about
> subversion having security vulnerabilities.  See the following: 
> 
> http://secunia.com/ (http://secunia.com/search/?search=SVN) 
> or 
> http://www.cve.mitre.org/
> (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN) 
> 
> As you can expect, managers want our SCM to be SOX compliant.  PVCS
> claims to be SOX compliant.  Is subversion SOX compliant? 


This question is non-sensible, since SOX is not about what products you
use, but about the processes and controls in place.

You can certainly be SOX compliant using Subversion, if you wanted to.
--Dan


Re: Is subversion SOX (sarbanes-oxley) compliant?

Posted by Mark Phippard <Ma...@softlanding.com>.
Joshua.White@hartfordlife.com wrote on 09/07/2005 12:36:14 PM:

> I am trying to put together a case to use subversion instead of PVCS at my
> company  (If you could point me to any resources on this, I would appreciate
> it!)  I have been receiving a lot of push back about subversion having
> security vulnerabilities.  See the following:
>
> http://secunia.com/ (http://secunia.com/search/?search=SVN)
> or
> http://www.cve.mitre.org/ (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>
> As you can expect, managers want our SCM to be SOX compliant.  PVCS claims to
> be SOX compliant.  Is subversion SOX compliant?

Our company provides an SCM solution in the OS/400 space.  We used to sell 
PVCS to our customers, now we have our own solution built around 
Subversion. 

1)  Security

Keep in mind that proprietary apps like PVCS are not going to have their 
vulnerabilities published, that does not mean they are more secure. 
Indeed, for anyone to use PVCS they used to have to have full access to 
the archives, which means they could be deleted or otherwise modified 
without PVCS knowing about it.  Newer versions now have a server option 
that resolves this issue if you choose to use it.  I think that is just to 
give some perspective.

2)  SOX

We do a lot with SOX.  A product cannot be SOX compliant or make you SOX 
compliant simply by owning it.  Only YOU and your PROCESSES can be SOX 
compliant.  Subversion can certainly be used to establish a SOX compliant 
process.  That being said, PVCS certainly has support for finer-grained 
ACLs than Subversion does out of the box.  There are excellent hook 
scripts available for Subversion that can get you everything you should 
need and more.

Mark

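Added example, not code from this thread, from Subversion or from any of the posters: the kind of change-control hook script Mark refers to. A Subversion pre-commit hook receives the repository path and transaction name as its two arguments and can veto the commit by exiting non-zero. The two policy rules here are constructed for illustration (every commit must carry a log message; once a tag directory exists under tags/, nothing beneath it may be added, changed or deleted), and they are written as shell functions that read text on stdin so the logic can be exercised without a repository. The svnlook invocations at the bottom are the real Subversion commands that feed them; the "tags/" layout is the conventional one and is assumed.

```shell
#!/bin/sh
# Example Subversion pre-commit hook (constructed for illustration, not the
# project's own). Install as REPOS/hooks/pre-commit; Subversion calls it as
#   pre-commit REPOS TXN
# and refuses the commit if the script exits non-zero. Anything written to
# stderr is shown to the committing user.

# check_log: stdin is the proposed log message. Succeeds only if it contains
# at least one non-whitespace character, so empty or blank messages are
# rejected (an audit trail without change descriptions is worth little).
check_log() {
  grep -q '[^[:space:]]'
}

# check_changes: stdin is the output of `svnlook changed`, one line per
# changed path in the form "<flag><propflag>  <path>" (path begins at
# column 5; directories carry a trailing slash), e.g.
#   A   tags/1.0/
#   U   trunk/src/main.c
#   D   branches/old/
# Policy (constructed): under tags/, the only permitted change is the
# creation of a new tag directory directly beneath tags/. Any other
# addition, update, property change or deletion under tags/ is rejected,
# which keeps released tags immutable.
check_changes() {
  awk '
    BEGIN { bad = 0 }
    {
      path = substr($0, 5)
      if (path ~ /^tags\//) {
        # Allowed: "A   tags/<name>/" creating a brand-new tag directory.
        if ($0 ~ /^A   tags\/[^\/]+\/$/) next
        print "Rejected: " $0 " (contents of tags/ are immutable)" > "/dev/stderr"
        bad = 1
      }
    }
    END { exit bad }
  '
}

# Hook entry point. Only runs when Subversion supplies REPOS and TXN, so the
# functions above can also be sourced and tested on their own.
if [ "$#" -eq 2 ]; then
  REPOS="$1"
  TXN="$2"
  if ! svnlook log -t "$TXN" "$REPOS" | check_log; then
    echo "Commit rejected: a non-empty log message is required." >&2
    exit 1
  fi
  svnlook changed -t "$TXN" "$REPOS" | check_changes || exit 1
fi
```

The split between policy functions and the svnlook plumbing is deliberate: the rules can be unit-tested with hand-written input, and a reviewer (or an auditor) can read the policy without knowing the hook protocol. Note that hooks run with the server's environment, not the committer's, and that a hook only constrains commits made through Subversion; it does not replace filesystem-level protection of the repository itself, which is the point Mark makes about shared-archive access.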