Posted to users@subversion.apache.org by Jo...@hartfordlife.com on 2005/09/07 16:36:14 UTC
Is subversion SOX (sarbanes-oxley) compliant?
All,

I am trying to put together a case to use subversion instead of PVCS at my company (If you could point me to any resources on this, I would appreciate it!) I have been receiving a lot of push back about subversion having security vulnerabilities. See the following:

http://secunia.com/ (http://secunia.com/search/?search=SVN)
or
http://www.cve.mitre.org/ (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)

As you can expect, managers want our SCM to be SOX compliant. PVCS claims to be SOX compliant. Is subversion SOX compliant?

Regards,

Joshua

*************************************************************************
PRIVILEGED AND CONFIDENTIAL: This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information. If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Is subversion SOX (sarbanes-oxley) compliant?
Posted by David Weintraub <qa...@gmail.com>.
I went through almost all of those issues, and they seem to be either a
product that can integrate with Subversion (like Fedora) or a vulnerability
that has already been fixed in Subversion.
It also appears that Apache may be more secure than svnserve since the
exploits that were in Subversion itself were from svnserve and not Apache.
It appears, like in most OpenSource software, when a vulnerability is found,
it is quickly patched. None of these vulnerabilities affect Subversion
1.12 or higher. Subversion should be fairly secure. Is it bullet proof?
Probably not, but when a vulnerability is found, if history is any guide, it
will be quickly patched.
You might want to run Apache instead of svnserve if you feel that will make
your archives more secure. Maybe using https instead of plain http. Even ssh
w/ svnserve should be pretty secure.
As others pointed out, SOX compliance has to do with processes, but it looks
like those processes can be built around Subversion.
On 9/7/05, Joshua.White@hartfordlife.com <Jo...@hartfordlife.com>
wrote:
>
>
> All,
>
> I am trying to put together a case to use subversion instead of PVCS at my
> company (If you could point me to any resources on this, I would appreciate
> it!) I have been receiving a lot of push back about subversion having
> security vulnerabilities. See the following:
>
> http://secunia.com/ (http://secunia.com/search/?search=SVN)
> or
> http://www.cve.mitre.org/ (
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>
> As you can expect, managers want our SCM to be SOX compliant. PVCS claims
> to be SOX compliant. Is subversion SOX compliant?
>
> Regards,
>
> Joshua
>
--
David Weintraub
qazwart@gmail.com
Re: Is subversion SOX (sarbanes-oxley) compliant?
Posted by Frank Gruman <fg...@verizon.net>.
Daniel Berlin wrote:
>On Wed, 2005-09-07 at 12:36 -0400, Joshua.White@hartfordlife.com wrote:
>
>
>>All,
>>
>>I am trying to put together a case to use subversion instead of PVCS
>>at my company (If you could point me to any resources on this, I
>>would appreciate it!) I have been receiving a lot of push back about
>>subversion having security vulnerabilities. See the following:
>>
>>http://secunia.com/ (http://secunia.com/search/?search=SVN)
>>or
>>http://www.cve.mitre.org/
>>(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>>
>>As you can expect, managers want our SCM to be SOX compliant. PVCS
>>claims to be SOX compliant. Is subversion SOX compliant?
>>
>>
>
>
>This question is non-sensible, since SOX is not about what products you
>use, but about the processes and controls in place.
>
>You can certainly be SOX compliant using Subversion, if you wanted to.
>--Dan
>
Daniel is right. My company just went through a SOX audit a couple
months ago.
SOX really has no rules about what you can and cannot use as long as you
have the proper access and policy controls in place. This does include
access to intellectual property (software code), and the security
vulnerabilities you mention could have been considered valid at one
time. But those items were all addressed in the code already. The
three listed on mitre.org all referenced items in the 1.0.x line of
code, and all were fixed in early 1.1.x code. So security is definitely
a priority with this product, and they release patches quickly after
finding or being made aware of vulnerabilities. It's software. Someone
will always be able to find a way to exploit it somehow.
If you really want a statement of SOX compliance, create one yourself.
The Good Book details steps to ensure security of the system as well as
ensuring that all changes made to files in that code are tracked.
Backup solutions are recommended. That is the documentation part of
SOX. Now you just need to follow through and implement those
recommendations, and you could very easily be considered SOX compliant.
THAT is the same thing that PVCS is doing.
And as for passing a SOX audit - good luck. My experience is that your
compliance is a subjective decision made by whatever contractor/auditor
comes in to do it. There is no black and white to it.
Hope that helps.
Regards,
Frank
Re: Is subversion SOX (sarbanes-oxley) compliant?
Posted by Daniel Berlin <db...@dberlin.org>.
On Wed, 2005-09-07 at 12:36 -0400, Joshua.White@hartfordlife.com wrote:
>
> All,
>
> I am trying to put together a case to use subversion instead of PVCS
> at my company (If you could point me to any resources on this, I
> would appreciate it!) I have been receiving a lot of push back about
> subversion having security vulnerabilities. See the following:
>
> http://secunia.com/ (http://secunia.com/search/?search=SVN)
> or
> http://www.cve.mitre.org/
> (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>
> As you can expect, managers want our SCM to be SOX compliant. PVCS
> claims to be SOX compliant. Is subversion SOX compliant?
This question is non-sensible, since SOX is not about what products you
use, but about the processes and controls in place.
You can certainly be SOX compliant using Subversion, if you wanted to.
--Dan
Re: Is subversion SOX (sarbanes-oxley) compliant?
Posted by Mark Phippard <Ma...@softlanding.com>.
Joshua.White@hartfordlife.com wrote on 09/07/2005 12:36:14 PM:
> I am trying to put together a case to use subversion instead of PVCS at
> my company (If you could point me to any resources on this, I would
> appreciate it!) I have been receiving a lot of push back about subversion
> having security vulnerabilities. See the following:
>
> http://secunia.com/ (http://secunia.com/search/?search=SVN)
> or
> http://www.cve.mitre.org/
> (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>
> As you can expect, managers want our SCM to be SOX compliant. PVCS
> claims to be SOX compliant. Is subversion SOX compliant?
Our company provides an SCM solution in the OS/400 space. We used to sell
PVCS to our customers, now we have our own solution built around
Subversion.
1) Security
Keep in mind that proprietary apps like PVCS are not going to have their
vulnerabilities published; that does not mean they are more secure.
Indeed, for anyone to use PVCS they used to have to have full access to
the archives, which means they could be deleted or otherwise modified
without PVCS knowing about it. Newer versions now have a server option
that resolves this issue if you choose to use it. I think that is just to
give some perspective.
2) SOX
We do a lot with SOX. A product cannot be SOX compliant or make you SOX
compliant simply by owning it. Only YOU and your PROCESSES can be SOX
compliant. Subversion can certainly be used to establish a SOX compliant
process. That being said, PVCS certainly has support for finer-grained
ACLs than Subversion does out of the box. There are excellent hook
scripts available for Subversion that can get you everything you should
need and more.
Mark
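Frank's point that the process must guarantee every change is tracked, and Mark's that Subversion hook scripts can supply the controls PVCS offers out of the box, both come down to a pre-commit hook that refuses commits violating a written policy. The script below is an added example, not code from this thread or from the Subversion project. It assumes an illustrative policy: each log message must reference a change ticket of the form CHG-nnnn and carry at least ten non-blank characters, and only the listed release managers may change anything under `trunk/release/`. The ticket pattern, the protected prefix and the usernames `alice`, `bob` and `carol` are constructed sample values; the `svnlook` commands are the real Subversion utility, invoked only when Subversion passes the repository path and transaction name.

```shell
#!/bin/sh
# Added example: a Subversion pre-commit hook enforcing two change-control
# policies of the kind a SOX process might document. Not code from the thread
# or from the Subversion project. Subversion calls the hook as
#   pre-commit REPOS-PATH TXN-NAME
# and aborts the commit if the hook exits non-zero; anything written to
# stderr is shown to the committer.
#
# Assumed (illustrative) policy:
#   1. Every log message has at least MIN_LOG_LEN non-blank characters and
#      references a change ticket matching TICKET_PATTERN (e.g. CHG-1234).
#   2. Paths under PROTECTED_PREFIX may only be changed by RELEASE_MANAGERS.
# The prefix, pattern and usernames below are constructed sample values.

MIN_LOG_LEN=10
TICKET_PATTERN='CHG-[0-9]+'
PROTECTED_PREFIX='trunk/release/'
RELEASE_MANAGERS='alice bob'

# validate_log_message MESSAGE
# Returns 0 when MESSAGE satisfies policy 1, 1 otherwise.
validate_log_message() {
  msg=$1
  # Count only non-whitespace characters so padding cannot meet the minimum.
  trimmed=$(printf '%s' "$msg" | tr -d '[:space:]')
  [ "${#trimmed}" -ge "$MIN_LOG_LEN" ] || return 1
  printf '%s' "$msg" | grep -Eq "$TICKET_PATTERN" || return 1
  return 0
}

# is_release_manager USER
# Returns 0 when USER is listed in RELEASE_MANAGERS.
is_release_manager() {
  for u in $RELEASE_MANAGERS; do
    [ "$u" = "$1" ] && return 0
  done
  return 1
}

# check_protected_paths USER CHANGED
# CHANGED is the output of `svnlook changed`: two status characters, two
# spaces, then the path. Returns 0 when USER may make every listed change,
# 1 when a protected path is touched by someone who is not a release manager.
check_protected_paths() {
  user=$1
  changed=$2
  if printf '%s\n' "$changed" | while IFS= read -r line; do
      [ -n "$line" ] || continue
      path=$(printf '%s' "$line" | cut -c5-)
      case "$path" in
        "$PROTECTED_PREFIX"*)
          if ! is_release_manager "$user"; then
            echo "Commit rejected: $user is not allowed to change $path" >&2
            exit 1   # leaves the pipeline subshell with status 1
          fi
          ;;
      esac
    done
  then
    return 0
  else
    return 1
  fi
}

# Hook entry point: runs only when invoked by Subversion with REPOS and TXN.
if [ "$#" -eq 2 ]; then
  REPOS=$1
  TXN=$2
  LOG=$(svnlook log -t "$TXN" "$REPOS")
  AUTHOR=$(svnlook author -t "$TXN" "$REPOS")
  CHANGED=$(svnlook changed -t "$TXN" "$REPOS")
  if ! validate_log_message "$LOG"; then
    echo "Commit rejected: log message needs at least $MIN_LOG_LEN characters" \
         "and a change ticket reference (CHG-nnnn)." >&2
    exit 1
  fi
  check_protected_paths "$AUTHOR" "$CHANGED" || exit 1
  exit 0
fi
```

Installed as `hooks/pre-commit` in the repository, the hook makes the policy enforceable rather than advisory, and the repository history then doubles as the audit evidence an auditor asks for: every revision carries a ticket reference, and protected paths only ever change under a release manager's name. The two checks are kept in functions so the policy can be exercised against sample `svnlook` output without a live repository.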