Re: Paranoia, NIH, and Beyond

by coreolyn (Parson)
on Jan 10, 2001 at 19:08 UTC


in reply to Paranoia, NIH, and Beyond
in thread A Fit on NIH

Where I work security is a huge issue. What I've resolved must be done before CPAN modules can be used in this environment is to create an internal CPAN, which will allow for several things:

    1.) Keep track of who has what versions of which modules on what systems. This has several benefits: internal points of contact for module usage, back tracking should a security problem be discovered, revision history, and disaster recovery.

    2.) Allows for new CPAN releases to 'cook' out in the world without forcing established applications to run on a new module version just because CPAN has released an upgrade and they moved to a new server.

    3.) Centralizes perl users and distribution, which provides internal avenues for problem resolution that are missing from the accepted practices of this organization. (Who does production call when a perl problem arises?)

I'm not paranoid about CPAN, but I view it as an I.V. from which a large organization must design its own needle. What you say about code review is very true, and no matter how important security is, the type of code review you speak of is impractical. But like Perl, its capriciousness cannot be left completely unchecked except at one's own level of acceptable risk.

coreolyn
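As an added example (not from the post or from PerlMonks), a Perl script that produces the per-host inventory item 1 above calls for and flags drift from the version list an internal CPAN would publish; the approved-list file and its tab-separated format are assumptions:

```perl
#!/usr/bin/perl
# Per-host inventory of installed Perl modules, compared against the
# version list the internal CPAN says this host should have.
# Assumptions (not from the post): the optional approved list is a file of
# "Module<TAB>Version" lines exported from the internal CPAN, and modules
# were installed through the normal toolchain so that ExtUtils::Installed
# can locate their .packlist files.
use strict;
use warnings;
use ExtUtils::Installed;
use Sys::Hostname qw(hostname);
use POSIX qw(strftime);

my $approved_file = shift @ARGV;   # optional path to the approved list
my %approved;
if ( defined $approved_file ) {
    open my $fh, '<', $approved_file or die "Cannot open $approved_file: $!";
    while ( my $line = <$fh> ) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ( $module, $version ) = split /\t/, $line, 2;
        $approved{$module} = $version;
    }
}

my $host = hostname();
my $inst = ExtUtils::Installed->new();

# One tab-separated record per module: host, module, version, install date,
# status. "Perl" itself appears as a pseudo-module and is kept, since the
# core version matters for back-tracking as much as add-on modules do.
for my $module ( sort { $a cmp $b } $inst->modules ) {
    my $version = $inst->version($module);
    $version = 'undef' unless defined $version;

    # Newest mtime of the module's installed files approximates the install date.
    my $newest = 0;
    for my $file ( $inst->files($module) ) {
        my $mtime = ( stat $file )[9];
        next unless defined $mtime;
        $newest = $mtime if $mtime > $newest;
    }
    my $installed = $newest ? strftime( '%Y-%m-%d', localtime $newest ) : 'unknown';

    # OK = matches the approved list, DRIFT = differs, UNTRACKED = the
    # internal CPAN has no record of the module, '-' = no list given.
    my $status = !%approved ? '-' : !exists $approved{$module} ? 'UNTRACKED'
               : $approved{$module} eq $version ? 'OK' : 'DRIFT';
    print join( "\t", $host, $module, $version, $installed, $status ), "\n";
}
```

Run it on each host and collect the output centrally; a DRIFT or UNTRACKED row is exactly the case item 1 wants to be able to find when a security problem in a module is announced.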

PerlDirect from ActiveState May Help
by dave_aiello (Pilgrim) on Jan 10, 2001 at 21:43 UTC
    Don't take what I am saying here as a recommendation, but I know that ActiveState provides a service called PerlDirect which attempts to address some of these issues. From what I have heard, they do QA on Perl as well as popular modules and bundle them into a special, periodic distribution that is aimed at large corporations.

    I have recommended that this service be evaluated by one of my corporate clients, because they give integration testing tasks to people from a "UNIX Core Group" which knows a great deal more about the core of the Solaris operating system than it does Perl. In situations like the one I am describing, it is often up to the individual development teams to perform extensive unit testing on their finished products because the IT department only certifies the modules that are distributed with Perl itself. Needless to say, this is not an optimal solution.

    Dave Aiello
    Chatham Township Data Corporation
