Your company sells toys online; the business is supported by an e-commerce web application developed in-house. Alice is the software developer on the development team who is in charge of the online EC system. The latest software release has just been approved by management and deployed by Bob, a member of the operations team who is responsible for system operations. Cherry ran into an error message, HTTP 500 Internal Server Error, out of the blue and turned to Alice for support. Alice told Cherry to go to Bob instead, and Cherry is now complaining that Alice is irresponsible and pushing the problem away. As a security professional, which of the following is the best way to deal with this situation?
A. Do nothing. Let Cherry go to Bob for help.
B. Give Alice a soft reminder to be responsible as she is the developer in charge.
C. Escalate the incident to Alice’s supervisor.
D. Notify the human resource department to keep a record of this misconduct.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Do nothing. Let Cherry go to Bob for help.
Separation of duties
Separation of duties (SoD; also known as segregation of duties) is the concept of requiring more than one person to complete a task. In business, dividing a single task among more than one individual is an internal control intended to prevent fraud and error.
There are some good practices to apply in this case:
- Separation of duties
- Service desk
- Awareness and Training
It would violate the principle of separation of duties for Alice, the developer, to handle the incident in the production system that Bob operates and maintains.
Before the incident is analyzed, we don’t know why it happened: is it an attack, a misconfiguration, an implementation error, a design flaw, or a software bug? The incident should be reported to the service desk so that it can be analyzed, prioritized, mitigated, dispatched, solved, or escalated as appropriate.
The organization should provide awareness and training courses so that the incident reporting procedure is understood and followed.
Separation of duties is an interesting topic when it comes to DevOps in software development.
Suggested References for DevOps
- DevOps and Separation of Duties
- Separation of Duties: How to Conform in a DevOps World
- DevOps: Getting Past Audit