Whos responsible here?

zig · 08-12-2013 12:17pm #1

Hi,
There is something Im curious of,
I work for a small growing web development company,

We took on a project that where there is a section of the code that works with an app, this code wasnt written by us and is supported by another developer.

We host the site, and use a secure key to access our server.

We are fairly tight on security and approve every IP address of clients when we set up FTP details for them to access their site.

The issue is, this other developer doesnt have a static IP address, so almost daily we need to add their IP address.

This is becoming increasingly frustrating for both us and him. The client is also getting pissed off because that developer cant support his section instantly.

This developer said they cant get a static IP.

Im of the thinking that this is not our problem but Im not sure.

Just wondering what are your thoughts?

Colonel Panic · 08-12-2013 12:58pm

I don't think any of us can say who is responsible.

I'm surprised his IP would change so often. Is he using mobile broadband? Dialup? Remote working?

Anyway, limiting access by IP address is all well and good but how about SFTP and key authentication to control who has access? You mention FTP, as in a totally unencrypted protocol. With SFTP, you'd control access and stop the NSA from snooping

rovoagho · 08-12-2013 1:07pm

True, your clients should be using SFTP. It's not like the old days when it was a bit arcane, setting up an SFTP connection in an FTP client is as simple as setting up an FTP account.

Responsibility doesn't really come into out with the developer, you either need to take them at their word and come up with a workaround, or drop them. Can you not set them up with VPN access, or a simple tunnel?

msq · 08-12-2013 7:15pm

Maybe it is a good time to review your change management and go-live policy? Can't see the point of external developer accessing production environment (if I got it right).
Give him secured access to avn or git, to dev server and that should be sufficient for all of you.

oscarBravo · 08-12-2013 7:45pm

^ this

The company that maintain our website wanted FTP access to our web server. I told them it would be a cold day in hell before I'd run FTP on our live web server. They have write access via SSH to a mercurial repository I control, and they push changes to it. When I've reviewed the changes, I pull them from there to the web server.

jester77 · 09-12-2013 11:56am

If you want to keep it cleanish, you could add his code repo to your code base using a submodule. It's the most elegant of solutions but it would keep both code bases separate.

When the other party is ready for release they can inform you and you update their submodule reference on the live system.

jimmycrackcorm · 09-12-2013 1:17pm

Create vpn access for him to access your own internal site. Even logmein hamachi is free. Then you manage the actual release.

srsly78 · 09-12-2013 1:42pm

As suggested, use vpn or generate a keypair for each customer. For my remote work, I vpn connect to customers lan - then I use my private key for my version control access.

White listing IP addresses is not really proper security. Also as others have suggested, surely FTP is a misprint? You don't actually use that right?

Having different IP address is completely normal, some people work using a laptop from cafés or from home or Thailand or wherever.

zig · 11-12-2013 12:55pm

Thanks everyone, some good suggestions here, and yes I think we may have to review our overall process for situations like this.

Whos responsible here?

Comments