JP2011059847A - Program release management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To effectively prevent unauthorized release by a malicious developer while entrusting a final release operation to a developer. <P>SOLUTION: A release management system 10 includes: a network connection storage 26 equipped with a storage device divided into a development side region 38 and a production side region 40 and a control part 36; a developer terminal 12; an approver terminal 14; a librarian terminal 16; a release terminal 18; a production unit 34; a transfer server 24; and a release server 32. The transfer server 24 issues a command to transfer a specific program stored in a development side region 38 to a production side region 40 to the control part 36 based on a command input from the librarian terminal 16. A release server 32 issues the command to obtain the program stored in the production side region 40 to the control part 36 based on the command input from the release terminal 18, and transfers the obtained program to the production unit 34. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a program release management system, and more particularly to a technique that can effectively prevent the release of a malicious program by a malicious developer while leaving the choice of the release time of the program to the developer.

  In the development of a large-scale system, it is indispensable to move a large number of completed program modules to the production environment. Of course, it takes a lot of time and effort, but the difference between the old and new versions, It was also a hotbed for various human error.

In order to improve such a situation, a program management system described in Patent Document 1 has already been proposed.
This program management system automatically shifts the release management of programs that were previously done on a paper basis to a computer system that uses a database, and automatically implements development programs that were manually performed on the production machine. Since it also has a function to do so, it becomes possible to reduce the burden on the developer and human error.
JP 2002-287969 A

  However, in the case of the program management system of Patent Document 1, the approver checks whether or not all tests have been completed for the program stored in the temporary registration place by the developer, and the approval information is provided by the approver. Since the property management function automatically moves the program to the main registration location when it is entered into the system, there is a problem that the time of the actual release cannot be controlled flexibly.

In other words, it is not uncommon for the release timing to change from time to time for the convenience of the client company, and the final release timing is usually adjusted by the developer as a contact. For this reason, the developer wants to realize the final release by his own operation, while only preparing for the release in advance.
Like the program management system described above, when the approval information by the approver is automatically released, it is inconvenient because the developer's hope cannot be fulfilled.

On the other hand, instead of releasing the program immediately after approval by the approver, keep it in a temporary registration location until the required time arrives, and leave the final release to the developer. This time, there are concerns about security issues.
In other words, the developer can freely access the temporary registration location, so if an approved program stored in the temporary registration location is replaced by an unauthorized one by a malicious developer, it will be transferred to the production environment as it is. There is a danger.

  For example, each time an electronic payment is made by a member of an EC site, if a falsification module that incorporates logic to transfer the amount of money to the developer's account is stored in a temporary registration location, the falsification module is activated at the same time as the service in the EC site Unauthorized remittance will be started.

  In recent years, with the development of the so-called Japanese version of the SOX law, there has been a need for strengthening internal control of companies, and it has begun to point out the importance of ensuring a system that can prevent fraud by system developers. Yes.

  The present invention has been devised to solve such a current problem, and it is possible to effectively prevent unauthorized release by a malicious developer while entrusting the final release operation to the developer himself. The purpose is to provide a management system.

In order to achieve the above object, a program release management system according to claim 1 includes a storage device partitioned by a development side area and a production side area, a network connection storage having a control unit, and a program developer operating the program release management system. The developer terminal to be operated, the approver terminal operated by the approver of the program, the librarian terminal operated by the librarian belonging to a department independent of the department to which the developer and the approver belong, and the release operated by the developer A command for transferring a specific program file stored in the development side area to the production side area based on a command input from the terminal, the production machine where the developed program is released, and the librarian terminal. Based on the transfer server issued to the network-attached storage and the command input from the release terminal And issuing a command for acquiring the program file stored in the production-side area to the network-connected storage, and a release server for transferring the acquired program file to the production machine, the network-connected storage The control unit performs the following processes (1) to (3).
(1) Permit access to the developer side area from the developer terminal, approver terminal and transfer server.
(2) In response to the command from the transfer server, the program file stored in the development area is moved to the production area.
(3) Upon receiving a command from the release server, the program file stored in the production area is transferred to the release server.

  The program release management system according to claim 2 is the system according to claim 1, further comprising a proxy server interposed between the librarian terminal and the transfer server. A command is issued to the transfer server via the proxy server, and an access monitoring server is interposed between the release terminal and the release server. The release terminal issues a command to the release server via the access monitoring server. The proxy server and the access monitoring server have a function of recording an access log.

  The program release management system according to claim 3 is the system according to claim 2, and further includes at least a development segment, a production access segment, a DMZ segment, and a production segment as mutually independent network segments. The developer terminal, approver terminal, and librarian terminal belong to the development segment, the release terminal belongs to the production access segment, and the proxy server, transfer server, and access monitoring server belong to the DMZ segment. The production machine and release server belong to the production segment, the development side area of the network connection storage is connected to the development side segment, the production side area is connected to the DMZ segment, and the access destination of the release terminal is Access monitoring above A firewall that fulfills the function of limiting the access destination of the access monitoring server to the release server and the function of limiting the access source to the production area of the network-connected storage to the release server. It is a feature.

According to a fourth aspect of the present invention, there is provided a program release management system comprising: a storage device partitioned in a development side area and a production side area; a network connection storage including a control unit; a developer terminal operated by a program developer; Approver terminal operated by the approver, release terminal operated by the developer, production machine from which the developed program is released, and target program specific information included in the application data transmitted from the developer terminal And the specific information of the target program included in the approval data sent from the above approver terminal, and if both match, issue a command to transfer the target program from the development side area to the production side area Based on the command issuing server to be executed and the command from this command issuing server, A transfer server that issues a command for transferring a ram file to the production-side area to the network-connected storage, and a program file stored in the production-side area based on a command input from the release terminal. It is composed of a release server that issues commands to the network-attached storage and transfers the acquired program file to the production machine, and the controller of the network-attached storage executes the following processes (1) to (3) It is characterized by doing.
(1) Permit access to the developer-side area from the developer terminal and approver terminal.
(2) In response to the command from the transfer server, the program file stored in the development area is moved to the production area.
(3) Upon receiving a command from the release server, the program file stored in the production area is transferred to the release server.

According to the program release management system of the first aspect, after the program file is transferred from the development side area of the network-attached storage to the production side area based on the command from the transfer server, the program release management system is based on the command from the release server. Unless it is transferred to the production machine, it is forbidden to manipulate the program file at all, so the developer cannot tamper with the contents.
On the other hand, the developer can issue the command from the release terminal to the release server to transfer the program file stored in the production area to the production machine. Control becomes possible.

In this system, the approver accesses the development side area of the network-attached storage from the approver terminal, confirms that no illegal logic is mixed in the developed program file, and transfers the program file to the librarian. Give approval. At this time, the approver transmits specific information such as the file name, file size, and time stamp of the program file to the librarian.
Upon receiving this, the librarian accesses the transfer server, checks the list of program files stored in the development area on the display of the librarian terminal, and approves based on the file name, file size, and timestamp. Specify the downloaded program file and issue a command to request its transfer.
In this way, the approver communicates the program file specific information stored in the development area to the librarian, and the librarian selects the program file to be transferred based on this information, so that the approver approves it. Immediately after the completion of the transfer to the production side area, it is possible to restrain the developer from falsifying the program file stored in the development side area with changing the file size and time stamp. it can.

  In the program release management system according to claim 2, data exchange between the librarian terminal and the transfer server is recorded in the proxy server one by one, and data exchange between the release terminal and the release server is recorded in the access monitoring server one by one. Therefore, it is possible to suppress fraud by librarians and developers.

  In the program release management system according to claim 3, a DMZ segment functioning as a buffer zone is provided between the development segment and the production segment, and the development segment and the production access segment directly connect to the production segment. Since access is regulated by a firewall, fraudulent acts on the production machine can be prevented more effectively.

  In the case of the program release management system according to claim 4, the command issuing server matches the application data and the approval data, and when both match, the program file transfer command is automatically issued to the transfer server. Since it is provided, it becomes possible to realize the processing efficiency.

  FIG. 1 is a network configuration diagram showing the overall configuration of a program release management system 10 according to the present invention. A developer terminal 12 operated by a developer, an approver terminal 14 operated by an approver, and a librarian operation. The librarian terminal 16, the release terminal 18 operated by the developer, the development machine 20 on which the program under development is installed, the proxy server (proxy server) 22, the transfer server 24, and the network attached storage (NAS) 26, an access monitoring server 28, a firewall 30, a release server 32, and a production machine 34 on which a developed program is installed.

  The network connection storage 26 includes a control unit 36, a development side area 38, and a production side area 40. The control unit 36 is realized by the CPU of the network connection storage 26 operating according to the OS and the control program stored in the ROM. The development side area 38 and the production side area 40 are composed of hard disks mounted on the network connection storage 26, and are logically partitioned by the control unit 36. The development side area 38 is connected to the development segment 42 via the control unit 36. The production-side area 40 is connected to a DMZ (DeMilitarized Zone) segment 44 via the control unit 36.

  Generally, a network connection storage (NAS) has a plurality of connection ports for network cables. Usually, in order to improve fault tolerance, it is used to take a redundant configuration in which a plurality of network cables are connected to the same segment. In this embodiment, one of the network cables is connected to the development segment 42 and the other is connected to the other segment. By connecting to the DMZ segment 44, the network-attached storage 26 has been successfully placed at the above position.

The developer terminal 12, the approver terminal 14, the librarian terminal 16, and the development machine 20 described above are installed on the development segment.
The proxy server 22, transfer server 24, and access monitoring server 28 are installed on the DMZ segment 44.
The release terminal 18 is installed on the production access segment 48.
The release server 32 and the production machine 34 are installed on the production segment 51.

  Instead of installing the access monitoring server 28 on the DMZ segment 44 as described above, the access monitoring server 28 may be installed on the path between the actual access segment 48 and the firewall 30 (position α in the figure).

The program developer uses the developer terminal 12 to code the program, completes the unit test and the integration test on the development machine 20, and then stores the program object file in the development side area 38 of the network connection storage 26. .
Next, the developer informs the approver who is a direct manager or the like that the developed program file is stored in the development side area 38 of the network connection storage 26.

Upon receiving the request, the approver accesses the network connection storage 26 from the approver terminal 14 and reads the corresponding program file stored in the development area 38.
Next, the approver checks the contents of this program file and confirms that it has the functions according to the specifications, that all specified test items have been cleared, and that no illegal modules are included. To do.
As a result, the approver who has determined that there is no problem notifies the developer of the approval.

Upon receiving the request, the developer creates an application form 46 for requesting the transfer of the program to the production area 40 and submits it to the librarian.
Here, the librarian means a profession belonging to a third party that is completely independent from the department to which the developer or approver belongs.
In the above application form, the file name, file size, storage location (directory in the development area 38), time stamp (storage date and time), etc. of the developed program file are described.

  Before and after this, the approver also creates an approval form 47 that permits the transfer of the program and submits it to the librarian. In this approval document, the file name, file size, storage location (directory in the development side area), time stamp (storage date and time), etc. of the approved program file are described.

The librarian who receives the application form and approval form compares the contents of both documents, confirms that the file name, file size, storage location, and time stamp match, and then proceeds to the program file transfer procedure. To do.
The program file transfer procedure in the system 10 will be described below with reference to the timing chart of FIG.

  First, the librarian accesses the proxy server 22 from the librarian terminal 16 and issues a transfer request command (S10). This transfer request command includes the IP address of the librarian terminal 16, the file name of the program file to be transferred, and the storage location.

Upon receiving this, the proxy server 22 checks that the IP address included in the transfer request command matches the IP address of the librarian terminal 16 set in advance (S12), and then sends the transfer request command to the transfer server. The data is transferred to 24 (S14).
Thereafter, the proxy server 22 records data exchange with the librarian terminal 16 in a log file (S16).
Only the librarian terminal 16 can authenticate the proxy server 22, and even if accessed from the developer terminal 12 and the approver terminal 14, the proxy server 22 determines that authentication is not possible.

  Upon receiving the transfer request command, the transfer server 24 checks that the IP address included in the transfer request command matches the preset IP address of the proxy server 22 (S18), and then transfers the transfer request command to the network. It is issued to the connected storage 26 (S20).

Receiving this, the control unit 36 of the network connection storage 26 checks that the IP address included in the transfer command matches the IP address of the transfer server 24 set in advance (S22), and then the corresponding program file. Is transferred from the development area 38 to the production area 40 (S24).
After the transfer is completed, a transfer completion notification is transmitted from the network connection storage 26 → transfer server 24 → proxy server 22 → librarian terminal 16 (S26, S28, S30).

As will be described later, the program file once transferred to the production side area 40 is not accepted except for the transfer command from the release server 32, and from the developer terminal 12, the approver terminal 14, and the librarian terminal 16. Access is completely denied by the control unit 36.
For this reason, a malicious developer cannot embed an unauthorized module in a program file before release.

When the librarian issues a transfer request command to the transfer server 24 via the proxy server 22, the list information of the program files stored in a specific directory in the development side area 38 is transferred from the transfer server 24 via the proxy server 22. Is transmitted to the librarian terminal 16.
The librarian, on the other hand, looks at the list of program files displayed on the display and confirms whether the time stamp and file size of the target program file match those described in the approval form 47. Issue a transfer request command.
As a result, immediately after approval by the approver and until transfer to the production side area 40 is completed, the developer altered the program file stored in the development side area 38 with a change in file size or time stamp. Even if an act is performed, this can be detected before transfer, and unauthorized release can be effectively prevented.

  Next, a procedure for releasing a program file in the system 10 will be described with reference to the timing chart of FIG.

  First, the developer moves to the glass-covered release terminal room 49, accesses the access monitoring server 28 from the release terminal 18 installed therein, and issues a release request command (S32).

Receiving this, the access monitoring server 28 checks that the IP address included in the release request command matches the preset IP address of the release terminal 18 (S34), and then transfers the release request command to the release server 32. (S36).
Thereafter, the access monitoring server 28 records the exchange of data with the release terminal 18 in a log file (S38).

  Upon receiving the release request command from the access monitoring server 28, the release server 32 checks that the IP address included in the release request command matches the preset IP address of the access monitoring server 28 (S40). The transfer request of the corresponding program file is transmitted to the network connection storage 26 (S42).

  In response to this, the control unit 36 of the network-connected storage 26 checks that the IP address included in the program transfer request matches the preset IP address of the release server 32 (S44), and then loads the corresponding program file. It is taken out from the production side area 40 and transferred to the release server 32 (S46).

Receiving this, the release server 32 transfers the program file to a predetermined directory of the production machine 34 (S48). As a result, the release of the program file for the production machine 34 is completed (S50).
Thereafter, a release completion notification (e-mail) 50 is transmitted from the release server 32 to the e-mail address of the librarian.

Upon receiving this, the librarian confirms that the program file transferred by the librarian is reflected in the production machine 34, and manages the entire release management.
If the release date is not released to the production machine 34 even after the scheduled release date, the status is confirmed with the developer, and a command for deleting the program file transferred to the production side area 40 is issued when the release is postponed or canceled. If the developer wants to release the deleted program file again, the developer starts over with the application form.

Due to the filtering function of the firewall 30, the release terminal 18 can send a release request command to the release server 32 only via the access monitoring server 28, and cannot send it directly.
Since access logs are recorded one by one in the access monitoring server 28, it is impossible for a malicious developer to release an unauthorized program to the production machine 34 via the release terminal 18.

  In the above, the librarian visually matches the description contents of the application form 46 submitted by the developer with the description contents of the approval form 47 submitted by the approver, and the contents (file name, file size, timestamp) Shows an example in which a transfer request command is issued from the librarian terminal 16 to the proxy server 22 after confirming that the developer is completely matched and has not been tampered with by the developer. It is also possible to automate the issuance of transfer request commands.

FIG. 4 shows a system configuration example in this case, and is not different from the system configuration example of FIG. 1 except that a command issuing server 52 is provided on the development segment 42.
In this case, the developer accesses the command issuing server 52 from the developer terminal 12 via the network and transmits application data 54. The application data 54 includes at least the file name, time stamp, and size of the program. Further, the approver accesses the command issuing server 52 from the approver terminal 14 via the network and transmits the approval data 56. This approval data 56 also includes at least the file name, time stamp, and size of the program.

The processing procedure of the command issuing server 52 will be described below with reference to the flowchart of FIG.
First, when receiving the application data 54 from the developer terminal 12 and the approval data 56 from the approver terminal 14 (S60, S62), the command issuing server 52 compares the application data with the approval data (S64), and the file name If the time stamp and size match (S66 / Y), a command issue confirmation screen is displayed on the display of the librarian terminal 16 (S70). Although not shown, the confirmation screen lists the description content of the application data 54 and the description content of the approval data 56.

On the other hand, when the librarian clicks the confirmation button on the screen (S72 / Y), the command issuing server 52 issues a transfer request command to the proxy server 22 (S74).
After that, the target program file is transferred from the development side area 38 of the network connection storage 26 to the production side area 40 in accordance with the procedure shown in FIG.

If the contents of the application data 54 and the approval data 56 do not match (S66 / N), an error screen is displayed on the display of the librarian terminal 16 (S68).
On this error screen, the data items that do not match are highlighted, and the librarian contacts the developer and approver to confirm the facts regarding the location.

  If the file name, time stamp, and size match, the command issue confirmation screen is displayed on the display of the librarian terminal 16 as described above, and the transfer request is immediately requested without waiting for the confirmation input by the librarian. The command issuing server 52 may be controlled to issue a command.

It is a network block diagram which shows the whole structure of the program release management system concerning this invention. It is a timing chart which shows the procedure at the time of transferring a program file from the development side area | region of a network connection storage to a production | generation side area | region. It is a timing chart which shows the procedure at the time of releasing the program file stored in the production side area of the network connection storage to the production machine. It is a network block diagram which shows the other structural example of the program release management system which concerns on this invention. It is a flowchart which shows the operation | movement procedure of a command issuing server.

10 Program release management system
12 Developer terminal
14 Approver terminal
16 Librarian terminal
18 Release terminal
20 Development machine
22 Proxy server
24 Transfer server
26 Network attached storage
28 Access monitoring server
30 Firewall
32 release server
34 Production machine
36 Control unit
38 Development side
40 Production area
42 Development segment
44 DMZ segment
46 Application Form
47 Approval Form
48 Production access segment
49 Release terminal room
51 Production segment
52 Command issuing server
54 Application data
56 Approval data

Claims (4)

A network-attached storage with a storage device and a control unit partitioned into a development-side area and a production-side area;
A developer terminal operated by the program developer,
An approver terminal operated by the approver of the program,
A librarian terminal operated by a librarian belonging to a department independent of the department to which the developer and approver belong;
A release terminal operated by the developer,
The production machine where the developed program will be released,
A transfer server that issues a command for transferring a specific program file stored in the development-side area to the production-side area to the network-connected storage based on a command input from the librarian terminal;
A release server that issues a command for acquiring a program file stored in the production-side area to the network-connected storage based on a command input from the release terminal and transfers the acquired program file to the production machine And consists of
A program release management system, wherein the control unit of the network-attached storage executes the following processes (1) to (3).
(1) Permit access to the developer side area from the developer terminal, approver terminal and transfer server.
(2) In response to the command from the transfer server, the program file stored in the development area is moved to the production area.
(3) Upon receiving a command from the release server, the program file stored in the production area is transferred to the release server. A proxy server is interposed between the librarian terminal and the transfer server, and the librarian terminal issues a command to the transfer server via the proxy server,
An access monitoring server is interposed between the release terminal and the release server, and the release terminal issues a command to the release server via the access monitoring server.
The program release management system according to claim 1, wherein the proxy server and the access monitoring server have a function of recording an access log. As a network segment independent from each other, it has at least a development segment, production access segment, DMZ segment, production segment,
The above developer terminal, approver terminal and librarian terminal belong to the development segment,
The above release terminal belongs to the production access segment,
The proxy server, transfer server, and access monitoring server belong to the DMZ segment.
The above production machine and release server belong to the production segment,
The development side area of the network attached storage is connected to the development side segment, and the production side area is connected to the DMZ segment.
A function for limiting the access destination of the release terminal to the access monitoring server, a function for limiting the access destination of the access monitoring server to the release server, and limiting an access source to the production area of the network-connected storage to the release server The program release management system according to claim 2, further comprising a firewall that performs a function. A network-attached storage with a storage device and a control unit partitioned into a development-side area and a production-side area;
A developer terminal operated by the program developer,
An approver terminal operated by the approver of the program,
A release terminal operated by the developer,
The production machine where the developed program will be released,
The target program specific information included in the application data transmitted from the developer terminal is compared with the target program specific information included in the approval data transmitted from the approver terminal. A command issuing server that issues a command requesting transfer of the program from the development side area to the production side area;
Based on the command from this command issuing server, a transfer server that issues a command for transferring the program file stored in the development side area to the production side area to the network connection storage;
A release server that issues a command for acquiring a program file stored in the production-side area to the network-connected storage based on a command input from the release terminal and transfers the acquired program file to the production machine And consists of
A program release management system, wherein the control unit of the network-attached storage executes the following processes (1) to (3).
(1) Permit access to the developer-side area from the developer terminal and approver terminal.
(2) In response to the command from the transfer server, the program file stored in the development area is moved to the production area.
(3) Upon receiving a command from the release server, the program file stored in the production area is transferred to the release server.

Images