[trustable-software] Git auditing tool

Jim MacArthur jim.macarthur at codethink.co.uk
Mon Dec 19 14:08:08 UTC 2016


On 18/12/16 11:00, trustable at panic.fluff.org wrote:
> The final piece I'd raise here is that the git-audit is a post-action
> review, and in many industries this post-action review would immediately
> cause the imposition of fines. For example with
>
>     https://en.wikipedia.org/wiki/BCBS_239
>
> where you would fail the accuracy requirement of something committed
> into production and so be met with fines.

Presumably, though, you'd not be fined for using something like this in 
addition to your existing controls? I don't intend to replace existing 
means of controlling roles in a project, although I would like to keep 
the data in the same place and format, which will need some work.

>
> This sort of issue would again raise its head for organisations wanting
> to meet ITIL best practice
>
>     https://en.wikipedia.org/wiki/ITIL
>
> where the Change Management Board review policy is mandated on any
> configuration item.
>
> This sort of control will become yet further required with the
>
>    https://en.wikipedia.org/wiki/Data_Protection_Directive
>
> where we have to provide reasoning for the use of data sources within
> our systems, so taking it further back up the development timeline to the
> Business's desire to deliver a solution.
>
>    So, I don't believe there is much value in this unless we can find a
> way in which to embed this into the development process itself and
> prevent aberrant transactions during the process.
>

Thank you for the links, which I'll have a read through. It may be 
though that this is not useful for tightly controlled development 
environments; right now I'm more interested in improving development in 
safety and security-critical components which are not so tightly 
controlled (e.g. Linux).

Jim
