[trustable-software] Git auditing tool
Jim MacArthur
jim.macarthur at codethink.co.uk
Mon Dec 19 14:08:08 UTC 2016
On 18/12/16 11:00, trustable at panic.fluff.org wrote:
> The finally piece I'd raise here is that the git-audit is a post-action
> review, and in many industries this post-action review would immediately
> cause the imposition of fines. For example with
>
> https://en.wikipedia.org/wiki/BCBS_239
>
> where you would fail the accuracy requirement of something committed
> into production and so be met with fines.
Presumably, though, you'd not be fined for using something like this in
addition to your existing controls? I don't intend to replace existing
means of controlling roles in a project, although I would like to keep
the data in the same place and format, which will need some work.
>
> This sort of issue would again raise its head for organisations wanting
> to meet ITIL best practice
>
> https://en.wikipedia.org/wiki/ITIL
>
> where the Change Management Board review policy is mandated on any
> configuration item.
>
> This sort of control will become yet further required with the
>
> https://en.wikipedia.org/wiki/Data_Protection_Directive
>
> where we have to provide reasoning for the use of data sources within
> our systems, so taking it further back up the development timeline to the
> Business's desire to deliver a solution.
>
> So, I don't believe there is much value in this unless we can find a
> way in which to embed this into the development process itself and
> prevent aberrant transactions during the process.
>
Thank you for the links, which I'll have a read through. It may be
though that this is not useful for tightly controlled development
environments; right now I'm more interested in improving development in
safety and security-critical components which are not so tightly
controlled (e.g. Linux).
Jim