[trustable-software] Trustable Software Engineering

Niall Dalton niall.dalton at gmail.com
Wed Jul 20 14:56:07 UTC 2016


On Wed, Jul 20, 2016 at 4:59 AM, Colin Robbins <colin.robbins at qonex.com>
wrote:

> Some markets recognise the problem, and have approaches to attempt to
> deal with it.
>
> - The finance market has put PCI in place to try and build secure
> architectures.
>
> <snip>

> The reason I think this is so important, is one size does not fit all.
> Markets behave differently, so solutions need to adjust to what is viable
> within that specific market.  In many cases, it will be market conditions
> that need to change, to force a behaviour change.
>


Taking PCI as the example -- it's certainly not sufficient, and it's unclear
it's even necessary. Fully PCI compliant organizations have been breached.
What does an org being PCI compliant tell me? Not much really. (Not being
PCI compliant just tells me the org is so bad or so low volume that they
don't even know how to play the game.. so fair enough, we shouldn't touch
them).

So, great, they have a firewall and paid someone to confirm it. To go back
to Paul's point.. can I trust it? Who knows. Ditto on the other 200
bullet points. Take the common public clouds. Are they compliant? Yep, they
need to be for commercial reasons, and do their audits etc. Talk with the
technical folks though and the conversation goes like "Yes we're Foo
compliant.. blah blah.. now let's talk about actual security".

Playing the curmudgeon comes naturally so let me roll with it: much as
people have started to assume orgs that tout their "agile" methodologies
can't actually build software.. it's common to assume that teams touting
their security based on compliance with flimsy standards are insecure.

(And PCI has nothing to say on far bigger security risks in finance,
esp. capital markets. Every trading organization I've seen has been like
Swiss cheese despite increasing efforts to "secure" things).