[trustable-software] Fwd: Notes from the call with Robert Seacord

Robert Seacord Robert.Seacord at nccgroup.trust
Fri Nov 4 17:31:31 UTC 2016


I don't know anything about OGC or PCI, but the description of the ISO/IEC process is inaccurate.  There used to be a certification for the C standard, and it was run by the individual countries (NIST in the US, BSI in the UK), not by ISO or IEC.  Now there isn't even a certification for the C standard; there is nothing to be lost by anyone.

TS 17961 was published by ISO in 2013, without a certification process, and without being squashed by lawyers.  Static analysis tools have been allowed to exist for much longer than that, without being attacked by the lawyers of any certification organization.

Thanks,
rCs

-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.veristac.io] On Behalf Of Paul Sherwood
Sent: Friday, November 04, 2016 7:16 AM
To: Discussion about trustable software engineering <trustable-software at lists.veristac.io>
Cc: McCall, Gavin (G.F.) <gavin.mccall at visteon.com>
Subject: Re: [trustable-software] Fwd: Notes from the call with Robert Seacord

I've heard some cynicism expressed privately about this whole idea, for
example:

>  ... organisations such as ISO/IEC, OGC & PCI are in the business of 
> selling compliance certifications. This generates revenue for them. If 
> you automate these things, so they don't need auditing, they get VERY 
> upset that you stole their cheese and quickly try to find ways to 
> remove you from discussions in this arena. On the whole they simply 
> have larger revenue and legal teams than you could fight. They are 
> fundamentally a pyramid selling scheme based upon FUD, while the 
> consultancy companies are a Ponzi Scheme for partners in their firms 
> based on the pyramid selling scheme for their employees.
