[trustable-software] Trustable Systems: A Chain of Custody
trustable at panic.fluff.org
Thu Nov 24 08:46:48 UTC 2016
On Tue, 22 Nov 2016, John Lewis wrote:
> Given this lack of maturity, Agile development/Cloud deployment is low
> CMMI (1-2). And for Trustable Systems, a Level 5 is required. I remember
> going to NASA/IBM Houston in 1990 (the first CMMI 5) and being shown the
> paper-based Chain of Custody system they had. The audit team was bigger
> than the Dev team and that raises the issues of checking the CoC (an
> automated tool?) and what happens when it is broken?
I absolutely agree Agile is lacking experience and for a series of
problems other techniques are used. What I'm experiencing is that people
are using it to break problems up into smaller tighter streams of work,
and what becomes the big issue is the Integration of Integrations
problem into Environments of delivery, often performed by ProdOps or
DevOps or SecOps approaches which feel very like the 1970s mainframe
issues, being driven by COBIT and ITIL.
I feel the techniques used in large enterprises have things to
offer particularly around building the CoC for these systems. In terms of
the loss of CoC particularly in PCI compliant environments, this is a
major issue, and it is treated as a forensic issue to be audited and
reported as quickly as possible to the QSA and other reporting bodies.
[Though I have to admit press management sometimes hides the details]
Do we have a long way to go on these things? Absolutely, but the
approach of automated testing and automated reporting is making this a
more controlled delivery of these things. If you want to see someone who
at least discusses this approach then let me point you at some work now 4
years old from HP Firmware development
http://www.agileleadershipnetwork.org/wp-content/uploads/2012/12/Young-LargeScaleAgielDevelopment-2012-01-20.pdf
Edmund
--
========================================================================
Edmund J. Sutcliffe Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org> Implemented and Communicated
<http://panic.fluff.org> +44 (0) 7976 938841