[trustable-software] Trustable Systems: A Chain of Custody

trustable at panic.fluff.org
Thu Nov 24 08:46:48 UTC 2016


On Tue, 22 Nov 2016, John Lewis wrote:

> Given this lack of maturity, Agile development/Cloud deployment is low
> CMMI (1-2). And for Trustable Systems, a Level 5 is required. I remember 
> going to NASA/IBM Houston in 1990 (the first CMMI 5) and being shown the 
> paper-based Chain of Custody system they had. The audit team was bigger 
> than the Dev team and that raises the issues of checking the CoC (an 
> automated tool?) and what happens when it is broken?

 	I absolutely agree Agile is lacking experience, and for a series of 
problems other techniques are used. What I'm experiencing is that people 
are using it to break problems up into smaller, tighter streams of work, 
and what becomes the big issue is the Integration of Integrations 
problem into Environments of delivery, often performed by ProdOps, 
DevOps or SecOps approaches, which feel very like the 1970s mainframe 
issues, being driven by COBIT and ITIL.

 	I feel the techniques used in large enterprises have things to 
offer, particularly around building the CoC for these systems. In terms of 
the loss of CoC, particularly in PCI compliant environments, this is a 
major issue, and it is treated as a forensic issue to be audited and 
reported as quickly as possible to the QSA and other reporting bodies.
[Though I have to admit press management sometimes hides the details.]

 	Do we have a long way to go on these things? Absolutely, but the 
approach of automated testing and automated reporting is making this a 
more controlled delivery of these things. If you want to see someone who 
at least discusses this approach, then let me point you at some work, now 4 
years old, from HP firmware development:

http://www.agileleadershipnetwork.org/wp-content/uploads/2012/12/Young-LargeScaleAgielDevelopment-2012-01-20.pdf

 	Edmund

-- 
========================================================================
Edmund J. Sutcliffe                     Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org>               Implemented and Communicated
<http://panic.fluff.org>                +44 (0) 7976 938841


