[trustable-software] Segregation of Duties

trustable at panic.fluff.org trustable at panic.fluff.org
Mon Apr 3 15:09:44 UTC 2017


On Mon, 3 Apr 2017, Paul Sherwood wrote:
>
> In addition to this, I think some of us here believe that there's a need 
> for independence between developer and test creator, and/or developer 
> and reviews/merge. Certainly this is required in (eg) finance software 
> where there would be obvious incentives for a developer handling both 
> ends to backdoor his/her own code.
>
> I'm not sure we've actually reasoned this thoroughly yet, but if true, I 
> think it would mean that no single party could create trustable software 
> without proof of external oversight.
>
There are a wide range of compliance and governance requirements which 
require Segrgation of Duties

https://en.wikipedia.org/wiki/Separation_of_duties

In particular standards such as the EGDPR and SOX these duties are 
opreational and about invocation rather than development.

I'm led to believe on SIL-2 and DOD-178 for audit requirements this 
segragation of duties is requires. I'd love to see some pointers to where 
this is written down

 	Edmund


-- 
========================================================================
Edmund J. Sutcliffe                     Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org>               Implemented and Communicated
<http://panic.fluff.org>                +44 (0) 7976 938841




More information about the trustable-software mailing list