[trustable-software] Segregation of Duties
trustable at panic.fluff.org
trustable at panic.fluff.org
Mon Apr 3 15:09:44 UTC 2017
On Mon, 3 Apr 2017, Paul Sherwood wrote:
>
> In addition to this, I think some of us here believe that there's a need
> for independence between developer and test creator, and/or developer
> and reviews/merge. Certainly this is required in (eg) finance software
> where there would be obvious incentives for a developer handling both
> ends to backdoor his/her own code.
>
> I'm not sure we've actually reasoned this thoroughly yet, but if true, I
> think it would mean that no single party could create trustable software
> without proof of external oversight.
>
There are a wide range of compliance and governance requirements which
require Segrgation of Duties
https://en.wikipedia.org/wiki/Separation_of_duties
In particular standards such as the EGDPR and SOX these duties are
opreational and about invocation rather than development.
I'm led to believe on SIL-2 and DOD-178 for audit requirements this
segragation of duties is requires. I'd love to see some pointers to where
this is written down
Edmund
--
========================================================================
Edmund J. Sutcliffe Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org> Implemented and Communicated
<http://panic.fluff.org> +44 (0) 7976 938841
More information about the trustable-software
mailing list