[trustable-software] Where does Trustable Sit ?

Andrew Banks andrew at andrewbanks.com
Mon Jun 25 14:25:00 BST 2018


The English language is a pain... we have a number of words that mean very similar things, e.g.:
	* Integrity
	* Trustable
	* Trustworthy and associated, Trustworthiness

As a reference, an HMG-funded initiative (the Trustworthy Software Foundation [1], née the Trustworthy Software Initiative, née the Software Security, Dependability and Resilience Initiative) produced PAS-754, which has been revised and expanded to BS 10754 "Systems Trustworthiness"; it may be worth a read.

	[1] https://en.wikipedia.org/wiki/Trustworthy_Software_Foundation

A


-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.trustable.io] On Behalf Of trustable at panic.fluff.org
Sent: 21 June 2018 09:59
To: Trustable software engineering discussion
Subject: [trustable-software] Where does Trustable Sit ?

I've been thinking about where 'Trustable' sits in terms of comparable 
standards and outcomes.

For example, is it
  * a process and operating standard, such as ITIL or ISO20000
  * a coding standard like OWASP and CERT secure coding standards
  * a risk reduction standard like IEC61508 or ISO27000
  * an evidence production standard like ISA500 or SIL

'Trustable' has never been about language or technology specific choices, 
and so it doesn't really fit with say CERT or MISRA Standards

Certainly for 'Trustable' the discussions around evidence and consistency 
of evidence seem to point to something like ISA500 or SIL.

However, there are evidence requirements associated with ITIL and COBIT 
frameworks for example. It could be argued that from ITIL and COBIT 
you get to make the evidence up to demonstrate you're doing the right 
thing. This may be true for SIL and ISA500 as well but I've not worked 
with them enough to be entirely sure....

Also for 'Trustable' we are defining a series of expected behaviours
just as MISRA does with their compilers or ITIL does with Change Requests.

Yet again this week, I've been involved with a project where the 
behaviours which I would take as self-evident around version control and 
validation turn out to be beyond the capabilities of yet another 
international organisation of reasonable size and software background.

Certainly in the Hypothesis which began these discussions

https://gitlab.com/trustable/overview/wikis/hypothesis-for-software-to-be-trustable

We were clear that particular actions had to occur, like ITIL, and we 
declared that particular evidence should be visible.

So does trustable sit in the space like ITIL defining behaviour, like 
ISA500 defining what evidence is required and like ISA700 or the Police 
and Criminal Evidence Act in the UK specifying how evidence is collected 
and used to form an opinion ?

Have we missed something in our definitions about how the evidence is to 
be judged ?

Edmund

  -- 
========================================================================
Edmund J. Sutcliffe                     Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org>               Implemented and Communicated
<http://panic.fluff.org>                +44 (0) 7976 938841

