[trustable-software] Where does Trustable Sit ?
Andrew Banks
andrew at andrewbanks.com
Mon Jun 25 14:25:00 BST 2018
The English language is a pain... we have a number of words that mean very similar things, eg:
* Integrity
* Trustable
* Trustworthy and associated, Trustworthiness
As a reference, an HMG funded initiative (the Trustworthy Software Foundation [1], nee the Trustworthy Software Initiative, nee the Software Security, Dependability and Resilience Initiative) produced PAS-754, which has been revised and expanded to BS 10754 "Systems Trustworthiness" may be worth a read.
[1] https://en.wikipedia.org/wiki/Trustworthy_Software_Foundation
A
-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.trustable.io] On Behalf Of trustable at panic.fluff.org
Sent: 21 June 2018 09:59
To: Trustable software engineering discussion
Subject: [trustable-software] Where does Trustable Sit ?
I've been thinking about where 'Trustable' sits in terms of comparible
standards and outcomes.
For example, is it
* a process and operationg standard, such as ITIL or ISO20000
* a coding standard like OWASP and CERT secure coding standards
* a risk reduction standard like IEC61508 or ISO27000
* an evidence production standard like ISA500 or SIL
'Trustable' has never been about language or technology specific choices,
and so it doesn't really fit with say CERT or MISRA Standards
Certainly for 'Trustable' the discussions around evidence and consistency
of evidence seems to point to something like ISA500 or SIL.
However, there are evidence requirements associated with ITIL and COBIT
frameworks for example. It could be argued that the from ITIL and COBIT
you get to make the evidence up to demonstrate you're doing the right
thing. This may be true for SIL and ISA500 as well but I've not worked
with them enough to be entirely sure....
Also for 'Trustable' we are defining a series of expected behaviours
just as MISRA does with their compilers or ITIL does with Change Requests.
Yet again this week, I've been involved with a project where the
behaviours which I would take self evident around version control and
validation turn out to be beyond the capabilities of yet another
international organisations of reasonable size and software background.
Certainly in the Hypothesis which began these discussions
https://gitlab.com/trustable/overview/wikis/hypothesis-for-software-to-be-trustable
We were clear that particular actions had to occur, like ITIL, and we
declared that particularly evidence should be visible.
So does trustable sit in the space like ITIL defining behaviour, like
ISA500 defining what evidence is required and like ISA700 or the Police
and Criminal Evidence Act in the UK specifying how evidence is collected
and used to form an opinion ?
Have we missed something in our definitions about how the evidence is to
be judged ?
Edmund
--
========================================================================
Edmund J. Sutcliffe Thoughtful Solutions; Creatively
<edmunds at panic.fluff.org> Implemented and Communicated
<http://panic.fluff.org> +44 (0) 7976 938841
_______________________________________________
trustable-software mailing list
trustable-software at lists.trustable.io
https://lists.trustable.io/cgi-bin/mailman/listinfo/trustable-software
More information about the trustable-software
mailing list