If it’s possible, it’s allowed

Last week I had a meeting with a customer that is in the process of implementing a new configuration management system. We had a tough discussion about building in security measure to protect the system from malpractice of software developers.

Surprisingly, they were very much concerned about deliberate, intentional misbehaviour of their software developers. For them it was even more an issue than intentional, accidental faults. The argument was that intentional misbehaviour may be very difficult to detect because the engineers try to be extremely smart on that. The risk they are concerned about is that after delivery of those changes, the integrator may not discover problems in the system through the build and smoke test. So the problem is propagated to system level and may be even to the customer.

What they try to do is maximise the security mechanisms to make it is impossible for developers to bypass it. In my opinion, it is absolutely foolish to even try it. First, you will never outsmart those saboteurs and try it takes extreme costs and efforts. A better approach is to build in logging and detection mechanisms. Then, if someone runs in an unintentional malpractice you can build in protection mechanisms, but if someone deliverately hacks the system he should be warned first and fired next regardless of his other competences and knowledge level. It is better to spend the money on finding the right people and on try to secure the system against those terrorists.

What do you think we should do about it?

Advertisements

About Frank Schophuizen (fschop)

Hi, my name is Frank Schophuizen and I am working as a consultant in CM, Agile and ALM for TOPIC Embedded Systems. I have over 30 years experience in software development in the technology industry, with the last 15 years mainly in process improvement, deployment and integration of methods and tools in the area of CM, Agile development and ALM. I am strongly interested in the complexities of collaboration and integrations in multi-project and multi-site organizations. I have worked with various technology companies such as Philips, ASML, NXP and Vanderlande, and with various tool vendors such as IBM Rational (e.g. ClearCase, Synergy, Jazz products) as well as open source tools (e.g. SVN, Git, Jenkins, Trac, Eclipse). I am living in Eindhoven, the Netherlands, with my wife. We have 3 adult children. My main hobbies are classical music and photography.
This entry was posted in people, software development. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s