Firewall Wizards mailing list archives

[Fwd: Re: Code review/audit and/or version control]


From: George Capehart <capegeo () opengroup org>
Date: Wed, 24 Jul 2002 10:09:04 +0800

Sorry, I hit reply instead of reply all . . .

-------- Original Message --------
Subject: Re: [fw-wiz] Code review/audit and/or version control
Date: Wed, 24 Jul 2002 10:07:15 +0800
From: George Capehart <capegeo () opengroup org>
To: Joseph S D Yao <jsdy () center osis gov>
References: <3D3BCFC5.9CAC75C4 () opengroup org>
<200207221546.LAA14068 () fw1-b osis gov> <3D3CB7D7.C830F6DD () opengroup org>
<20020723110454.C2747 () washington center osis gov>

Joseph S D Yao wrote:

On Tue, Jul 23, 2002 at 09:56:39AM +0800, George Capehart wrote:
created.  What I'm concerned about here is a breakdown in process . . .
not a valid reason to roll back a change . . .

Then ISTM that that is at least as much a matter of properly training
the coder/programmer/software engineer users as it is a technical
matter ... perhaps much more or entirely so.  By definition, no process
can cope with a human breakdown in the process.  Eh?  ;-)

<rant>
You're *absolutely* correct!  This is what I'm getting at!  IMHO, the
breakdown of process is a management problem.  There's a little more to
the issue than just being sure coder/programmer/engineers are well
trained . . . (That in itself is a management problem; rather a problem
with management).  ;-)  I personally place the burden of "correctness,"
"quality" and "security" on management and the execution of appropriate
process . . . however one wants to define "correctness," "quality" and
"security."  It seems to me that, in the end, all of those "esses" and
"ies" exist as parts of an organization's risk management process. 
(That's a long discussion that's much better had over a bottle or two of
wine).  If it is important to the (managers of an) organization to
manage the costs and risks associated with the lack of those "esses" and
"ies," processes will be put in place and enforced, employees will
receive the training they need and policies will be defined and
enforced.  If those things are not important to the (managers of the)
organization, they will be given lip service or ignored.  I *don't*
believe these are technical problems at all.  AFAIAC, they're purely
management problems . . . 
</rant>


--
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

