Secure Coding mailing list archives
Darkreading: compliance
From: eballen1 at qwest.net (Bruce Ediger)
Date: Tue, 13 Mar 2007 06:59:50 -0600 (MDT)
On Tue, 13 Mar 2007, somebody wrote (attribution isn't clear to me):
> no. my feeling is that it focuses management on unimportant things like meeting checkpoints rather than actually doing useful things.
I heartily agree. "Compliance" almost always becomes (in the worst sense of the word) a mantra to chant down all disagreement. "Compliance" becomes the *administrative* stick-and-carrot, rather like a driver's license in the US. That is, every US citizen has this set of nominal "rights" that nobody can take away. On the other hand, a driver's license is a privilege, so you have to jump through some hoops to get it, and it comes with mandatory behaviors, not all of them legal, most of them administrative. Life in the US without a driver's license is marginal. So, administrators use driver's licenses to punish and guide behavior in ways nominally, or legally, forbidden. Wink wink, nudge nudge.

I'm most familiar with PCI, and some of the things that people put in it are just downright stupid. If you run your credit card processing on Solaris, why should you put in a virus scanner? Seriously, folks...

Since "compliance" becomes an administrative tool, the weapons against actually paying for "compliance" become administrative, hence the focus on meeting checklist items. A checklist can't really contain all the capability of a general-purpose computing system, as checklists do not have looping or decision making in them. So, they'll always have weird limits, and people will try to overcome those limitations by adding to the checklists.

"Compliance" becomes a rallying point for the professional meeting attenders, parasites and hangers-on, hierarchy jockeys.
Current thread:
- Darkreading: compliance Gary McGraw (Mar 12)
- Darkreading: compliance bugtraq at cgisecurity.net (Mar 12)
- Darkreading: compliance Michael Silk (Mar 12)
- Darkreading: compliance Steven M. Christey (Mar 12)
- Darkreading: compliance Bruce Ediger (Mar 13)
- Darkreading: compliance Benjamin Tomhave (Mar 30)
- Darkreading: compliance ljknews (Mar 30)
- <Possible follow-ups>
- Darkreading: compliance Gary McGraw (Mar 12)
- Darkreading: compliance Gary McGraw (Mar 13)
- Darkreading: compliance Michael Silk (Mar 13)