Why don't we do this, Mike? Was this something that developers used to do and moved away from? If so, was it because of costs? Because they wanted - were told - to shave time off development and this was one way to do that? Because competitors weren't doing it and weren't getting into hot water over it? Something completely different? Not being a programmer, I'm interested in learning whether this is a change in process - or a best practice that was never widely deployed.
=DC: "At least starting a dialog along these lines is a path to somewhere!"
YES!!
it does no good to just look over the wreck. we gotta figure out how to clean it up.
Now if I am making gidgits and I have to incorporate some firmware into my gidgits then it becomes incumbent upon me to participate int he Zero Defects program
since I am not compiling the firmware my responsibility become requiring authentication from my source: a PGP signed packing list detailing the components in the firmware. I can then check that firmware to be sure I'm installing what I am supposed to install.
as a programmer for Firmware for Gidgits it becomes my rfesponsibility to similarly check my O/S and my compiler to be sure I have correct originals . and to re-check before I assemble finals .
then when I compile the firmware I can make out the packing list detailing what my package is composed of. documenting not only the modules I compiled and assembled but also identifying the tools I used.
as you start playing with this thinking you will see that Software Audits are a Critical Need -- and where are they ?????
the alternative is to just stand around and watch while this trainwreck piles up worse and worse.
hackers are off to a good start this year already .
Good question. Ensuring the integrity of software supply chains is a difficult problem because of the increased use of offshore development, the relative ease of cloning software and the ongoing need to keep software patched and updated via trusted mechanisms. Very challenging for cios indeed.
Our physical and virtual supply chains are becoming ever more complex these days. It's a concern for national security as well as for protecting business intelligence. There's going to be some smart people out there with bad intentions who will be able to disrupt the system, it seems there is no doubt in that. The question is: are organizations prepared for a bait and switch? At least starting a dialog along these lines is a path to somewhere!
it's all well and good for Gartner to come up with this even though the problem has been around for years
correcting this is another matter
the answer lies in adopting the Zero Defects policy
and resurecting the old fashioned Packing List
if I send you a program I should include a Packing List
the Packing list should list every object included in the distribution together with its size, date, and CRC. and the packing list needs to be signed with PGP
I agree these could be extended to business also and would make an effective starting point. I think once harm can be inflicted to a great degree the verify then trust motto has to take effect.
Sadly, I have to agree with them in this level. It seems like you can never no too safe, even if you do use all of standards in security today. hackers have become far more savvy than most 're as listed and to not actively protecting your company is a ticking time bomb. What should CIOs do to stay on top of the ever changing security world?
Once again, the decisionmaking process should be modeled after that we follow in our personal lives. I live by the following basic procedure:
Without evidence to the contrary, it is best to extend trust to anyone at first meeting
Without proof of reliability and integrity, trust should not be extended to the point where great harm might be incurred if the trusted person turned out to be unethical
These rules serve me well in my personal life. I won't say that I've never been ripped off because I extended trust to the wrong person; however, far more often I have been rewarded with loyal friends when another approach would have produced enemies. In this tradeoff, extending trust created far more opportunities than would have occurred any other way.
Isn't it reasonable to apply the same approach to business?
Due diligence used to mean digging in to make sure a prospective partner was financially viable, didn't it? Nowadays, most companies really want to also ensure their partners are ethical, too. Hopefully, part of that is because they're run and staffed by good people. The other part is that bad news spreads really fast. Think about Citgo and Hugo Chavez; Kathy Lee and her clothing line; Apple and its suppliers in China... there are so many instances where a large vendor comes under attack for partner actions.
Even though cloud is comparatively new, I'd think the same applies here as it always did with any IT partnership: Reputation, strong financials, a history of taking care of customers, partnerships with leading vendors, executive management you trust, and existing satisfied clients.
Trust is critical in business and being able to do business with ethical companies is critical too. It's a small world and reputation is everything. Compnies need more than just to be socially impactful. they need to be a force for change. most multinationals try this but few companies in IT achieve it. Liferay is one of them that has - http://www.theregister.co.uk/2013/01/23/open_and_shut/
But how can companies who are choosing strategic relationships with suppliers vet for the real organisation so they dont link up with a wolf in sheeps clothing?
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Social networking sites and search engines continue to hone the tools they use to help advertisers spread their messages, measure results, and avoid fraud.
The US National Security Agency learned the hard way that it can be dangerous to give a contractor too much money and access, with too little scrutiny. The NSA and other government agencies hire tens of thousands of contractors
a year to analyze data. Edward Snowden -- who revealed himself as the NSA leaker after fleeing the country -- was one such contractor, reportedly holding a $122,000 salaried position at Booz Allen Hamilton at the time of his departure.
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
