We're SDLC compliant



  • We don't have business requirements - they take too long to write.

    We don't have functional specifications - they take too long to think about, and are too difficult to convey, let alone write down.

    We don't have formal JUnit testing - most of what we have has been added on by me in a failed attempt to play catchup on 4+ years of fail.

    We don't have any way of forcing someone to put a ticket-number or even a comment on source control commits. 

    We don't have any way of enforcing, or even a policy of only committing changes for one project at a time (e.g.: if you're working on two separate changes, commit them separately).

    We don't have formal QA testing - mostly it's just a guy pressing a few buttons based on the hand-waving description from our users of what the changes will do.

    We don't have staging environments, so deployments are shoot from the hip, inevitably filled with 2-3 days of 20-ish people working around the clock to hack it together in production.

    But we passed the formal corporate audit without a single demerit; we are a mature and stable organization; we are SDLC Compliant!

    Excuse me, but WTF does that say about a) the auditors, and b) what our parent company considers SDLC compliance?




  •  Could you name and shame your auditors, so I know what fuckwitted blinkered protozoa I can avoid?



  • Well, SDLC means Software Development Life-Cycle. And you do have a software development life-cycle, namely, "Once upon a time this software wasn't developed, but now it is." So clearly you're SDLC compliant!

    I mean, so is a teenager sitting in his room hacking together a Skyrim mod that gives him a spell to disrobe females at will, or literally any other sentient being that writes code, but hey, it's something, right?



  • Wow! This makes me feel like my company's Doing It Right... Almost!



  • I've been reading/playing too much BattleTech lately. From the title I was expecting something about the Star League Defense Force. The acronym was close enough that my mind incorrectly auto-corrected. Or I'm lysdexic. Either way.



  • Reminds me of audits at a shop in the late 1990s, which would be days of pain as the auditors went through the Procedures Manual with each of us in fine detail. Then someone in management had the bright idea that if we simply abolished all the Procedures, there would be nothing for us to fail an audit on...



  • But we passed the formal corporate audit without a single demerit; we are a mature and stable organization; we are SDLC Compliant!

    We all know that compliance approval is only there for the auditors. What else could these poor people do? So there are two options:

    (1) You pay them their normal wages, and they do a normal job.

    (2) You pay them fantastically, and they do a fantastic job.

    Option 1 implies a lot of failures to comply and a lot of audit rounds, so option 2 is a lot cheaper: the auditors weave their magic, and presto: you're compliant. Everybody happy.

    It's like a victimless crime, innit?



  • @TGV said:

    It's like a victimless crime, innit?

    Yep, you bribe an auditor that you decided to hire for looking at problems in your company. I wouldn't say it's victimless, but it is at least schizophrenic.

    Why do companies still fall for it?



  • @Cassidy said:

     Could you name and shame your auditors, so I know what fuckwitted blinkered protozoa I can avoid?

    Sadly, they're full time internal employees of the parent company. Their purpose is to go from department to department, team to team, and verify that each is using proper SDLC methodologies. It was just our turn. However, as a newly assimilated division, we got extra special scrutiny, whatever TF that is.



  • @snoofle said:

    But we passed the formal corporate audit without a single demerit; we are a mature and stable organization; we are SDLC Compliant!

    Excuse me, but WTF does that say about a) the auditors, and b) what our parent company considers SDLC compliance?

    You obviously have no idea what auditors are for. Even if you hire an external auditing firm, the conclusion is determined by the customer, not the auditor.



  • Discourse touched me in a no-no place

    @Severity One said:

    Even if you hire an external auditing firm, the conclusion is determined by the customer, not the auditor.
    Unless the process results in (or not, as the case may be), for example, something that starts with ISO and ends with a number - it doesn't.



  • It's strange... I saw SDLC and my first thought was Synchronous Data Link Control, and the rest of the post confused me a great deal.


  • ♿ (Parody)

    @Steve The Cynic said:

    It's strange... I saw SDLC and my first thought was Synchronous Data Link Control, and the rest of the post confused me a great deal.

    That might actually explain how they passed.

    "Yup, no asynchronicity here."



  • @snoofle said:

    ...

    Excuse me, but WTF does that say about a) the auditors, and b) what our parent company considers SDLC compliance?

    It says that you meet industry standards.




  • @Rick said:

    @snoofle said:

    Excuse me, but WTF does that say about a) the auditors, and b) what our parent company considers SDLC compliance?

    It says that you meet industry standards.


    oh snap



  • BINNED

    @Mcoder said:

    @TGV said:

    It's like a victimless crime, innit?

    Yep, you bribe an auditor that you decided to hire for looking at problems in your company. I wouldn't say it's victimless, but it is at least schizophrenic.

    Why do companies still fall for it?

    I'm not sure "fall for it" is accurate. Failing the audit would require spending money to fix the problem and cut into short-term profits. That would cause earnings targets to be missed, which would cause the stock price to fall. Passing the audit will keep the stock price up, and any problems that happen as a result will only be apparent later, after everyone involved in the decision has sold their shares and moved on to greener pastures.



  • @PedanticCurmudgeon said:

    Failing the audit would require spending money to fix the problem and cut into short-term profits.

    Why even make an audit? There's nobody forcing you.


  • BINNED

    You can use the audit to help you to lie to customers about how good your processes are. "We have an audited development process." See how it works?



  • That's sort of the opposite situation I had at work. After we were bought by Very Large Company® they sent in their special team of auditors and we failed our first environmental audit because we didn't have policies in place for handling certain chemicals, despite the fact that:

    -- We've never used any of those particular chemicals in the 100 years we've been in business
    -- There's nearly zero chance that we will ever use any of those chemicals
    -- We don't even have any equipment at our facility that could handle those particular chemicals




  • N.B. MEMO, 2012-09-25:

    New policy:
    Per auditing requirements, when handling chemicals we cannot handle, do not handle the chemicals.

    PROBLEM SOLVED.


  • @PedanticCurmudgeon said:

    You can use the audit to help you to lie to customers about how good your processes are. "We have an audited development process." See how it works?

    Heh, I guess vendors are too afraid of saying things like this near me :)



  • @Xyro said:

    Per auditing requirements, when handling chemicals we cannot handle, do not handle the chemicals.

    I saw a shelf in a maintenance closet once that held a bunch of totally dusty cans of paint and a "DO NOT USE" sign. I asked about it, the manager said "Causes cancer. The safety people decided we're not allowed to use it any more." "So why do we still have them?" "Not allowed to dispose of them either." "Can we hire someone to clean them out?" "I wouldn't bet on it. I once moved them to another closet because I wanted more space in here and we failed our next audit because they couldn't find them." "How long have they been in there?" "Well, they were dusty when I started in 1985."

    The company still has them. 



  • @Severity One said:

    @snoofle said:

    But we passed the formal corporate audit without a single demerit; we are a mature and stable organization; we are SDLC Compliant!

    Excuse me, but WTF does that say about a) the auditors, and b) what our parent company considers SDLC compliance?

    You obviously have no idea what auditors are for. Even if you hire an external auditing firm, the conclusion is determined by the customer, not the auditor.

    The key to understanding in advance what the outcome will be is determining who the customer really is. If it's not who is being audited, life can be interesting.



  • @Mcoder said:


    Why even make an audit? There's nobody forcing you.

    That depends on what the audit is for. For example, the PCI DSS audit is pretty damn important if you work with financial software.



  • @mott555 said:

    I've been reading/playing too much BattleTech lately. From the title I was expecting something about the Star League Defense Force. The acronym was close enough that my mind incorrectly auto-corrected. Or I'm lysdexic. Either way.

    Or both, eh quiaff?



  • @PJH said:

    @Severity One said:
    Even if you hire an external auditing firm, the conclusion is determined by the customer, not the auditor.
    Unless the process results in (or not as the case may be,) for example, something that starts with ISO and ends with a number - it doesn't.

    Well that's a matter of opinion. An ISO-9000 certification is simply the validation by external auditors that the company has internal processes and is following them. It does not mean that the processes are good and does not involve any kind of external standard except for the auditing process itself.

    The purpose of that kind of certification is to facilitate collaboration between companies that are part of a supply chain. If ABC Inc is usually delivering products to XYZ Inc 3 weeks late with a 45% quality ratio, their ISO-9000 certification will tell XYZ Inc that they can expect the same in the future so they can adapt their own processes. That's the best way to avoid a roller-coaster behavior in the supply chain but it has no meaning whatsoever about the actual quality of the product (except that it's always more or less the same).



  • @curtmack said:

    @Mcoder said:

    Why even make an audit? There's nobody forcing you.

    That depends on what the audit is for. For example, the PCI DSS audit is pretty damn important if you work with financial software.

    People think that PCI is a big thing like ISO or HIPAA but really it's closer to those "next oil change date" stickers that Jiffy Lube or Walmart will put on your windshield when they service your car. For most companies doing the "audit" means printing the vanilla self-assessment questionnaire once a year, checking the checkboxes on the form and archiving it without sending a copy to anyone. And its only use is to provide some weak legal defense in the event that CC data is stolen from the company. Some banks will impose fees or terminate the account if CC data is stolen from a merchant who cannot show their self-assessment documents, but with the rabid competition in that industry people can shop around so it's a big joke.

    The only case where it can be a bit tedious is if your company wants to offer branded credit card (which usually means that you are a bank, a big store or a big oil company). And even for those, the PCI audit is basically a questionnaire that you fill and send to the bank that is endorsing you. You may have to hire a certified contractor to scan your network once every quarter but that's for a very specific type of company.

    Just look at the Program Fees page - it's all for the contractors who want to ride the PCI money train.


  • Discourse touched me in a no-no place

    @snoofle said:

    extra special scrutiny
    Ah yes. “Extra special” scrutiny from the “extra special” auditors.

