From: Richard on
On Oct 30, 6:50 am, Howard Brazee <how...(a)brazee.net> wrote:
> On Thu, 29 Oct 2009 12:52:34 +1300, "Pete Dashwood"
>
> <dashw...(a)removethis.enternet.co.nz> wrote:
> >I understand your concern, Doc, and I shared it when I first embarked into
> >using third party components. However the keyword here is "application"
> >["...that would give us deeper knowledge of this part of the _application_
> >"]
>
> >You don't have source code for the IO housekeeping routines that transfer
> >data to and from your COBOL program, yet you find this an acceptable risk.
> >By the same token, I don't need source code for a third party Grid component
> >or serial port server, I plug them into my application and they work as
> >documented. If they don't (and, oddly enough, that has NEVER happened in
> >over 10 years now), they would get unplugged pretty quickly and either
> >replaced or referred to the supplier. Only as a last resort would I sit down
> >and write this functionality myself.
>
> My environment is somewhat different.  We have a major application
> that gets updated periodically along with mods that aren't in the
> base.    So a very large part of programmers' work is in code
> comparisons and putting the mods back into the changed application.
>

That sounds like you need Bazaar to do that for you.


> Fewer people and fewer hours are spent in applications development and
> far more people and hours are spent in what users would consider
> "black box" work.    This is counter to the computer room stereotype
> that we thought we were moving away from.
>
> --
> "In no part of the constitution is more wisdom to be found,
> than in the clause which confides the question of war or peace
> to the legislature, and not to the executive department."
>
> - James Madison

From: Pete Dashwood on
docdwarf(a)panix.com wrote:
> In article <7ks3q3F39lngrU1(a)mid.individual.net>,
> Pete Dashwood <dashwood(a)removethis.enternet.co.nz> wrote:
>> docdwarf(a)panix.com wrote:
>>> In article <7kpen1F3bc69qU1(a)mid.individual.net>,
>>> Pete Dashwood <dashwood(a)removethis.enternet.co.nz> wrote:
>>>
>>> [snip]
>>>
>>>> I think the difference is in emphasis. With COBOL, everything is
>>>> about source code, so the source code has to be easily
>>>> understandable. It simply costs more if it isn't. With OO languages
>>>> you may be using objects and components from third parties that you
>>>> don't even HAVE the source code for, so the emphasis is on the
>>>> functionality working as documented, rather than the source being
>>>> well documented.
>>>
>>> With all due respect to those who write and use such systems, Mr
>>> Dashwood, my first response to the above was 'Holy Ned... what set
>>> of competent auditors of an even moderately secured system would be
>>> satisfied by hearing 'We don't have the source code or anything else
>>> that would give us deeper knowledge of this part of the application;
>>> all we gotta do is plug in a value here and Something Else comes out
>>> there and we run with that'?'
>>
>> I understand your concern, Doc, and I shared it when I first
>> embarked into using third party components. However the keyword here
>> is "application" ["...that would give us deeper knowledge of this
>> part of the _application_ "]
>>
>> You don't have source code for the IO housekeeping routines that
>> transfer data to and from your COBOL program, yet you find this an
>> acceptable risk.
>
> 'You already accept some bit of uncertainty so you can accept more'
> has not, in my experience, been much of a satisfactory response to an
> auditor's question of 'How was this number generated?'

The answer to that is: "This number was generated by a component designed
specifically to accurately generate such numbers. Here is the documentation
on HOW it does it and here are the logs, journals, and audit trails it
produced while doing it." If it was written in-house, of course the source
is also available, but that would be a last resort and I have never seen an
auditor who was not satisfied with the above.

It isn't about accepting more uncertainty, it is about getting things done
and not re-inventing wheels which may well have been designed and built by
people much better qualified than yourself to design and build them.
>
>> By the same token, I don't need source code for a third party Grid
>> component or serial port server, I plug them into my application and
>> they work as documented.
>
> Are you writing a 'moderately secured system' that gets reviewed by
> competent auditors? (longtime readers may recall something similar,
> years ago, when I asked Mr Dashwood about loading tables with
> 60,000,000 rows)

I have written (and worked on) major systems for 4 household name Banks
(even an American Bank) and 3 Insurance Companies. I am familiar with audit
and security requirements and have even been employed on more than one
occasion to check security of systems in such organizations. I don't believe
there is anything you can teach me about computer system audit requirements
or security. (And I work alongside local legal experts in different
jurisdictions...)

There is nothing wrong or fraudulent about using certified components in
system design. (Unless you are building a bent system, but you could do that
just as easily in COBOL. In spite of the availability of source code I can
think immediately of two systems I know where people got away with
defrauding (for a limited time...) so having source is no guarantee of
purity.)

All the source visibility in the world won't protect you from things like
the famous Equity Funding Insurance scam where policies were sold to
imaginary people or real people who didn't know they had "bought" them. (And
that was a mainframe COBOL system...)

>
> [snip]
>
>>> (I use 'moderately secured' to refer to things like Stock-trading or
>>> Hospital-Admission/Treatment or Payroll systems, things which have
>>> aspects covered by Federal Law (eg the Health Insurance Portability
>>> and Accountability Act, or HIPAA) in the United States of America.)
>>>
>> I have seen component based implementations of two of these
>> (Hospital and Payroll) and they complied with legal requirements
>> just as they would if they weren't component based.
>
> Are these systems you have written?

No. Absolutely not.

There are also components available for things like Tax calculations (a very
legal requirement) which are endorsed and certified by IRD (In UK and NZ).
If you buy the component you don't get the source code. (Neither do you need
it...)

But don't take my word for it... try a GOOGLE search on "software components
for Payroll" then try it substituting "Hospital" and "Tax" in place of
"Payroll".

If you buy a package like Siebel or SAP you don't get source code (although
with SAP you may have "tailoring" in ABAPS).

If you manage your small business with MYOB, SAGE, or even Microsoft Money
you don't get source code and yet your accounts are subject to audit just
like anybody else's.

Source code (or at least, the maintenance of it) is nowhere near as
important in the modern world as it was in the last century.

Objects doing what they should, and performing as specified, is still a
matter of interest though...

Pete.
--
"I used to write COBOL...now I can do anything."


From: Anonymous on
In article <7kvt4jF39ambbU1(a)mid.individual.net>,
Pete Dashwood <dashwood(a)removethis.enternet.co.nz> wrote:
>docdwarf(a)panix.com wrote:

[snip]

>> 'You already accept some bit of uncertainty so you can accept more'
>> has not, in my experience, been much of a satisfactory response to an
>> auditor's question of 'How was this number generated?'
>
>The answer to that is: "This number was generated by a component designed
>specifically to accurately generate such numbers. Here is the documentation
>on HOW it does it and here are the logs, journals, and audit trails it
>produced while doing it." If it was written in-house, of course the source
>is also available, but that would be a last resort and I have never seen an
>auditor who was not satisfied with the above.

Our experiences are different, Mr Dashwood; I have had auditors request
program listings, file layouts and file-dumps.

(what they actually *did* with these, granted, is nothing I was
responsible for researching... but the auditors asked for them and they
were supplied)

[snip]

>> Are you writing a 'moderately secured system' that gets reviewed by
>> competent auditors? (longtime readers may recall something similar,
>> years ago, when I asked Mr Dashwood about loading tables with
>> 60,000,000 rows)
>
>I have written (and worked on) major systems for 4 household name Banks
>(even an American Bank) and 3 Insurance Companies.

I did not ask what you did, Mr Dashwood, I asked 'are you writing'.
Please notice the difference in tense... not that it is anything to get
tense about.

(wonderful language, this English)

[snip]

>There is nothing wrong or fraudulent about using certified components in
>system design.

This discussion has been going on, back-and-forth, for a few days now, Mr
Dashwood, and this is the first mention I recall seeing about 'certified'
components. Let me guess... that's what you intended all along but just
neglected to mention, right?

[snip]

>> Are these systems you have written?
>
>No. Absolutely not.

Thanks much for the refreshing and direct answer, Mr Dashwood; it is very
much appreciated and may be seen as setting a new bar or standard.

DD
From: Howard Brazee on
On Fri, 30 Oct 2009 13:23:22 +0000 (UTC), docdwarf(a)panix.com () wrote:

>I did not ask what you did, Mr Dashwood, I asked 'are you writing'.
>Please notice the difference in tense... not that it is anything to get
>tense about.
>
>(wonderful language, this English)

As with the guy who told his psychiatrist that he was a Wigwam and a
Teepee...

--
"In no part of the constitution is more wisdom to be found,
than in the clause which confides the question of war or peace
to the legislature, and not to the executive department."

- James Madison
From: Pete Dashwood on
docdwarf(a)panix.com wrote:
> In article <7kvt4jF39ambbU1(a)mid.individual.net>,
> Pete Dashwood <dashwood(a)removethis.enternet.co.nz> wrote:
>> docdwarf(a)panix.com wrote:
>
> [snip]
>
>>> 'You already accept some bit of uncertainty so you can accept more'
>>> has not, in my experience, been much of a satisfactory response to
>>> an auditor's question of 'How was this number generated?'
>>
>> The answer to that is: "This number was generated by a component
>> designed specifically to accurately generate such numbers. Here is
>> the documentation on HOW it does it and here are the logs, journals,
>> and audit trails it produced while doing it." If it was written
>> in-house, of course the source is also available, but that would be
>> a last resort and I have never seen an auditor who was not satisfied
>> with the above.
>
> Our experiences are different, Mr Dashwood; I have had auditors
> request program listings, file layouts and file-dumps.
>
> (what they actually *did* with these, granted, is nothing I was
> responsible for researching... but the auditors asked for them and
> they were supplied)
>
> [snip]
>
>>> Are you writing a 'moderately secured system' that gets reviewed by
>>> competent auditors? (longtime readers may recall something similar,
>>> years ago, when I asked Mr Dashwood about loading tables with
>>> 60,000,000 rows)
>>
>> I have written (and worked on) major systems for 4 household name
>> Banks (even an American Bank) and 3 Insurance Companies.
>
> I did not ask what you did, Mr Dashwood, I asked 'are you writing'.
> Please notice the difference in tense... not that it is anything to
> get tense about.

The fact that I am not currently doing something does not mean I have never
done it or know nothing about it. That was my point.

>
> (wonderful language, this English)
>
> [snip]
>
>> There is nothing wrong or fraudulent about using certified
>> components in system design.
>
> This discussion has been going on, back-and-forth, for a few days
> now, Mr Dashwood, and this is the first mention I recall seeing about
> 'certified' components. Let me guess... that's what you intended all
> along but just neglected to mention, right?

Not at all. Not all components are certified, or need to be. My point is
that IF there is such a need, there are such components available to meet
it.

You raised a valid point about security, however, you seem to think that if
you have the source code everything is somehow then secure. My point is that
that is simply not the case.

The fact that you show source code to an Auditor does not necessarily mean
that that is the source of the object code in production. Levels and
versions can be easily spoofed in object code and object libraries can be
patched by a determined fraudster.

Having source code is no guarantee whatsoever of purity.

At least if there IS NO source code we know that the object code we have IS
what is running. (And if it is a component, there will only be one version
of it. Nevertheless, even that could be patched or spoofed...)

The only solid measure of integrity is the results obtained, randomly checked
against various trails, with independently balanced controls on files and
totals.

These results can be obtained just as easily using component based systems
as with non-component based ones.

Source code is no more a measure of security and integrity than frogs are a
measure of snakes in a pond.

>
> [snip]
>
>>> Are these systems you have written?
>>
>> No. Absolutely not.
>
> Thanks much for the refreshing and direct answer, Mr Dashwood; it is
> very much appreciated and may be seen as setting a new bar or
> standard.

For whom?

Pete.
--
"I used to write COBOL...now I can do anything."
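The two checks argued over in Mr Dashwood's last post (that a source listing shown to an auditor proves nothing about the object code actually running, and that what does prove integrity is results reconciled against independent control totals) can both be made mechanical. The following is an added example written for this page, not code from any poster or from any product mentioned in the thread. The object module names (PAYCALC, TAXCALC), their contents, the manifest layout, the batch record layout and every figure in it are constructed for the example.

```python
"""Two integrity checks behind the argument above (constructed example).

1. Provenance: each object module in production is digested and compared
   with a manifest captured from the release build, so a patched load
   library or a swapped version is detected regardless of which source
   listing was shown to the auditor.
2. Independent control totals: a pass-through batch run is reconciled
   against record count, amount total and a hash total on account numbers
   carried in a control record supplied by the originating department.

All names, module contents and figures below are assumptions for the
example, not data from the original posts.
"""
import hashlib
from decimal import Decimal


# --- 1. Does the object code in production match the release build? ---

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Digest every object module as it leaves the release build."""
    return {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}


def verify_deployed(manifest: dict, deployed: dict) -> list:
    """Compare production object modules with the build manifest.

    Returns a list of findings; an empty list means what is running is
    exactly what the build produced from the source that was reviewed.
    """
    findings = []
    for name, expected in manifest.items():
        blob = deployed.get(name)
        if blob is None:
            findings.append(f"missing in production: {name}")
        elif sha256_hex(blob) != expected:
            findings.append(f"digest mismatch, patched or wrong version: {name}")
    for name in deployed:
        if name not in manifest:
            findings.append(f"object not produced by the build: {name}")
    return findings


# Object modules modelled as byte strings (constructed).
RELEASE_OBJECTS = {
    "PAYCALC": b"\x00\x01PAYCALC v3.2 object code (constructed)",
    "TAXCALC": b"\x00\x01TAXCALC v3.2 object code (constructed)",
}
RELEASE_MANIFEST = build_manifest(RELEASE_OBJECTS)

# The same library after someone patched a few bytes of TAXCALC in place.
PATCHED_OBJECTS = dict(RELEASE_OBJECTS)
PATCHED_OBJECTS["TAXCALC"] = RELEASE_OBJECTS["TAXCALC"].replace(b"v3.2", b"v3.3")


# --- 2. Do the results balance against independent control totals? ---

def control_totals(records: list) -> dict:
    """Count, amount total and hash total for a batch of records."""
    return {
        "count": len(records),
        "amount": sum((r["amount"] for r in records), Decimal("0")),
        # A hash total is an arithmetically meaningless sum (here of account
        # numbers) kept only to detect substituted or dropped records.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(input_records: list, output_records: list, control: dict) -> list:
    """Findings where the input, the output and the control record disagree.

    Assumes a pass-through run: the batch must neither create nor lose
    records or money, so all three totals must carry through unchanged.
    """
    findings = []
    in_t = control_totals(input_records)
    out_t = control_totals(output_records)
    for key in ("count", "amount", "hash_total"):
        if in_t[key] != control[key]:
            findings.append(f"input {key} {in_t[key]} != control {control[key]}")
        if out_t[key] != in_t[key]:
            findings.append(f"output {key} {out_t[key]} != input {in_t[key]}")
    return findings


BATCH_IN = [  # constructed input batch
    {"account": "10001", "amount": Decimal("1250.00")},
    {"account": "10002", "amount": Decimal("310.50")},
    {"account": "10003", "amount": Decimal("99.99")},
]
# Control record prepared independently by the originating department.
CONTROL_RECORD = {"count": 3, "amount": Decimal("1660.49"), "hash_total": 30006}


def tampered_output(records: list) -> list:
    """An output file in which one record's amount was altered after posting."""
    out = [dict(r) for r in records]
    out[1]["amount"] = Decimal("3100.50")
    return out


if __name__ == "__main__":
    print("clean library:", verify_deployed(RELEASE_MANIFEST, RELEASE_OBJECTS))
    print("patched library:", verify_deployed(RELEASE_MANIFEST, PATCHED_OBJECTS))
    print("clean batch:", reconcile(BATCH_IN, BATCH_IN, CONTROL_RECORD))
    print("tampered batch:", reconcile(BATCH_IN, tampered_output(BATCH_IN), CONTROL_RECORD))
```

The first check only has value if the manifest is produced by the build pipeline and stored where the people who can patch the load library cannot also rewrite it; otherwise the digest and the object get patched together. The second check is independent of whether the component has source at all, which is the point of the argument: the hash total catches a substituted account even when the amount total still balances, and the control record comes from outside the system under test.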