Every ICT specialist knows that, if you have made or changed something, you first have to test whether everything (everything!) still works. In a professional environment we have a multi-stage mechanism for this, which we cherish under the abbreviation DTAP: Development, Testing, Acceptance, Production. This week I heard a variation on this abbreviation that first made my ears pop and then put a big grin on my face.
That variant is DPSTAP and that stands for: Development, Production, Shit it doesn't work, Test anyway, Acceptance, Production. I heard this during a risk analysis. In a session like that we discuss what can go wrong and how bad that is, and one of the regular topics is: someone makes a mistake, what measures have been taken to ensure that this is discovered in time and therefore can cause no damage? In all the risk analyses that I have supervised so far – and there are quite a few – those present triumphantly shouted in unison on this point: DTAP!
And with that, everything had been said. We develop something, we do a thorough test, the customer does an acceptance test and only when everyone is satisfied can the new system or new version go into production. If errors still come to light, the product goes back to the development phase. A solid working method that is in the DNA of all IT professionals and that is so self-evident that we rarely ask ourselves whether a team really works in this way all the time. Or whether shortcuts are taken, once in a while or perhaps even structurally.
That is, until this week. After all these years someone finally dared to say that apparently sometimes a makeshift path is followed – and not even necessarily with himself, I think. It couldn't be any other way, really. I do realize that the pressure to deliver on time can sometimes be so great that you have to make a choice between being ready on time or following the official route. If you opt for the former, as a conscientious employee you will then have to wait a few days or weeks to see if everything continues to go well, biting your nails.
The more you use such a shortcut, the easier it may become. And then it could become risky. You might find yourself on a slippery slope to heedlessness, perhaps even indifference. In an organization as large as ours, I cannot rule out the possibility that there may be some colleagues who have never been at the top of a slippery slope, who naturally always choose the easiest path. I know a lot of colleagues, and I haven't met one yet who made me think: there's one of those. But statistically I can't rule out that they are around. Perhaps they are kept in the lee of their team and, for example, are not appointed to participate in risk assessments and other activities in which I am involved. To these people – and to their managers – I want to say: straighten your back, stand by your craftsmanship and make sure that you do not become a risk to our business operations yourself. You may need a (refresher) course. Or – be honest with yourself – different work.
I also learned from this. I'm getting stricter. Even more than now I will go on asking questions, even when I speak to colleagues who I know for sure are very committed to security. Do you really always do it this way, or do you occasionally do DPSTAP? If you dare to admit that, you will earn bonus points. Because you then state that there might be a risk somewhere, and we can only do something about it if we know it. It also marks the difference between running risks (which happens unconsciously) and taking risks (consciously and based on trade-offs).
Finally, a special greeting from this place to one of my most loyal readers: my mother. She turned ninety today. Congratulations!
And in the big bad world…
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- you may be a victim of a global cybercrime case.
- a Dutchman lost a considerable amount of money because of this matter. [DUTCH]
- you can't afford to remain silent after a major data breach, the judge says. [DUTCH]
- April is Seniors and Safety Month, with a dedicated campaign website. [DUTCH]
- you should not use security tools for criminal purposes.
- Tesla employees shared footage your car took, and they joked about it.
- IoT device manufacturer Nexx has not understood the importance of security, making it easy to open garage doors anywhere in the world, for example.
- the government now has a toolbox for red teaming. [DUTCH]
- another toolbox steals credentials for eighteen cloud services.
- a hacked phone system steals passwords from browsers.
- Telegram is a marketplace for phishing tools.
- biometrics is not automatically a safe technology.