Well, do you? I don’t, because I leave the door open for the dog to come and go, and a dog is a more effective deterrent than a door lock.
So why do we leave the door open in our IT departments every day? And why do we open more doors than we close every day? Introducing software into the production environment always comes with risk.
- Lowest risk – home grown software written by your team and vetted by your QA
- Low risk – bespoke software created for you (outsourced/offshored) and vetted by you
- Negligible risk – software from reputable vendors
- Acceptable risk – open source software from reputable sources backed by vendors
- Some risk – software from new vendors and startups
- Unknown risks – open source software downloaded in an uncontrolled manner
- Serious exposure – software that installs itself unknown to you
Serious IT departments have sophisticated change and configuration management solutions designed to protect production systems from rogue changes but they seem to have a blind spot when it comes to code whose provenance we cannot guarantee.
More and more of our applications contain open source elements, the infrastructure we use is built on more and more open source tools, and even the IDE we write in is likely to be open source. Open source is a wonderful concept, but like so many human endeavours, something designed to further humanity can, and all too often does, turn to the dark side.
Develop a risk scorecard for your next deployment, component by component, and see where you stand. No artifact in your code base is free from risk, not even code written and tested by your own team. As we learned from VW recently, there are surprises lurking in the heart of our code bases that can do the business great harm. As Knight Capital showed us, if it is really easy to release good code, it is really easy to release bad code too. As Royal Bank of Canada knows, best practices can save embarrassment; ignore them at your peril.
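One way to build that component-by-component scorecard, as an added example that is not part of the original post: each declared component is tagged with one of the post's provenance tiers and given a weight, and anything observed on the host that the inventory does not declare is scored as the post's "software that installs itself unknown to you". The tier weights, the sample inventory and the observed package list are all constructed for illustration; the assumption that the post's list runs from lowest to highest risk is mine.

```python
"""Per-component risk scorecard for a deployment inventory.

Added example, not from the original post. Scores every declared component by
the provenance tier it was given, then reconciles the declared inventory with
what is actually observed on the host so that undeclared software is surfaced
at the highest tier and declared-but-absent software is reported as drift.
"""
from collections import Counter

# The post's seven provenance tiers, in the post's own order. The numeric
# weights are an assumption (monotonic in that order) so a card can be totalled.
TIER_WEIGHTS = {
    "in-house, QA-vetted": 1,
    "bespoke, vetted by us": 2,
    "reputable vendor": 3,
    "vendor-backed open source": 4,
    "new vendor / startup": 5,
    "uncontrolled open source download": 7,
    "unknown origin (self-installed)": 10,
}
UNDECLARED_TIER = "unknown origin (self-installed)"

# Constructed sample inventory: what the release claims to ship.
INVENTORY = [
    {"name": "billing-service", "version": "3.4.1", "provenance": "in-house, QA-vetted"},
    {"name": "report-builder", "version": "1.2.0", "provenance": "bespoke, vetted by us"},
    {"name": "postgres", "version": "13.7", "provenance": "vendor-backed open source"},
    {"name": "left-pad-clone", "version": "0.0.3", "provenance": "uncontrolled open source download"},
    {"name": "startup-analytics-sdk", "version": "0.9", "provenance": "new vendor / startup"},
]

# Constructed sample of what a host scan actually found installed.
OBSERVED_PACKAGES = [
    "billing-service", "report-builder", "postgres", "left-pad-clone",
    "startup-analytics-sdk", "mystery-agent",
]


def build_scorecard(inventory, observed_packages, weights=TIER_WEIGHTS):
    """Score each component and reconcile the inventory against observation.

    Returns a dict with the per-component rows (highest risk first), the total,
    the packages observed but never declared, and the declared packages that
    were not observed (drift in the other direction).
    """
    declared = {c["name"] for c in inventory}
    observed = set(observed_packages)
    rows = []

    for component in inventory:
        tier = component["provenance"]
        if tier not in weights:
            # A component with an unrecognised tier is a gap in the inventory,
            # not something to silently score as safe.
            raise ValueError(f"unknown provenance tier for {component['name']!r}: {tier!r}")
        rows.append({"name": component["name"], "tier": tier, "score": weights[tier]})

    # Anything running that nobody declared is the post's "serious exposure".
    undeclared = sorted(observed - declared)
    for name in undeclared:
        rows.append({"name": name, "tier": UNDECLARED_TIER, "score": weights[UNDECLARED_TIER]})

    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return {
        "rows": rows,
        "total": sum(r["score"] for r in rows),
        "undeclared": undeclared,
        "missing": sorted(declared - observed),
    }


def tier_summary(card):
    """Count how many components fall into each tier, for the card's header."""
    return Counter(r["tier"] for r in card["rows"])


if __name__ == "__main__":
    card = build_scorecard(INVENTORY, OBSERVED_PACKAGES)
    print(f"total risk score: {card['total']}")
    for row in card["rows"]:
        print(f"  {row['score']:>2}  {row['name']:<24} {row['tier']}")
    print(f"undeclared on host: {card['undeclared']}")
    print(f"declared but absent: {card['missing']}")
    for tier, count in tier_summary(card).most_common():
        print(f"  {count} x {tier}")
```

The reconciliation step is the part that earns its keep: a scorecard built only from what the release notes declare can never show the last tier, because by definition nobody wrote that software down. Feeding it an independent list of what is actually installed is what makes the "unknown to you" row appear.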
Deploying code requires end-to-end vigilance. That means scrutiny as code is created, scrutiny as it is changed, scrutiny as it is tested, scrutiny as it is deployed and scrutiny as it is used. We have to have the infrastructure to be our 24×7 scrutineer, to be our guard dogs.
We cannot leave the door open in the world of tech, we have to lock it, bolt it and guard it.