I had an interesting security-related discussion at work. A third party assessment organization (3PAO) asked me some questions related to TFS metrics. The first control they asked for backup documentation for was a complete listing of all work done in the last six months on my project. I scoped it around my team's application in TFS and pulled both the stories and bugs, which we keep in separate instances. Our Release Management Team tends not to care about our stories. They want to see bugs and hot fixes to which those bugs are tied. I hear aspects of that will be remedied as we upgrade TFS (we should be able to tie across instances), but for now, it's as it is.
The 3PAO took my list of bugs and stories and went away for a while. Then they came back and gave me a list of approximately twenty (20) of the items in my original list of thousands and said (via email - they're remote, so there's not much in-person communication, although I strive for that given other miscommunication), “Give us the hotfix info on these.”
I said, “Those aren’t hot fixes.”
They said, “Ah, you didn’t have any hotfixes.”
I said, “No. You asked for all work. Not all work is hot fixes. Your chances of randomly pulling work connected to a hot fix are pretty low.”
They responded, “So none of these are hot fixes.”
Me, “None of those are hotfixes.”
The 3PAO, “So you didn’t have any hot fixes in the last six months.”
Me, “We had hot fixes, but you didn’t randomly pull a hot fix from the work completed.”
The 3PAO, “We’ll pull again.”
Me, “No, that’s like trying to play Powerball.”
Them, “We’ll do it anyway.”
Me, nuts by now because this paraphrasing is a distillation of the hundreds of words actually exchanged in each email, “Here are all the hot fixes from the last six months and the associated files and approvals and reviewers.”
The 3PAO, “We still need to pull a random list.”
Me, “You do that, and compare each item you pull against what I just sent you. If it’s not in there, pull randomly again until you get one.”
That seemed to take care of the problem. Overall, it made me very glad I'd coded up the TFS pull in C# so that I could modify what I was sending them each time with little report work in TFS.