ukncsc / secure-development-and-deployment
NCSC Guidance for secure development and deployment
I disagree that "individuals can also peer review their own code".
If I am attempting to peer review my own code, then I have simply not finished writing and testing my code.
5-protect-your-code-repository.md:
"Limit exposure & access to your repository
Technically enforce a model of least privilege for who can read and make changes to your code repository. Only permitted individuals should be able to view and make changes, and all activity should be attributable. For some use cases, it may be appropriate to 'code in the open', but consider the impacts first."
The paragraph above can be summarised as "code in private by default and open when appropriate". It has a radically different spirit from "code in the open and close when appropriate", which GDS has recommended for years. See the articles below.
As a consumer of these two clashing recommendations, I'm confused, and it will make my stakeholders even more confused; they will choose the NCSC recommendation by default.
GDS - Coding in the open
https://gds.blog.gov.uk/2012/10/12/coding-in-the-open/
GDS - The benefits of coding in the open
https://gds.blog.gov.uk/2017/09/04/the-benefits-of-coding-in-the-open/
GDS - Coding in the open makes better code
https://gdstechnology.blog.gov.uk/2017/07/18/coding-in-the-open-makes-better-code/
MOJ Digital & Technology - Why we code in the open
https://mojdigital.blog.gov.uk/2017/02/21/why-we-code-in-the-open/
They are very similar, and to be honest developer machines are effectively a component in the development pipeline anyway (though they are more distributed).
Is there an argument to expand [1] to include things like:
While this guidance is explicitly targeted at teams practising continuous delivery, it might be worth noting (maybe in section 8) that you should be able to fix and deploy quickly.
There is no point identifying a problem quickly if it takes you 6 months to get a fix out to Prod.