Does the Rogue Developer Really Exist?

Zone Leader, John Vester, thinks about separation of duties and wonders what is really being protected against with this philosophy.

by John Vester · CORE · Feb. 17, 17 · Opinion

We've all seen the movies or read the books, where a wicked-cool computer programmer goes rogue and changes the code for some reason. Hollywood's glamorization of how we program often makes our jobs look way cooler than reality, too. The technological wonder uses coding skills and knowledge to circumvent processes put into place for the protection of the corporation, its assets, etc. Typically, in these storylines, the programmatic changes made save some aspect of the world in the process. The question is, does this person or situation really exist in the real world?

Frustrations from Standards and Practices

I was working for a Fortune 500 company when Sarbanes-Oxley (SOx) went into effect. As an Information Technology resource, I was expected to quickly get up to speed on the technology aspects of being SOx-compliant. One of the biggest challenges that existed at that time was that developers had access to production or had the ability to push changes into production environments. SOx presented the idea of separation of duties so that the person writing code isn't the same person pushing the code into production.

When I take a step back, this idea seems to have stemmed from accounting practices. When I think about the Big Eight, to Big Six, to Big Five, to Big Whatever accounting firms that were leading the SOx effort, I am not surprised this practice was inherited by Information Technology. On paper, it just made sense and was an easy translation that made executives (or the powers that be) happy. However, this concept led to frustrations when trying to fit everything into this same (very small) box.

As an example, I might have a simple service that is a tool to assist other development teams. While the function of the tool has nothing to do with the core business and does not interact with any proprietary data, it provides value to the teams and reduces a great deal of duplicate work. I can write the code and use a Pull Request (PR) process to have my changes reviewed and approved by other developers. From there, I can use my favorite CI/CD tool to push the code into the non-Production environments before pushing the button to update the Production instances. However, according to SOx compliance, I need to reach out to another person to actually push the button for the code to be deployed.

The Reality

In this implementation, I feel like the process is protecting against a rogue developer (or situation) that doesn't exist. So, we are putting in safeguards to handle that < 1% chance that someone is going to do something unethical. This is in contrast to most Information Technology teams who attempt to handle 80% of the needs first, then focus on the next 20% as it makes sense to the corporation.

Of course, people make mistakes, but those mistakes should be caught in the PR process, or in the deployment to a non-Production environment. If I had a guy in DevOps pushing the button to deploy code into Production, that individual is going to just push the button ... not look into the code first. That is the reality I still see today. Sometimes, the button pusher is someone who does not have the ability to comprehend the code being deployed.
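To make concrete what a separation-of-duties gate actually checks in the PR, CI/CD, non-Production, Production flow described above, here is an added example (not code from the article or from any DZone project). It models a deployment gate that runs before the "button" is honored: the artifact going to Production must be the exact merge commit that was reviewed, at least one approver must be someone other than the author, and the person deploying to Production must not be the author. The record shapes, field names, and sample values are assumptions constructed for the example; a real gate would read them from the SCM and CI systems.

```python
"""Deployment gate: separation-of-duties and artifact-provenance checks.

Added example, not from the article. The record layouts below are
assumptions; real systems would pull PR and build metadata from the SCM
and CI APIs rather than build them by hand.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PullRequest:
    number: int
    author: str
    approvers: List[str]   # logins that approved the PR (may include author)
    merge_sha: str         # commit produced by merging the reviewed changes


@dataclass
class DeployRequest:
    requester: str         # who is pushing the button
    artifact_sha: str      # commit the deployable artifact was built from
    target: str            # e.g. "staging" or "production"


def check_deploy(pr: PullRequest, req: DeployRequest) -> List[str]:
    """Return the list of policy violations; an empty list means deploy may proceed."""
    problems = []

    # 1. Provenance: the artifact must be exactly what was reviewed. If it is
    #    not, the PR review says nothing about what is about to go live, and
    #    the button pusher cannot be expected to notice by reading code.
    if req.artifact_sha != pr.merge_sha:
        problems.append("artifact sha does not match reviewed merge commit")

    # 2. Independent review: self-approval does not count as a review.
    independent = [a for a in pr.approvers if a != pr.author]
    if not independent:
        problems.append("no approver independent of the author")

    # 3. Separation of duties, Production only: the author may still deploy
    #    to non-Production environments, which matches the workflow above.
    if req.target == "production" and req.requester == pr.author:
        problems.append("author cannot deploy own change to production")

    return problems


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    pr = PullRequest(42, "jvester", ["jvester", "reviewer1"], "abc123")
    for req in (
        DeployRequest("jvester", "abc123", "staging"),
        DeployRequest("jvester", "abc123", "production"),
        DeployRequest("opsperson", "abc123", "production"),
        DeployRequest("opsperson", "ffff00", "production"),
    ):
        verdict = check_deploy(pr, req)
        print(f"{req.requester:>10} -> {req.target:<10} "
              f"{'ALLOW' if not verdict else 'DENY: ' + '; '.join(verdict)}")
```

The point of the gate is that the second person does not need to comprehend the code: the value they add is confirming that what ships is the reviewed commit and that the author is not both reviewer and deployer. The independent-approver check is the one the PR process itself should already enforce; the provenance check is what keeps a Production deploy from silently diverging from what passed review.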

So, we are back to protecting against that rogue developer, who in my 25+ years of experience in Information Technology has never existed. I mean, think about it, the risk imposed for going rogue far outweighs the reward that can be gained from such an effort. This would include time behind bars, plus losing all credibility in a technology world connected heavily by social media.

Conclusion

My goal here is not really to take on policies that impose the separation of duties within Information Technology. My goal is to think about what is being asked and what is truly being protected with such policies. On paper, in a boardroom, or in front of a symposium of congressmen, this may make sense. However, the reality doesn't seem to match the expectations. At least, in my view.

Have a really great day!
