Search - "compliance"
Each month my department compiles a 4M row 150 column data table for compliance with a federal agency. Before submitting, we check it against about 400 rules.
The existing system was simply 400 queries that ran in sequence, table-scanning 4M rows each time, taking upwards of 6 hours, which is a huge bottleneck, especially if you have to make changes and rerun. Plus the output was rather one-dimensional.
I built a proper normalized database and created a sort of rules engine, running all 400 rules in one table scan. Not only does it complete in 30 minutes, but the reports generate automatically, and the results can be filtered on several dimensions to aid with root-cause analysis.
Management was pleased.
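The pattern behind that rant (one predicate-per-column scan instead of one query per rule) is easy to show on a toy table. This is an added example, not the rant author's code: the `records` columns, the five rules and the sample rows are all constructed here, and SQLite stands in for whatever database the department uses. Both functions must agree on which rows violate which rule; the single-pass version additionally keeps a per-state breakdown, which is the "filter on several dimensions" the rant mentions.

```python
import sqlite3
from collections import defaultdict

# Constructed sample standing in for the 4M-row, 150-column compliance extract.
SAMPLE_ROWS = [
    # (id, state, city, zip_code, amount, status, filed_on)
    (1, "IL", "Chicago",  "60601", 120.0,  "FILED",   "2023-01-10"),
    (2, "IL", "Chicago",  "ABCDE", 75.0,   "FILED",   "2023-01-11"),  # bad zip
    (3, "TX", "Austin",   "73301", -5.0,   "FILED",   "2023-01-12"),  # negative amount
    (4, "TX", "",         "73301", 40.0,   "PENDING", "2023-01-13"),  # missing city
    (5, "NY", "New York", "10001", 9999.0, "FILED",   "2023-01-14"),  # over limit
    (6, "NY", "New York", "10001", 50.0,   "FILED",   None),          # FILED but no date
    (7, "IL", "Chicago",  "60601", 10.0,   "FILED",   "2023-01-15"),
]

# Hypothetical rule set. Each value is an SQL boolean expression that is TRUE
# when the row VIOLATES the rule. These are code-owned constants, never built
# from user input, because they are interpolated into SQL below.
RULES = {
    "R001_zip_format":    "zip_code NOT GLOB '[0-9][0-9][0-9][0-9][0-9]'",
    "R002_amount_nonneg": "amount < 0",
    "R003_city_present":  "TRIM(COALESCE(city, '')) = ''",
    "R004_amount_limit":  "amount > 5000",
    "R005_filed_date":    "status = 'FILED' AND filed_on IS NULL",
}


def build_db():
    """Create an in-memory table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, state TEXT, city TEXT, "
        "zip_code TEXT, amount REAL, status TEXT, filed_on TEXT)"
    )
    conn.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def sequential_scan(conn, rules):
    """The old approach: one query per rule, so N rules cost N full table scans."""
    violations = {}
    for rule_id, predicate in rules.items():
        rows = conn.execute(f"SELECT id FROM records WHERE {predicate}").fetchall()
        violations[rule_id] = {r[0] for r in rows}
    return violations


def single_pass(conn, rules):
    """Rules engine: every rule becomes a 0/1 column of ONE select, so the table
    is scanned once. Returns (violations per rule, violation counts per state)."""
    rule_ids = list(rules)
    flag_columns = ", ".join(
        f"CASE WHEN {rules[r]} THEN 1 ELSE 0 END" for r in rule_ids
    )
    sql = f"SELECT id, state, {flag_columns} FROM records"
    violations = {r: set() for r in rule_ids}
    by_state = defaultdict(lambda: defaultdict(int))
    for rec_id, state, *flags in conn.execute(sql):
        for rule_id, flag in zip(rule_ids, flags):
            if flag:
                violations[rule_id].add(rec_id)
                by_state[state][rule_id] += 1
    return violations, {s: dict(d) for s, d in by_state.items()}


if __name__ == "__main__":
    db = build_db()
    slow = sequential_scan(db, RULES)
    fast, per_state = single_pass(db, RULES)
    print("results identical:", slow == fast)
    for rule_id, ids in fast.items():
        print(f"{rule_id}: rows {sorted(ids)}")
    print("violations by state:", per_state)
```

The per-rule predicates stay exactly as they were in the sequential version; only the shape of the query changes, which is what makes the two results comparable and the rewrite verifiable before it replaces the old job. Adding another dimension (city, month, status) to the breakdown is a matter of selecting one more column in the same pass.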
Also a big “fuck you” to whoever decided under any circumstance holding the power button down on a computer case meant anything other than shut this mother fucker all the way down and try the fuck again.
Gahhh. When I hold the power button I don’t want you to sleep, I want you to die! I’m electronically smothering your bitch ass. When I’m holding down the power button to restart, the computer should feel like it’s being waterboarded! Like these may be its last moments on Earth if it doesn’t act right and get in compliance! No it’s not nap time, it’s time to shut up or shut down...forever!
In a user-interface design meeting over a regulatory compliance implementation:
User: “We’ll need to input a city.”
Dev: “Should we validate that city against the state, zip code, and country?”
User: “You are going to make me enter all that data? Ugh…then make it a drop-down. I select the city and the state, zip code auto-fill. I don’t want to make a mistake typing any of that data in.”
Me: “I don’t think a drop-down of every city in the US is feasible.”
Manager: “Why? There cannot be that many. Drop-down is fine. What about the button? We have a few icons to choose from…”
Me: “Uh..yea…there are thousands of cities in the US. Way too much data for anyone to realistically scroll through.”
Dev: “They won’t have to scroll, I’ll filter the list when they start typing.”
Me: “That’s not really the issue and if they are typing the city anyway, just let them type it in.”
User: “What if I mistype Ch1cago? We could inadvertently be out of compliance. The system should never open the company up for federal lawsuits”
Me: “If we’re hiring individuals responsible for legal compliance who can’t spell Chicago, we should be sued by the federal government. We should validate the data the best we can, but it is ultimately your department’s responsibility for data accuracy.”
Manager: “Now now…it’s all our responsibility. What is wrong with a few thousand item drop-down?”
Me: “Um, memory, network bandwidth, database storage, who maintains this list of cities? A lot of time and resources could be saved by simply paying attention.”
Manager: “Memory? Well, memory is cheap. If the workstation needs more memory, we’ll add more”
Dev: “Creating a drop-down is easy and selecting thousands of rows from the database should be fast enough. If the selection is slow, I’ll put it in a thread.”
DBA: “Table won’t be that big and won’t take up much disk space. We’ll need to set up stored procedures, and data import jobs from somewhere to maintain the data. New cities, name changes, etc.”
Manager: “And if the network starts becoming too slow, we’ll have the Networking dept. open up the valves.”
Me: “Am I the only one seeing all the moving parts we’re introducing just to keep someone from misspelling ‘Chicago’? I’ll admit I’m wrong or maybe I’m not looking at the problem correctly. The point of redesigning the compliance system is to make it simpler, not more complex.”
Manager: “I’m missing the point to why we’re still talking about this. Decision has been made. Drop-down of all cities in the US. Moving on to the button’s icon ..”
Me: “Where is the list of cities going to come from?”
<few seconds of silence>
Dev: “Post office I guess.”
Me: “You guess?…OK…Who is going to manage this list of cities? The manager responsible for regulations?”
User: “Thousands of cities? Oh no …no one in our area has time for that. The system should do it”
Me: “OK, the system. That falls on the DBA. Are you going to be responsible for keeping the data accurate? What is going to audit the cities to make sure the names are properly named and associated with the correct state?”
DBA: “Uh..I don’t know…um…I can set up a job to run every night”
Me: “A job to do what? Validate the data against what?”
Manager: “Do you have a point? No one said it would be easy and all of those details can be answered later.”
Me: “Almost done, and this should be easy. How many cities do we currently have to maintain compliance?”
User: “Maybe 4 or 5. Not many. Regulations are mostly on a state level.”
Me: “When was the last time we created a new city compliance?”
User: “Maybe, 8 years ago. It was before I started.”
Me: “So we’re creating all this complexity for data that, realistically, probably won’t ever change?”
User: “Oh crap, you’re right. What the hell was I thinking…Scratch the drop-down idea. I doubt we’ll have a new city regulation anytime soon and how hard is it to type in a city?”
Manager: “OK, are we done wasting everyone’s time on this? No drop-down of cities...next …Let’s get back to the button’s icon …”
Simplicity 1, complexity 0.
Been lurking here for a while. Finally pissed off enough to post.
Been programming in Ada for nearly a decade now. One of the few younger devs who knows the language well. Have a large collection of libraries and tools written in it, open source. Done contract work. Looking to get out of my current line of work, which is medicine, because fuck this recent legal climate. I'm spending all my time dealing with legal compliance and it rapidly changing.
I see a job posting from a company looking for a programmer to mostly write testing stuff for clients. They mostly work with Ada. I've written a whole unit testing and integration testing framework. Perfect. Apply. "You don't have the required skills." Oh... K then.
Wanna guess what I was just offered as contract work. Same company. I guess I'm fucking qualified if you asswipes sought me out to ask me to fix your fucking bullshit.
What the hell is wrong with management and HR in recent years?
Got bored at work today and tried to write a program to do my job for me. Security and compliance saw it in the logs (trying to run unauthorized program) and came to give me a hug.
That'd be Linux for sure. I love how it allows its operator to do anything they please, without any lockdown or nannying. How I own the piece of software (given copyright compliance of course), rather than being just (temporarily) licensed to use it. How I can customize it into whatever shape I want. How it allows pretty much anyone to contribute. And redistribution! Yes, the hundreds if not thousands of distributions and appliances that use it! Simply amazing.
Good news everyone. As of 30th June 2018, PCI compliance demands a minimum of TLS v1.1. Meaning it's illegal for your website to support IE6-10
It is requested that citizens descriptively name files on their computer, especially with regards to sensitive content.
Thank you for your compliance,
I just almost shat myself.
I altered the wrong database table column...truncated data we are required to keep for government compliance.
Luckily I had exported that table earlier today and was able to recover it all. I'm in need of a very strong drink right about now.
Once a CEO is 24*7 a CEO. For me it's Chief Experiment Officer
And only dreamers can have that title. One who dreams at night and work it out the following day.
Having a startup is much more than just having an idea
It's about revenue,
It's about value,
It's about team,
It's about impact,
It's about growth,
It's about compliance,
It's about being a finance, marketing, HR and tech expert at the same time.
It's about respecting the supporters,
At the end it's about the money you earn as an individual.
For playing all the above roles, you need to dream real big.
To me a startup is about falling in love with your work first.
By an Indian CEO
Requested an installer for Photoshop for my personal laptop...bcoz of compliance n licensing issue..they gave me company macbook air instead... Ok no problem 😁
You know GDPR compliance is going to create a whole new form of scam where scammers impersonate users and send data requests to companies to get people's info.
me: the source code is currently stored on GitHub and we use GitHub Actions after each update to compile your code into a binary before deploying to your servers
client: storing source code on GitHub (external server) is insecure and breaks compliance
me: so i guess you will need to have a copy of the source code on all your servers and build them directly there (too cheap to have a separate build server) instead of using GitHub Actions
me: keep in mind that all your certificates and tokens are going to be stored as plain text on all your servers, so if a hacker gains access to any one of your servers, they will have access to everything.
client: yeah, this is in compliance with our security policy
One company sent me GDPR compliance email with title "WE CARE ABOUT YOUR PRIVACY". Well, CC'd all 500 recipients...
Yesterday I was auditing my Win10 workstation for DoD/NSA compliance. I modified the wrong registry in the group policy and write-protected my C drive. That was a trip.
Am I the only one who doesn't judge a programmers contributions by commits or change history?
I'm frequently near the bottom of contributors, because I don't make a million commits when it's broken. And I don't commit lines that will likely disappear in later commits. I like to finish a function, test it, check it, rework, and then make a "made function()" commit, as opposed to:
"Wrote unit tests for function()"
"Style guide compliance"
Sorry that I keep my commit history clean and ensure it builds.
So there is a WP plugin for GDPR conformity. True to form of the shitty WP plugin ecosystem, it has a major security hole that allows taking over the WP installation:
Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...
On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...
It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.
Why isn't this ready for testing yet?
Could it be that despite multiple meetings emails and face to face conversations none of you have provided me with what I actually need?
Yes I can create you new email and SMS campaigns. But I need two little things first.
1 The template text.
2 The sign off forms from compliance
Without them I can't do shit. So stop chasing me on where we're at because I've been chasing you on this for two weeks.
This shit here is why I'm the grumpy IT guy.
You always think of the young buck, fresh-out-of-school hotshot devs as being the ones who are obsessed with chasing the Hot New Thing at the cost of stability and maintainability, but our head of front end is old enough to be my father and he's only getting worse and worse about forcing buzzword compliance on the company. New framework every six months. New language every two years. Containers on VMs on cloud boxes. I've got milk in my fridge that's older than our tech stack and probably twice as stable.
Apparently age only brings wisdom if you're capable of giving a fuck.
Today is Day Two of my Dev Ops Internship.
The only task I have been assigned today is GDPR compliance training, which I did not realize could be stretched out into so much repetitive detail.
I also sat in a meeting with a dev who committed his artifact builds to git and now needs us to remove them for him.
Also, I keep getting called Dylan. My name is not Dylan.
Asked to do reporting on all of our workstations and servers patching compliance. Invited to team meeting with head administrator which should know where this data is stored and how to get to it. After five minutes can already tell this guy is all talk and has no clue about anything. To make matters worse he has a list of certifications and qualifications in his email signature. I figure out on my own where the data is, how to get access to it, and build reports which show just how terrible the head administrator is at patching and in general just useless. Roll forward two months, his boss comes and tells me useless admin has been let go and that I'll have a new admin to work with that actually knows stuff. HOW DO THESE PEOPLE GET HIRED!?
Asked a client how they were getting on with the GDPR preparations, knowing they sometimes ask me to check documentation and such.
them: "What's the GDPR"
me: "it's the new European privacy law coming near the end of May, it's ok, most of the work should be covered by your PCI DSS compliance paperwork with a few tweaks."
them: "oh, we just pay the non-compliance fee for that"
me: "wait what? well who's your data controller registered under the ICO, required due to cctv being used"
them: "oh isn't that optional?"
me: "ok so here's my hourly, or i can quote for the whole compliance project"
I know not everyone is tech minded and GDPR hasn't been that well advertised, but jeez...
Time to switch to offline and hide in some dark corner to get work done. Tired of all the IM’s and coming over to my desk from 1 person for “critical” work. If they’re all critical then none of them are truly critical. If you sit on the data for 2 months, and then today is the day it becomes critical and the compliance issue is because of your ineptitude, then it’s a you problem not an IT problem. Then on top of that you submit your data to be loaded in the incorrect request form and spreadsheet format; you can go fuck yourself asking this be done in an hour. It could be done in 15 minutes if you had it in the correct format as specified in the 20 meetings over the past year which removed all manual analysis and automated the entire process, you idiot. Now I have to get it into the correct format in that hour so I don’t have to do the analysis for you.
I have other things to do besides your etl tickets, like finding the actual problems in our actual critical applications. You know the ones where the VP’s of this giant corporation start calling if they go down.
Sorry for the rambling guys.
I really need to vent. Devrant to the rescue! This is about being undervalued and mind-numbingly stupid tasks.
The story starts about a year ago. We inherited a project from another company. For some months it was "my" project. As our company was small, most projects had a "team" of one person. And while I missed having teammates - I love bouncing ideas around and doing and receiving code reviews! - all was good. Good project, good work, good customer. I'm not a junior anymore, I was managing just fine.
After those months the company hired a new senior software engineer, I guess in his forties. Nice and knowledgeable guy. Boss put him on "my" project and declared him the lead dev. Because seniority and because I was moved to a different project soon afterwards. Stupid office politics, I was actually a bad fit there, but details don't matter. What matters is I finally returned after about 3/4 of a year.
Only to find senior guy calling all the shots. Sure, I was gone, but still... Call with the customer? He does it. Discussion with our boss? Only him. Architecture, design, requirements engineering, any sort of intellectually challenging tasks? He doesn't even ask if we might share the work. We discuss *nothing* and while he agreed to code reviews, we're doing zero. I'm completely out of the loop and he doesn't even seem to consider getting me in.
But what really upsets me are the tasks he prepared for me. As he first described them they sounded somewhat interesting from a technical perspective. However, I found he had described them in such detail that a beginner student would be bored.
A description of the desired behaviour, so far so good. But also how to implement it, down to which classes to create. He even added a list of existing classes to get inspiration or copy code from. Basically no thinking required, only typing.
Well not quite, I did find something I needed to ask. Predictably he was busy. I was able to answer my question myself. He was, as it turns out, designing and implementing something actually interesting. Which he never had talked about with me. Out of the loop. Fuck.
Man, I'm fuming. I realize he's probably just ignorant. But I feel treated like his typing slave. Like he's not interested in my brain, only in my hands. I am *so* fucking close to assigning him the tasks back, and telling him since I wasn't involved in the thinking part, he can have his shitty typing part for himself, too. Fuck, what am I gonna do? I'd prefer some "malicious compliance" move but not coming up with ideas right now.
Ironic considering they are literally making money off of GDPR compliance, I can't be fucked to report them, but I truly hope somebody makes them choke a knife.
I'm working with a consultant group at my company to implement a new authentication strategy for our entire platform.
The senior dev lead from the consultant group has 25+ years consulting and claims to have written a web browser for the blind and all sorts of in-depth accessibility things.
Stakeholders tell us "Don't forget about accessibility compliance on this project"
Senior dev lead with all this claimed accessibility experience asks me, "What does accessibility mean?"
I write web software that gets sold to enterprise customers. A major part of the work flow is running reports that get exported as PDFs that users have to keep track of for compliance purposes. Just under a week ago, a select few reports quit printing. Once the issue worked its way through the red tape and eventually got to the point where a developer (me) could/had to look at it and pull server logs, I noticed that the report was trying to access a column that I had just created a week or so ago.
We have a six week release cycle. Six is a bigger number than one.
Turns out the production reports server was pointed at the preview environment which has a release cycle of whatever the fuck we want. To compound the problem, our operations team had a national holiday, so running reports was broken a full day before anything could be done. Then the next day, when the ops person got into the office, it took a few hours to convince them that yes this is a problem and yes this needs to be fixed.
But of course midday deployments/restarts of anything ever is out of the question. Chalk up another day of downtime. And of course we *just* sold to a new major customer.
Happy onboarding week guys.
Taking required compliance training on preventing bribery and money laundering...
Me: we need to manually prevent it? How well has that worked in the past.... And you know with Russia...
All that mandatory bullshit, where they're trying to take the most boring thing ever (ie policies), and gamify it, throw shitload of multimedia on it, make it interactive and think anybody is going to care.
I don't want to watch your fucking videos where employees are trying to enact policy violations.
I'm not going to follow the policies and cooperate with HR as they're not to be trusted in the first place.
Where the hell is the "skip bullshit" button, which takes me to the end of the training, where I click the "I Acknowledge" button, because agreement/liability confirmation is the only thing they're after anyway.
Taking mandatory corporate compliance training that says what things I am not allowed to do...
BUT it's actually quite interesting because I never knew you could do these and well it's starting to give me ideas....
Seriously trying not to fall asleep during compliance training at work....there's SIX HOURS worth of content each employee has to go through annually on their bday month....it's making me so slee....😴
first some background. I'm an intern coming in on the end of my internship (tomorrow's my last day). I've been working on a reasonably important project, more specifically a restful API. We have automation set up so that any commits to master on GitHub are pushed out into a live, accessible version. Some guy (let's call him dumbass) joined our team last week, and has had a few ideas
Dumbass: *opens pull request to my repo*
My boss: *requests changes*
Me: *requests different changes*
(All this before even testing his code, mind you)
Dumbass: *makes requested changes*
Me: *approves changes*
A day passes
My boss: *approves changes*
Me (not even 10 seconds after my boss approved changes): *requests more changes*
(Still haven't tested his code, I just ran a PEP8 compliance test)
Dumbass: *MERGES CHANGES TO MASTER*
Literally EVERYTHING breaks because he was importing a module that's not available
We don't notice until later that day (I'm still working on writing the tests for the automation, for now changes get put on live version even if everything breaks -- tool is still in beta, so everyone working on it (a whole 3 people) knows to TEST THEIR SHIT BEFORE MERGING TO MASTER.)
WHY EVEN BOTHER WITH THE PULL REQUEST IF YOU WERE GOING TO MERGE TO MASTER YOURSELF ANYWAY??!??!??
My frustration cannot be properly conveyed through text, but let's just say this guy's been there a week, I already didn't like him, and then he fucking does this.
What the hell is the point of this small projects team spending 2-3 months on developing an extensive logging system for an internal application for inside and outside customers to use if your application isn’t going to log any of the fucking errors. Sure you write the failure status to the database, but it just says failure with an even more vague explanation than microsoft’s errors. “An error occurred”. No shit, that’s why I’m looking in the logs and database to debug the application to get these files on their merry way so our company can stay in compliance with the state, feds, and not pay out the wazzoo in fines. All our other applications state where the error occurred, such as “failed to connect to the email server”, why can’t this one?
What would you do if you discover a major security flaw in an enterprise product that claims to be secure and has GDPR compliance? Like a really major flaw in a core feature of the product!
Oh! Damn No No Nooooo
Our team was working on upgrading our infrastructure for PCI Compliance for two months. Did all assessments and testing and waited for long approvals. Finally, we finished all upgrades smoothly.
After we submitted our report to Infrastructure, that guy comes with Audit reports stating that the PCI Compliance requirements have changed.
And we were like, we just upgraded a few hours ago, how come it changed? And we have to do the whole job again. Just want to flip tables now.
meeting was about how we as developers should abide by the rules that compliance set forth. we argued that we cannot do our jobs if they block access and configuration on our development systems. they don't realize that our dev boxes are configured organically to allow for those stupid deadlines.
Imagine the nooblet hell it would create if Python would throw actual errors all over the place if pep8 has been violated...
sidenote: I post this rant because I had to help my girlfriend and her project partner (for her study) because partner refuses to write readable code (no comments in the code at all as well) and both refuse to write in compliance with pep8 "because it's useless"
Man I'm annoyed!
TL;Dr what does it mean "we're trying to reduce options to a minimum", why don't you go closed source!? why don't you remove themes!?
For anyone who uses rofi, they would know that a few months ago an update made it more compliant with the free-desktop spec, that it only uses the first .desktop file for the given Name tag.
I only found out about this recently as I was only able to update Manjaro recently, and it really annoyed me, cause it took me a while to figure out why tons of my desktop entries disappeared.
Turns out someone made an issue about this, and the given answer was: "that's against the spec". Ok, fine. But when I asked if they could add an option to still ignore that aspect of the spec (i.e. --show-duplicated), the response I got was: "going against the spec is a no-go". WHAT!?
There are so many things that have behavior that goes against the spec (ex. gnu-utils), why can't they add an option to do this!? An OPTION!?
When I decided to try (I don't know C yet) and make a PR, the first and last (it got locked afterwards!) comment I got was:
" As explained on #941, this is a no-go. We want to reduce the number of options to the minimum, and non-compliance to a well-defined and widely implemented spec is definitely not something we want."
Why are you so closed minded!? Yes compliance is amazing, but it's not a safety standard, it's okay if you *give an option* to go against the spec!!!!
WHAT THE HECK!?!?!? WHY!?!?!?
Why is an open source project closed to new features that are part of the scope of the project, and require minimal maintenance!?
How did you get the people from Info Security and Compliance on board this continuous delivery thing ?
I am being asked to run antivirus scans on my own code and binaries as part of build.
Is this common practice? Am I missing something?
I am going to deploy stuff on Azure PaaS. I can understand having malware scan agent on azure VMs scanning the infra, but this?
TLDR, need suggestions for a small team, ALM, or at least Requirements, Issue and test case tracking.
Okay my team needs some advice.
Soo the powers that be a year ago or so decided to move our requirement tracking process, test case and issue tracking from word, excel and Visio to an ALM.. they chose Siemens Polarion for whatever reason, assuming because of Teamcenter some divisions use it..
Ohhh and by the way we’ve been all engineering shit perfectly fine with the process we had with word, excel and Visio.. it wasn’t any extra work, because we needed to make those documents regardless, and it’s far easier to write the shit in the raw format than fuck around with the Mouse and all the config fields on some web app.
ANYWAY before anyone asks or suggests a process to match the tool, here’s some back ground info. We are a team of about 10-15. Split between mech, elec, and software with more on mech or elec side.
But regardless, for each project there is only 1 engineer of each concentration working on the project. So one mech, one elec and one software per project/product. Which doesn’t seem like a lot but it works out perfectly actually. (Although that might be a surprise for the most of you)..
ANYWAY... it’s kinda self managed, we have a manger that that directs the project and what features when, during development and pre release.
The issue is we hired a guy for requirements/ Polarion secretary (DevOps) claims to be the expert.. Polarion is taking too long too slow and too much config....
We want to switch, but don’t know what to. We don’t wanna create more work for us. We do peer reviews across the entire team. I think we are pseudo agile/scrum but not structured.
I like jira but it’s not great for true requirements... we get PDFs from oems and converting to word for any ALM sucks.. we use helix QAC for Misra compliance so part of me wants to use helix ALM... Polarion does not support us unless we pay thousands for “support package” I just don’t see the value added. Especially when our “DevOps” secretary is sub par.. plus I don’t believe in DevOps.. no value added for someone who can’t engineer, only pseudo-direct. Hell we almost wanna use our interns for requirements tracking/record keeping. We as the engineers know what to do and have been doing shit the old way for decades without issues...
Need suggestions for small team per project.. 1 software, 1 elec, 1 mech... but large team overall across many projects.
Sorry for the long rant.. at the bar .. kinda drunk ranting tbh but do need opinions...
Trying to complete a compliance course by taking vpn from client site. The internet is so slow, a video of 1:20 has reached 0:47 in the last 20 mins. The whole course is 60 min long. How am I gonna complete this course!
When you can’t correct a grammatical mistake in some copy because it has already gone through compliance 🙄
Company denied me access to geckoboard stating compliance. Damn, created a self-made one with gridster & dashing. Now, they want me to make it reusable.