| Name | Ron Crane |
| Organization | N/A |
| Post Date | 9/30/2005 |
| Section | .20.1.4 |
| Page no. | |
| Line no. | |
| Comment | 7d. |

d. Vol. II, §1.4(a) introduces further ambiguity about code review when it says that the testing process includes

"Code review for selected software components"

Why are only "selected software components" subject to code review? But Vol. I, §1.7.1.2 seems somewhat to contradict this, saying that

"Specialized software for ballot preparation, election programming, vote recording, vote tabulation, vote consolidation and reporting, and audit trail production shall be subjected to code inspection."

Which is it? It would appear that software whose professed purpose does not concern "ballot preparation" need not be inspected, even if it runs in the same environment as software that must be inspected. An unscrupulous vendor can use any uninspected software, whatever its professed purpose, to cheat.

For security purposes, limited code review has very limited usefulness, and should be replaced by a regime of comprehensive review.