IT due diligence and software quality for fintech startups

SZ
www.softwarezaken.nlwww.startupjuncture.com
SOFTWARE AUDIT AND DUE
DILIGENCE FOR STARTUPS
Invited talk at Startupbootcamp FinTech, London, October 8th 2014
By Sieuwert van Otterloo

SZ
About Sieuwert van Otterloo
Current activities:
• IT strategy consultant since 2005 (McKinsey, SIG)
• Startup enthusiast since 2010 (investor, journalist,
occasional entrepreneur)
• IT-legal expert

SZ
Secondly: Share tips and
tricks related to quality and
audits
Goals tonight
Most importantly: Helping you
gain your customers’ trust through
focus on quality

SZ
Agenda
1. Banks
and
quality
2.
Startups
and
quality
3.
Managing
audits
4.
Reaching
quality
“Your customers
care about your
software”
“You
should
care”
“Minor tips and
tricks”
“Important tips
and tricks”

SZ
1. Corporates and IT quality
• Enron: went from $ 70 billion to zero in a
couple of months
• Biggest accounting scandal in history,
second biggest bankruptcy
• Caused a change in regulations:
Sarbanes-Oxley
senior executives take individual
responsibility for the accuracy and
completeness of corporate financial
reports
requires that the company's "principal
officers" (typically CEO and CFO) certify
and approve the integrity of their company
financial reports

SZ
Legacy problems
Then:
• Computer systems are not
developed to run forever.
• Before 1990, taking 4 digits to
store a year seemed a waste
of space
Now:
• It is incredibly hard to migrate
data out of live systems
• It is incredibly hard to replace
old COBOL systems: systems
from 1980 are still running in
banks!
1956: IBM harddrive

SZ
IT failure happens often...
LOS ANGELES (AP) — Flights to and from airports in the
Los Angeles area were grounded for more than an hour
Wednesday due to a computer failure at an air traffic control
facility in the region, the Federal Aviation Administration
said. The problems rippled nationwide. […]
The ERAM system is critical to the FAA's plans to transition
from a radar-based air traffic control system to satellite-
based navigation, but its rollout is years behind schedule
and hundreds of millions of dollars over budget.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html

SZ
... And is caused by legacy software
ERAM is replacing another computer
system that was so old that most of
the technicians who understood its
unique computer language have
retired.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html
Image: IBM 3070

SZ
Another case: Denver airport
The airport's computerized baggage system, which was supposed to reduce
delays, shorten waiting times at luggage carousels, and cut airline labor costs,
was an unmitigated failure.
The airport opening was originally scheduled for October 31, 1993, with a
single system for all three concourses. Issues with the baggage system
delayed the opening to February 28, 1995, with separate systems for each
concourse and varying degrees of automation.
The system's $186 million original construction costs grew by $1 million per day
during months of modifications and repairs.

SZ
Team
growth
Selling your
company
Buy another
company
Software maintainability is important for scaling
startups
Idea
MVP
Product /
market fit
Reduce risk of
chaos
Need to pass
due diligence
process
Need to sanitize
and integrate

SZ
Maintenance cost matters more than
development cost for companies
Conservative example:
• The system needs 15% maintenance per year
• The system grows 10% per year
• System lasts 10 years
Result: maintenance costs are 140% higher than development cost
- 15
17
18
20
22
24
27
29
32
35
239
100
0
25
50
75
100
125
150
175
200
225
250
275
build Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7 Year 8 Year 9 Year 10 Total

SZ
Dealing with audits, assessments and other
interference

SZ
Assessments are a step towards money
1. A large company
wants to buy your
service
2. Someone wants
to buy your
company
Product focus Company focus

SZ
... Or a clear signal of trouble
• Project termination
• Crisis management
• blame assignment

SZ
A good assessment process includes context
System
context and
business
strategy
Risks
Quality
Economics
Is the input for
determining …
Are the basis
for…
Conclusions
Code
Review and
factfinding
Recommen-
dations

SZ
How not to deal with an assessment
Develop a system as fast as
possible at minimal cost
OK, here it is
Can you audit the system?
What quality standards did you
demand?
What quality standards did you
use?
None, we focused on cost and
speed
We asked nothing special, but
we expect a fit for use system
conforming to industry best
practices
Client SupplierAssessor
Let’s report a lot of findings to
show that we worked really
hard

SZ
A better way to deal with assessments
Develop a system as fast as
possible at minimal cost Here is our own standard, is that good enough
for you?
What quality standards did you use?
We agreed on this standard. We checked to
code and it complies. Let us know if you find
any issues
We worked really hard and have
these findings
Well done! We do not see major risks, but if
needed we have a quality process and can fix
these in the next release.
The quality is what has been agreed,
and will be even better in the next
release
Client SupplierAssessor

SZ
How to deal with due diligence
1. You cannot determine the outcome directly but you can influence the
process: you can set conditions before you provide your data.
2. Keep it short by starting late: Do not start the assessment before the other
deal details are sorted out
3. Ensure the goal is limited: For instance to determine whether the software
has issues that cannot be fixed and cause major risks
4. Ensure involvement: Auditors should listen to your side, share and discuss
findings before reporting any issues.

SZ
How to reach quality?
... perfection is finally attained not when
there is no longer anything to add, but
when there is no longer anything to take
away ...

SZ
ISO 25010 is the official standard for software
quality
ISO 25010:
Software
product quality
Functional
suitability
Reliability
Performance /
efficiency
Operability
Security
Compatibility
Maintainability
Portability
Visible Invisible

SZ
Official standards for security
• ISO 27001 : formal, heavy
framework
• SANS: open initiative with good list
of controls
• OWASP: open initiative with a good
top 10

SZ
Step 1: joint ownership and responsibility
• Everyone in the team should
feel comfortable explaining
each line of code
• All founders should be
interested in the code on
which the company runs

SZ
Step 2: quality process
• Know and use agile, scrum and SAFe
• Build a working system at least every two weeks
• Agree on code quality standards
Structure
Tools
Mindset
• Create a fully automated daily build process
• Use automated tools (checkstyle, FxCop, Simian, PMD, Sonar)
• Monitor issues daily
• Address root causes of issues in retrospectives:
• Training needs for new and current developers
• Important refactoring actions
• Adjustments to quality standards

SZ
Measure – measure – measure: volume
Very small Nice and
small
Hard to
handle
Impossible
< 10.000 lines
of code
< 100.000
lines of code
Less than
500.000 lines
of code
>500.000
lines of code

SZ
Putting volume into perspective
0
1 1
6
7
5
10
8
12
18
11
10
1 1 1
0
0
2
4
6
8
10
12
14
16
18
20
A
100-200
B
200-500C
500-1kD
1k-2kE
2k-5kF
5k-10k
G
10k-20k
H
20k-50k
I50k-100k
J100k-200k
K
200k-500k
L
500k-1MM
1M
-2MN
2M
-5M
O
5M
-10MP
10M
-up
Nr.ofsystems
Volume in lines of code
System volume

SZ
Measure, measure, measure – actual
technologies used
Java
Simple
stack
Java
Complicated
stack
Javascript S
he
ll
C
‘Legacy’ stack
XML
PL/SQL
php perl
Java XSLT
x8
6
Java system 1 Java system 2 Java system 3

SZ
Measure, measure, measure: Duplication
Found 185 duplicate lines in the following files:
Between lines 29 and 235 in /java/jabref-2.9.2/src/java/net/sf/jabref/export/layout/format/FormatChars.java
Between lines 31 and 239 in /java/jabref-2.9.2/src/java/net/sf/jabref/oo/OOPreFormatter.java
Found 194 duplicate lines in the following files:
Between lines 130 and 397 in /java/jose-144-source/java/de/jose/util/Metaphone2.java
Between lines 129 and 396 in /java/jose-144-source/java/de/jose/util/Metaphone.java

SZ
Measure, measure, measure: Complexity
Source: SweetHome 3D, fileOBJWriter.java
Best: less than 7
decision points per
method (128 paths)
Mediocre: less than 10
(1024 paths)
This code: 36 decision
points (
68,719,476,736 paths)
public boolean equals(Object obj) {
if (obj instanceof ComparableAppearance) {
Appearance appearance2 = ((ComparableAppearance)obj).appearance;
……..
if (!color1.equals(color2)) {
return false;
} else if (material1.getShininess() != material2.getShininess()) {
return false;
} else if (material1.getClass() != material2.getClass()) {
return false;
} else if (material1.getClass() == OBJMaterial.class) {
OBJMaterial objMaterial1 = (OBJMaterial)material1;
OBJMaterial objMaterial2 = (OBJMaterial)material2;
if (objMaterial1.isOpticalDensitySet() ^ objMaterial2.isOpticalDensitySet()) {
return false;
} else if (objMaterial1.isOpticalDensitySet() && objMaterial2.isOpticalDensitySe
&& objMaterial1.getOpticalDensity() != objMaterial2.getOpticalDensity(
return false;
} else if (objMaterial1.isIlluminationModelSet() ^ objMaterial2.isIlluminationMo
return false;
} else if (objMaterial1.isIlluminationModelSet() && objMaterial2.isIlluminationM
&& objMaterial1.getIlluminationModel() != objMaterial2.getIllumination
return false;
} else if (objMaterial1.isSharpnessSet() ^ objMaterial2.isSharpnessSet()) {
return false;
} else if (objMaterial1.isSharpnessSet() && objMaterial2.isSharpnessSet()
&& objMaterial1.getSharpness() != objMaterial2.getSharpness()) {
return false;
}
}
}
}
}
}

SZ
Other important aspects
• Missing exception handling
• TODO comments
• Long ‘do-it-all’ files
• Memory actions and leaks
• Safe use of user strings
• Complex queries
• Code copyrighted by others
• Queries as strings
• URL manipulation
• Input validation

SZ
Conclusions
Software quality is important for any growing or grown company
Once people care, you can achieve quality
By managing the process, you can pass audits and gain your customers’
trust

SZ
Thank you!
IT strategy
maintainable
software
Starting with agile
/ scrum
Lean startup
Secure software
development
Call or mail me:
otterloo@gmail.com
+31 6 1050 9674
Lean startup for
corporates
Startup search &
selection
IT contracts
IT management
for non-IT

IT due diligence and software quality for fintech startups

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to IT due diligence and software quality for fintech startups

Similar to IT due diligence and software quality for fintech startups (20)

Recently uploaded

Recently uploaded (20)

IT due diligence and software quality for fintech startups