Gary Frost discusses the risks of software failures in financial services and argues for embracing continuous delivery to reduce risks. He outlines how traditional development practices led to failures due to high velocity and risks. Regulations increased controls but also reduced agility. Automating testing, deployment and maintaining a living architecture can balance velocity and risk. Financial services must evolve practices or risk disruption from innovative fintech companies moving faster through continuous delivery.
Continuous Delivery - The ING Story: Improving time to market with DevOps and... (CA Technologies)
ING Bank implemented continuous delivery and DevOps practices to improve their software delivery cycle. This allowed them to reduce time to market from over 20 weeks to just 4 days by automating testing, deployments, and enabling developers and operations teams to work together. Some challenges included changing organizational culture and mindsets, acquiring talent with continuous delivery skills, and ensuring supplier alignment with more frequent releases. Continuous delivery provided business benefits like increased release frequency, fewer outages, and improved customer experiences, but risks like security need ongoing attention for systems handling financial services.
DOES SFO 2016 - Topo Pal - DevOps at Capital One (Gene Kim)
In my previous years’ talks at DevOps Enterprise Summit, I spoke about starting and scaling DevOps at Capital One, and about the importance of Open Source, Open Technology and Innovation in DevOps.
This year, I will present Capital One’s journey of maturing in DevOps and Continuous Delivery. My presentation will cover our current areas of focus: Delivery Pipeline, Flow and Measurements. I will also share some of the problems we faced and what we did to solve them.
DevOps and Continuous Delivery Reference Architectures (including Nexus and o... (Sonatype)
There are numerous examples of DevOps and Continuous Delivery reference architectures available, and each varies in level of detail, tools highlighted, and processes followed. Yet there is a constant theme among the tool sets: Jenkins, Maven, Sonatype Nexus, Subversion, Git, Docker, Puppet/Chef, Rundeck, ServiceNow, and Sonar show up time and again.
Security Best Practices for Mobile Development @ Dreamforce 2013 (Tom Gersic)
This document discusses security best practices for mobile development. It covers fundamental security principles like vulnerability, threat and mitigation. It details security measures in iOS like application sandboxing, permissions and encryption. It also discusses Android security concepts like application components and permissions. The document recommends practices like static analysis, encryption, jailbreak detection and the use of the Salesforce mobile SDK to help secure mobile apps and data.
IBM Power Migration without the Risk and Downtime (Precisely)
Whether you are refreshing server hardware to POWER9, reorganizing storage, or consolidating data centers, migration plays an important role in keeping your IBM i environment up to date, efficient, and productive. Yet, IT pros often fear migration projects due to past experiences with intolerable downtime, lack of predictability, and time demands. View this webinar on-demand and learn how Syncsort can help organizations like yours accelerate your migration project, minimize risk and eliminate downtime.
Key topics include:
• What your peers say about their migration challenges
• How to migrate without downtime using replication
• Minimizing migration risk and resource demands
• How Syncsort can help
The growing business pressure to deliver new functionality and applications faster drives companies to implement practices such as Continuous Delivery.
In the enterprise, mobile devices and mobile apps need to be secure. A lost or stolen phone or tablet can mean your company data falling into the wrong hands. Join us to explore the security features available on iOS and Android. Learn how app data can be compromised and learn best practices for the development of secure enterprise apps on both platforms.
Agile Project Failures: Root Causes and Corrective Actions (TechWell)
Agile initiatives always begin with the best of intentions—accelerate delivery, better meet customer needs, or improve software quality. Unfortunately, some agile projects do not deliver on these expectations. If you want help to ensure the success of your agile project or get an agile project back on track, this session is for you. Jeff Payne discusses the most common causes of agile project failure and how you can avoid these issues—or mitigate their damaging effects. Poor project management, ineffective requirements development, failed communications, software development problems, and (non)agile testing can all contribute to a failing project. Learn practical tips and techniques for identifying early warning signs that your agile project might be in trouble and how you can best get your project back on track. Gain the knowledge you need to guide your organization toward agile project implementations that serve the business and the stakeholders.
A Closer Look at Isolation: Hype or Next Gen Security? (MenloSecurity)
This webinar looks at Isolation from different viewpoints. Learn from a Menlo Security customer, along with John Pescatore, Director of Emerging Technologies at SANS Institute, and Kowsik Guruswamy, Menlo Security CTO, as they explore why organizations around the globe are looking at isolation as the means to protect their users from ever-present web and email dangers.
The document discusses insider threats and cybersecurity. It notes that the biggest threat companies face is from insiders such as employees and vendors. Since doing nothing about cybersecurity risks costly data breaches and fines, companies should implement regular employee training, vet vendors thoroughly, and create a risk management plan to address vulnerabilities. The presentation introduces threat-modelling frameworks for assessing risk, STRIDE for classifying threats and DREAD for scoring them, and recommends prioritising the highest-impact risks with mitigation strategies and an incident response plan.
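As an added illustration of the STRIDE/DREAD prioritisation the summary mentions (this code is not part of the presentation), the following small threat register tags each threat with its STRIDE category, scores it on the five DREAD factors and ranks the result. The sample threats, their ratings and the HIGH/MEDIUM/LOW thresholds are constructed assumptions, not values from the source.

```python
"""Rank threats from a threat model by DREAD score, tagged with a STRIDE category.

Added example; the threat register below is constructed for illustration and
is not taken from the presentation summarised above.
"""
from dataclasses import dataclass

# STRIDE classifies what kind of threat something is.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# DREAD rates how bad a threat is; each factor is scored 1 (low) to 10 (high).
DREAD_FACTORS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # one of the STRIDE letters above
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def dread_score(t: Threat) -> float:
    """Average of the five DREAD factors, 1.0..10.0; rejects malformed entries."""
    if t.stride not in STRIDE:
        raise ValueError(f"{t.name}: unknown STRIDE category {t.stride!r}")
    values = [getattr(t, f) for f in DREAD_FACTORS]
    for factor, value in zip(DREAD_FACTORS, values):
        if not 1 <= value <= 10:
            raise ValueError(f"{t.name}: {factor}={value} is outside 1..10")
    return sum(values) / len(values)


def band(score: float) -> str:
    """Map a DREAD score to a handling band. Thresholds are an assumed policy."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def prioritise(threats):
    """Return (threat, score, band) tuples, highest score first.

    Ties are broken by the damage factor so that, at equal overall risk, the
    threat that hurts most is handled first.
    """
    scored = [(t, dread_score(t)) for t in threats]
    scored.sort(key=lambda ts: (ts[1], ts[0].damage), reverse=True)
    return [(t, s, band(s)) for t, s in scored]


# Constructed sample register for a hypothetical HR portal with vendor access.
SAMPLE_THREATS = [
    Threat("Contractor reuses shared admin password", "S", 8, 9, 8, 6, 7),
    Threat("Vendor upload tool lacks audit logging", "R", 5, 10, 6, 3, 4),
    Threat("Payroll export readable by all staff", "I", 9, 10, 9, 9, 8),
    Threat("Login form rate limit missing", "D", 3, 8, 7, 4, 6),
]

if __name__ == "__main__":
    for threat, score, level in prioritise(SAMPLE_THREATS):
        print(f"{level:<6} {score:4.1f}  {STRIDE[threat.stride]:<24} {threat.name}")
```

Running the block prints the register ordered for the mitigation backlog: the payroll disclosure (9.0) and the shared admin password (7.6) land in HIGH, and the two 5.6 entries are ordered by damage. The band thresholds are the part most worth tuning to your own risk appetite.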
Protecting endpoints from targeted attacks (AppSense)
This document discusses strategies for protecting endpoints from targeted attacks. It begins with an overview of the increasing threats facing organizations from malware and cyber attacks. It then outlines five principles for an effective endpoint security strategy: 1) get organizational endpoints in order through vulnerability management and application control, 2) focus on protecting data rather than infrastructure on unmanaged devices, 3) utilize thin clients and cloud-based solutions, 4) implement a zero-trust approach to authentication, and 5) maintain visibility into endpoint activity. The document recommends implementing application control, patching vulnerabilities, deploying recommended security practices, improving authentication, and integrating network and endpoint security controls. It emphasizes continuing to shift focus to securing unmanaged devices by decoupling protection from infrastructure.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Staying ahead of a Constantly Changing Environment. A presentation by Tony DeLaGrange, Senior Security Consultant of Secure Ideas, May 2012 to the JAX Chamber IT Council.
Business & Technology: How to Strike the Right Balance for Success (Salesforce)
At salesforce.com, we are committed to thinking differently and constantly pursuing fresh new ideas. Salesforce Services, the world’s highest group of SFDC experts & innovators, hosts knowledge-share events to share ideas with those within the professional services community.
SFDC thought leaders Israel Forst and John Rizzo facilitated a discussion on "Business & Technology: How to Strike the Right Balance for Success", focusing on both the Sales and Delivery perspectives.
Here is the slide deck from their presentation...enjoy!
Supercharge Your Digital Transformation by Establishing a DevOps Platform (XebiaLabs)
Although DevOps practices have gained wide adoption across industries, many organizations are still failing in their digital transformation efforts because they focus on tools over people and processes. You can avoid this trap by providing DevOps as a platform that is built and maintained by experts who provide standardized tools, templates, and processes to teams across the organization—regardless of those teams’ roles within the company, the type of applications or environments they work with, or the software delivery patterns they’ve adopted.
A centralized DevOps platform allows developers to leverage predefined delivery processes, so they don’t have to reinvent the wheel to get their apps into Production. It also helps ensure the right processes are followed and the right people are involved at the right times. A DevOps platform can provide both technical users and business stakeholders with end-to-end visibility into the software delivery process—promoting information sharing and collaboration across the organization.
Learn how to successfully implement a DevOps platform in your organization, so that every team gets the tools, templates, and visibility they need to deliver software faster than ever before.
Your database holds your company's most sensitive and important assets: your data. All those customers' personal details, credit card numbers and social security numbers; you can't afford to leave them vulnerable to any breach, from outside or inside.
This document discusses how IT leaders can better communicate with executives. It finds that executives care most about business imperatives, benefits realization, unplanned outages, risk absorption, and systems critical to the business. IT leaders should focus on discussing strategy, costs, uptime, feasibility, security, and innovation. The document also emphasizes that executives are more concerned with critical service uptime during key business times than overall availability percentages. It stresses communicating cybersecurity risk by assuming sophisticated attacks will succeed and focusing on detection speed. Finally, it provides tips for IT leaders to connect with executives through their assistants, impromptu meetings, shared travel, and persistent engagement.
How To Handle Your Tech Debt Better - Sean Moir (Mike Harris)
Technical Debt, Legacy Code, Legacy Systems … whatever you want to call it, is a common problem. It needs to be surfaced to the people whose lives it affects the most: the users; stakeholders; purse holders; and any other recipients of a poor experience. Through awareness of these issues, these stakeholders can understand and endorse a need to change.
Human-made systems which once met a need and now cannot change to meet our emerging needs become like a tail wagging a dog. Who is in control here? The system? We humans created these systems; we ought to be able to change them. Note: this doesn’t just apply to technology.
In this session, Sean introduces a simple yet effective way to identify and prioritise what to work on, in a way which makes most sense for stakeholders and custodians.
- Given by Sean Moir for Ox:Agile Conference 2019.
Architecting in the Cloud: Choosing the Right Technologies for your Solution (Jeff Douglas)
This document discusses choosing cloud technologies and contains summaries of Appirio cloud solutions, products and services. It also includes case studies on Informa plc and DeVry University that used Appirio's cloud solutions to build applications on Force.com and Google App Engine. The document discusses using future methods in Apex to run long-running transactions and a "heartbeat" pattern to trigger events from outside of Salesforce.
Top 10 Things Logs Can Do for You, Today (SolarWinds)
There's no argument that log data is extremely useful for troubleshooting, but what else can it do for you while it sits there consuming space? We'll give you the Top 10 things to look for in your logs that can help spot trouble before it becomes serious.
The document discusses 6 things about cloud computing:
1. Cloud computing has enabled workloads and data to be served from centralized, shared infrastructure instead of individual desktop systems, improving governance and scalability.
2. Enterprise adoption of cloud computing has progressed through stages from trivializing it to full evangelization as its benefits are realized.
3. The cloud provides an integrated platform for applications, data, and users that can securely connect organizations to partners, customers and employees in new ways.
4. Issues around security and data governance in the cloud have been overcome as cloud infrastructure has proven more secure than traditional internal systems and legal access to data is similar worldwide.
Common Mistakes Salesforce Admins Make - #DF13 (Jared Miller)
Salesforce admins commonly make mistakes around data management including not cleaning data before and after imports, not planning for duplicate records, and having overly permissive field level security. Other common mistakes include having too many custom profiles, not managing change effectively through communication and planning, and not understanding users' needs by failing to ask questions and validate requirements.
Business applications like ERP, CRM, SRM and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause significant monetary and reputational loss, or even stop the business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
In this presentation given at Dreamforce 2013 Mike Gerholdt, Garry Polmateer, and Jared Miller give Salesforce Admins advice on managing their Salesforce instance and common mistakes we have made over the years.
The document discusses security best practices for mobile development. It covers fundamental security principles like vulnerabilities, threats, consequences, and mitigations. It also summarizes key similarities and differences between iOS and Android security models. Both platforms use device management, encryption, application signing and sandboxing. However, iOS has a more locked down approach while Android permissions allow more flexibility but with security tradeoffs. The document advocates defense-in-depth strategies like encryption, jailbreak/root detection, and hiding sensitive data from device snapshots.
Bring your Shmoo Balls, we have some juicy opinions on how the federal government should vet cloud services. After going through the FedRAMP authorization process with multiple companies, we have grey hair, scars, and some things to say.
We’ll go through some systemic problems and flag some of those weird controls that have always bugged us, and then when we’ve finished airing our grievances we’ll dig into the tough stuff: what can possibly change? Should it change? Will r5 ever be fully adopted? Should FedRAMP continue to exist?
Shea Nangle is a Director at a cybersecurity consultancy. He has been involved with FedRAMP (as a consultant and working for cloud service providers) since 2014. In 2023, he was recruited for the position of FedRAMP Director but chose to stay in private industry.
Wendy Knox Everette is a software developer & hacker lawyer who is currently the CISO at a healthcare data analytics firm. She has co-authored a peer reviewed article on FedRAMP in IEEE Security & Privacy, as well as another reviewing other security issues caused by control frameworks in NDSS.
How to achieve security, reliability, and productivity in less time (Rogue Wave Software)
This introductory session lays the foundation for boosting the effectiveness of mission-critical systems testing by covering industry best practices for code security, software reliability, and team productivity. For each area, you will learn how to mitigate the top issues by seeing real examples and understanding the tools and techniques to overcome them. This includes: The value of different testing methods; The importance of standards compliance; and understanding how DevOps and continuous integration fit in.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
More Related Content
Similar to Continuous Delivery for Financial Services from 51zero.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Continuous Delivery for Financial Services from 51zero.
1. Financial Services carry too much risk: it's time to embrace Continuous Delivery
Gary Frost – 51zero Ltd
www.51zero.com
linkedin.com/company/51zero
facebook.com/51zero/
@51zeroLtd
2. About me
Gary Frost, 51zero Ltd
• Managing Director, 51zero Ltd
• ~20 years investment banking IT
• 10 banks
• 4 countries
• Battle-scarred Agile pragmatist
3. Financial Services Carry Too Much Software Risk
• Defects: accidental or deliberate code defects
• Operations: performance degradation, system outages, failed deployments
• Security: information theft, hacking
• Agility: time to market, delivery/change velocity, development cost
4. Development in the late 90's/early 2000's
• Highly Agile: direct engagement with business, high velocity
• High Velocity, High Risk: little testing, unlimited access, no change control
[Chart: Velocity (Low/High) against Risk (Low/High); development in this era sits in the high-velocity, high-risk quadrant]
5. A history of some other failures in the 1990's/2000's
• 1996 – First National Bank of Chicago - $746 billion
  • Software bug
  • > $900m credited to each of 823 customer accounts
  • All funds recovered and systems corrected
  • Largest known error
• 2004 – Millions of customers affected as a major US bank suffers a software error in transaction processing - $100m loss
• 2005 – All trading halted in a major Asian exchange due to a software glitch
6. Sarbanes-Oxley (SOX): SOX controls from an IT perspective
• Comprehensive audit trails
• IT process controls
• IT operations control
7. Segregation of Duties
• Business person: identify requirement
• IT governance board: authorize & approve
• Developers: design / code
• Architect / Security / Others: review / inspect / approve
• System Admin / Ops: implement in production
Segregation of duties: no person should perform more than one of these roles.
8. Change control reviews prior to deployment (after the change has been agreed, developed and tested)
Review bodies: Architecture, Data, Security, Information Classification, Operations, Change Control
• 2 week process
• 6+ weeks for major changes
• Time intensive / laborious
9. The Cost Of This Process
• Increased Staff
• Time in meetings/review
• Architectural inflexibility
• Lower release frequency
• Reduced Agility
• Talent Acquisition/Retention
10. Low Velocity – Low Risk?
[Chart: Velocity (Low/High) against Risk (Low/High), with a "?" marking where post-SOX development sits]
11. Low Velocity – Low Risk?
[Chart: Velocity (Low/High) against Risk (Low/High)]
12. Failures since SOX (and other Regulations)
• 2012 – RBS/NatWest/Ulster Bank
  – Payments disrupted
  – > 12 million accounts impacted
  – Caused by a software update
  – Bank fined £54 million by regulators
  – 3 similar episodes since 2012
• 2012 – Knight Capital
  – New feature deployed to 7 of 8 servers
  – Orders routed to the 8th server caused 'test' price volatility in the live market
  – $440 million lost in 45 minutes
• 2015 – Barclays mobile banking glitch & card payments
• 2015 – HSBC payments failed before bank holiday
13. Why are we still failing?
If we’ve put in place all these safety measures, at such cost, then why do we still get so many failures?
14. Unmanageable Change Review Process
• Thousands of systems (n)
• Who can understand E2E?
• Many releases per system per year (m)
• = unmanageable change review requirement (n*m)
16. Adopting Continuous Delivery
01 Source Code & Build
• All code in modern VCS
• Pull requests / code review
• Code quality checks
• Build on change
• Binary repository
02 Automate Testing
• Security testing
• Software / license testing
• Performance testing
• Integration testing
• Consumer driven contracts testing
03 Automate Deployment
• Infrastructure as Code
• One click deploy
• Environment provisioning
• Containerization
• Orchestration / operating system for the datacenter
04 Living Architecture
• Metadata & data flows
• Generated architecture documents
• Living / breathing enterprise view
17. High Maturity Development
Test All The (F*) Time & Automate All The (F*) Things
Pipeline: build, provision, deploy across envs → E2E / integration testing → security / data testing → performance / destructive testing → promotion
18. The Biggest Blocker: silos lead to conflicting incentives
Change Review Teams
• Under extreme time pressure to review all changes
• Incentivized to manage risks
• Default position tends to "Unsafe / Stop"
Development Teams
• Under extreme pressure to implement features
• Incentivized to deliver quickly
• Default position tends to be "Safe / Go"
19. Highly Collaborative Environments: no more Us and Them
• Information Sec: "Let's write a test for secret data being written into the cloud"
• Security: "Let's write a test that simulates a DDoS"
• Ops: "Let's write a test that simulates a rack going offline"
• Dev: "Let's write the system so it can be tested, and so that WE can write the tests"
20. Look To High Performing Industry Leaders
Spotify, Google, HP, Twitter, Etsy, AirBnB, …
21. Move to High Velocity – Low Risk
[Chart: Velocity (Low/High) against Risk (Low/High); a high level of Continuous Delivery maturity moves development to the high-velocity, low-risk quadrant]
22. Not Trivial
• Not "Cheap and Easy" (we would have already done it)
• Not just about tool choice
• Not about hiring "DevOps" engineers
• Requires process change and organizational change
• There are isolated success stories – find them, study them, repeat them @ scale
23. FinTech Disruption
Well Funded + No Legacy + Moving Fast + Innovative ideas = Financial Service Disruption
FinTech companies are forming at a rapid pace, they are finding their place in the market, and they are attracting customers and funding. FinTech has now become a major risk to established Financial Service companies.
24. Evolve Or Face Extinction
"It is not necessary to change. Survival is not mandatory." (W. Edwards Deming)
The Future of Financial Services IT
25. Thank You!!!
I probably ran out of time. I'm passionate about CD/DevOps, Big Data and Financial Services, so catch me after or contact me on the channels below.
If I didn't, any questions?
Gary Frost, 51zero Ltd
www.51zero.com
linkedin.com/company/51zero
facebook.com/51zero/
@51zeroLtd
Editor's Notes
At 51zero we develop software, especially big data software, for Financial service organisations and we use Continuous Delivery in our development practices.
Gary Frost is the Managing Director of 51zero and has spent nearly 20 years in software development for Financial services.
This presentation focuses on software risk in Financial services, the risk of defects in the code, the risk of a security vulnerability, of malicious code change, of information theft, of a performance degradation or a wholesale systems outage; the risk of a software change or deployment which can introduce or cause any of these.
When I started in investment banking IT nearly 20 years ago, I was working for a relatively small investment bank in Australia. We used to work directly with the business, and often we would respond to their requests and make changes to the system within hours: we would make changes in development environments and push them rapidly into production, logging in and pushing our development changes ourselves. There was very little in the way of change control. This did allow us to be incredibly responsive and allowed a lot of innovation.
However, there was little in the way of controls around developer access to production; we had direct access to production systems and effectively no change control. It was indeed the wild west.
There are many examples of major software failures in Financial Services during the 1990’s/2000’s
Sarbanes-Oxley (commonly called SOX) came about because of a number of large-scale embezzlement and accounting fraud cases. It focuses on regulations and accounting practices put in place to avoid accounting scandals. From an IT perspective it requires:
Comprehensive audit trails
IT controls, especially in key systems such as financial processing, payments, payroll and general ledgers
IT operations controls and access controls
SOX also discusses segregation of duties, primarily within business processes, but a number of IT audits found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT.
As such it has become commonly accepted to implement separation of duties in large IT organizations, so that the same person or organization performs only one of the following roles:
Identification of a requirement (or change request); e.g. a business person
Authorization and approval; e.g. an IT governance board or manager
Design and development; e.g. a developer
Review, inspection and approval; e.g. another developer or architect.
Implementation in production; typically a change or system administrator.
The process of getting a change into production, once the change management team have worked with the business and the technology team to design the change and it has been fully UAT'ed, involves a lot of steps. It's not uncommon to see a flow like:
Architectural review from a central team - standard patterns, authorized software used, system simplification/rationalisation.
Data and database review from data base administration team
Software security review to look at network vulnerabilities, malicious code, clear-text passwords and encryption weaknesses
Information security review to ensure sensitive data is securely stored, appropriate level of control for the type of information
Operations review - review the support documentation, have training on support, and ensure the release instructions are comprehensive
Change coordination - signoff from all reviewers, upstream/downstream systems owners, schedule change
Then the operations team can deploy the change, working from a run book, often 10+ pages, written in a Word document.
It should be obvious that these processes come at a significant cost:
Staff - a significant increase in staff for all these change/review bodies
Time - lots of additional documentation, meetings and review
Architectural/technological inflexibility
Lower release frequency - no one wants to go through this too regularly, so changes stack up
Inevitably leading to a lack of agility
Talent acquisition/retention - because it's a competitive market, and those who can work at innovative, lean companies using the best technologies and development methodologies tend to want to do so
So we have traded speed, which created ticking time bombs, for a slower (sloth-like) pace which is safer. These measures must have massively reduced the risk of system issues, right? Wrong!
From my research and experience there has only been a marginal reduction in risk, but a very significant reduction in velocity.
Looking at some more recent failures.
2012 - “The worst banking meltdown to date hit millions of customers of RBS, NatWest and Ulster Bank, locking them out of their accounts for days, and in the case of Ulster Bank customers, for weeks. The glitch, the result of a software patch, led to the failure of the CA7 batch process scheduler and ended with 12 million customer accounts being frozen. The bank was fined £50 million by regulators but the episode is understood to have cost the bank more than £100 million.”
RBS/Natwest have had at least 3 similar episodes since 2012.
One of the most destructive recent software failures was Knight Capital.
In 2012, Knight Capital deployed untested software to a production environment which contained an obsolete function. The incident happened due to a technician forgetting to copy the new Retail Liquidity Program (RLP) code to one of the eight SMARS computer servers […] when released into production, Knight's trading activities caused a major disruption in the prices of 148 companies listed at the New York Stock Exchange; thus, for example, shares of Wizzard Software Corporation went from $3.50 to $14.76.
Knight Capital took a pre-tax loss of $440 million”
2015: Barclays experienced a number of technical glitches, which caused problems with mobile banking and card payments for some customers. The technical faults saw online and mobile banking services go down for periods throughout Friday afternoon, and some customers had issues withdrawing cash or making payments with their cards.
2015: “Thousands of people have been left without their salaries because of an IT glitch at HSBC that means employers who use its business banking accounts cannot make payments. Some 275,000 individual payments failed to go through on Friday leaving potentially hundreds of thousands of people without their pay on the Friday before the bank holiday weekend.”
Well, first let's take a quick peek at a not atypical system architecture. This diagram was shown at an event some time ago. It depicts all the individual processing components and their interdependencies in a single mortgage system at a large, full-service retail bank.
But you have to consider that over the years so many banks have been through mergers and acquisitions, and have had so many competing systems, that it's not uncommon for there to be many instances of such a system. I've heard of one bank with 50 different mortgage systems. And this is just mortgages; mix into that all the other activities that banks have, especially some of the complexities in investment banks and all the risk systems, and you can imagine the scale of the architecture. I once saw an attempt to draw it out: each box was a couple of cm big, and it covered an entire wall of a pretty large meeting room.
I know of an organization that is looking to modernize its architecture; it currently has 8000 systems, being worked on by over 30k technology staff.
With so many systems and so many changes being made, how can any centralized architecture function be reasonably certain of the impact of a change? How can a security team understand the end-to-end flow? No one can; it's impossible.
On top of that, with tens of thousands of technology staff actively developing, there are thousands of change requests being made each year. I've personally witnessed the workload of some of these change review teams: they have a stack of requests in front of them. They can only reasonably spend a short amount of time on each one; they can't take the time needed to perform a detailed review.
The same is true of operations teams: they are often not deeply familiar with the intricacies of the system, and are responsible for many systems. With dozens of systems to support, loads of changes to be implemented, and teams spread thinly, mistakes happen.
So, with so many problems present despite the efforts to improve quality and reduce risk, how can we improve, how do we solve these issues? This is where I believe adopting Continuous Delivery can help.
First off we should ensure we're using modern version control such as Git (most places are these days), and implement a pull-request-based model to enforce code reviews. This is an incredibly easy win and helps with code quality as well as knowledge sharing.
We also need a good build system and a binary artifact repository. We should also have code quality tools in place, checking for code complexity, bad practices, potential bugs etc., and for deviation from defined coding standards.
I could talk more on this: on how, for example, Google with 15k developers and over 4000 active projects works on a single monolithic source tree, with all developers working on head with sophisticated pre-tested commits, and how it is built and tested (75 million test cases run each day), all in minutes. But we could take up an entire hour talking just about this.
Instead, assuming most banks are not so sophisticated *yet*, let's say we already have a baseline of source code control, build infrastructure, unit tests and binary artifacts. Many Financial Service companies are already at this 'baseline'.
Then we can go on to look at the change process. When we actually stop to analyze much of the activity that goes on through these change review gates, we discover many formulaic processes. In the case of security reviews this is most certainly the case: penetration testing, packet sniffers checking network traffic, encryption checkers, cross-site scripting checks, and so on. These are steps that can be automated.
With the security teams and development teams working together to automate these processes, time will be freed in both teams, more security checks can be devised, and we reach a point of being 'very sure' that every single release is free of any security vulnerability the automated checks know how to find.
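Slide 19's InfoSec test ("a test for secret data being written into the cloud") and the clear-text password check in the security review above are exactly the kind of formulaic step that can run as a pipeline gate. What follows is an added example of such a gate, not code from the deck or from 51zero: it scans the files staged for a release for credential-bearing assignments and AWS access key ids, ignores values that are only placeholders resolved at deploy time, and refuses the release if anything is found. The sample files, the key-name patterns and the placeholder forms are constructed assumptions.

```python
import re

# Constructed sample of files staged for a release (not from the deck).
STAGED_FILES = {
    "config/app.properties": (
        "db.url=jdbc:postgresql://db.internal:5432/ledger\n"
        "db.user=ledger_svc\n"
        "db.password=Tr0ub4dor&3\n"          # clear-text credential: must block the release
        "cache.ttl=300\n"
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS's documentation example key
        "export LOG_LEVEL=info\n"
    ),
    "config/app.properties.template": (
        "db.password=${DB_PASSWORD}\n"       # placeholder injected at deploy time: allowed
    ),
    "src/Main.java": 'String apiKey = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";\n',
}

# Assignment of a credential-looking name to a literal value. The name list and
# the value syntax are assumptions for this example, not an exhaustive ruleset.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_.\-]*)"
    r"\s*[=:]\s*[\"']?([^\s\"',;]+)"
)
# AWS access key ids have a fixed prefix and length, so they can be matched directly.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Values that are references resolved later, not secrets: ${VAR}, {{ var }}, <placeholder>, $VAR
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|\{\{.*\}\}|<[^>]*>|\$[A-Z_][A-Z0-9_]*)$")


def scan_text(path, text):
    """Return (path, line number, kind) for every suspected secret in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            value = match.group(2)
            if PLACEHOLDER.match(value):
                continue
            findings.append((path, lineno, "clear-text credential"))
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, lineno, "AWS access key id"))
    return findings


def scan_release(files):
    """Scan every staged file; files is a mapping of path -> text content."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def release_allowed(files):
    """The gate: the release may proceed only if nothing was found."""
    return not scan_release(files)


if __name__ == "__main__":
    for finding in scan_release(STAGED_FILES):
        print("%s:%d: %s" % finding)
    print("release allowed:", release_allowed(STAGED_FILES))
```

Run it before the artifact is pushed to the binary repository, so a finding blocks promotion instead of surfacing in a review weeks later; in a real pipeline the file set is read from the build output and the findings are fed to whatever the security team tracks in.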
In Operations we can see many opportunities where Continuous Delivery can improve things. There are some obvious wins as we look at automated/scripted deployments. Beyond that, as we adopt Infrastructure as Code, we not only improve the certainty that the environments we deploy to through the dev/sit/uat/prod cycle are consistent, we also reduce or eliminate the risk of fat-finger deployment errors.
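The Knight Capital item on slide 12 (the new code reached 7 of 8 servers) is the failure mode an automated deployment should make impossible: the rollout is not finished until every host proves it is running the released artifact and configuration. As an added example, not code from the deck, here is a post-deploy verification that compares each host's reported digests against what the pipeline released and only then allows the feature to be enabled. The host names, the bundle bytes, the "smars-router" name and the way hosts report are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HostReport:
    """What one host says it is running. How hosts report (an agent, a health
    endpoint, config management facts) is left open; the digests are the point."""
    host: str
    artifact_sha256: str   # digest of the deployed bundle on that host
    config_sha256: str     # digest of the rendered configuration it started with


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed release: the bundle and rendered config the pipeline produced.
# "smars-router" is a hypothetical name echoing the SMARS system in the notes.
NEW_BUNDLE = b"smars-router 2.3.0 with RLP routing (hypothetical bundle bytes)"
OLD_BUNDLE = b"smars-router 2.2.9 with Power Peg test routing (hypothetical)"
RELEASE_CONFIG = b"rlp_enabled=true\nrouter_pool_size=8\n"
EXPECTED = (sha256(NEW_BUNDLE), sha256(RELEASE_CONFIG))
POOL = ["server%d" % i for i in range(1, 9)]


def sample_reports(lagging=("server8",)):
    """Constructed fleet state: every host on the new bundle except `lagging`."""
    reports = []
    for host in POOL:
        bundle = OLD_BUNDLE if host in lagging else NEW_BUNDLE
        reports.append(HostReport(host, sha256(bundle), sha256(RELEASE_CONFIG)))
    return reports


def verify_fleet(reports, expected, expected_hosts):
    """Compare what each host runs against what was released.
    Returns (ok, problems) with problems mapping host -> reason."""
    artifact_digest, config_digest = expected
    problems = {}
    reported = {r.host: r for r in reports}
    for host in expected_hosts:
        report = reported.get(host)
        if report is None:
            problems[host] = "no report: host unreachable or deploy skipped it"
        elif report.artifact_sha256 != artifact_digest:
            problems[host] = "stale artifact"
        elif report.config_sha256 != config_digest:
            problems[host] = "config drift"
    for host in reported:
        if host not in expected_hosts:
            problems[host] = "not in the declared pool"
    return (not problems, problems)


def promotion_decision(reports, expected, expected_hosts):
    """The feature flag is flipped only when the whole pool is provably
    consistent; otherwise the problem hosts are listed for rollback."""
    ok, problems = verify_fleet(reports, expected, expected_hosts)
    return {"enable_feature": ok, "rollback": sorted(problems)}


if __name__ == "__main__":
    print(promotion_decision(sample_reports(), EXPECTED, POOL))
    print(promotion_decision(sample_reports(lagging=()), EXPECTED, POOL))
```

The pool membership comes from the same Infrastructure as Code definition that built the hosts, so a silent host, a host that was skipped, and a host nobody declared all fail the check the same way; none of them would be visible to a technician copying files by hand.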
We are also, very recently, at an incredibly exciting time when we look at contemporary software engineering, specifically at containers and at infrastructure as code.
If we adopt a service-oriented architecture, and more specifically build using microservices, we are well positioned to reap several benefits.
Firstly, these more loosely coupled systems are more testable. We have cleanly defined interfaces, so we can more easily perform component, security and performance tests on these services.
But we can also look at consumer-driven contracts, especially (but not exclusively) where we are able to build REST endpoints: consumers of a service define test suites around their expectations of the service, we run these tests against the provider, and we can even look at tools that use these contracts as simulations of the provider.
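An added example of a consumer-driven contract as described above, not code from the deck: the consumer records the request it makes and the response fields it depends on (with example values, matched by type), and the same contract is used both to verify the provider in the provider's pipeline and to stub the provider in the consumer's tests. The account service, its routes and the field names are constructed assumptions.

```python
# The contract: what the consumer will send and the response fields it relies
# on, with example values. Matching is by type, so the provider may change
# values and add fields, but not remove or retype a field the consumer uses.
CONTRACT = {
    "consumer": "mobile-app",
    "provider": "account-service",
    "interactions": [
        {
            "description": "balance for a known account",
            "request": {"method": "GET", "path": "/accounts/1001/balance"},
            "response": {
                "status": 200,
                "body": {"accountId": "1001", "currency": "GBP", "balance": "125.40"},
            },
        },
        {
            "description": "unknown account is a 404",
            "request": {"method": "GET", "path": "/accounts/9999/balance"},
            "response": {"status": 404, "body": {"error": "account not found"}},
        },
    ],
}

# Constructed provider standing in for the REST service; it takes the method
# and path and returns (status, JSON body) so the example runs without a network.
ACCOUNTS = {"1001": {"currency": "GBP", "balance": "125.40"}}


def provider_v1(method, path):
    parts = path.strip("/").split("/")
    if method == "GET" and len(parts) == 3 and parts[0] == "accounts" and parts[2] == "balance":
        account = ACCOUNTS.get(parts[1])
        if account is None:
            return 404, {"error": "account not found"}
        return 200, {"accountId": parts[1], "currency": account["currency"],
                     "balance": account["balance"], "lastUpdated": "2016-01-01T00:00:00Z"}
    return 404, {"error": "no such route"}


def provider_v2(method, path):
    """A later refactor: 'balance' renamed to 'amount' and made numeric.
    The provider's own unit tests pass; the consumer breaks."""
    status, body = provider_v1(method, path)
    if status == 200:
        body = {"accountId": body["accountId"], "currency": body["currency"],
                "amount": float(body["balance"])}
    return status, body


def verify_provider(contract, provider):
    """Provider-side check: replay each interaction and compare the status and
    the type of every field the consumer depends on. Returns a list of failures."""
    failures = []
    for interaction in contract["interactions"]:
        request, expected = interaction["request"], interaction["response"]
        status, body = provider(request["method"], request["path"])
        prefix = interaction["description"] + ": "
        if status != expected["status"]:
            failures.append(prefix + "status %d, expected %d" % (status, expected["status"]))
            continue
        for field, example in expected["body"].items():
            if field not in body:
                failures.append(prefix + "missing field %r" % field)
            elif type(body[field]) is not type(example):
                failures.append(prefix + "field %r is %s, expected %s"
                                % (field, type(body[field]).__name__, type(example).__name__))
    return failures


def stub_from_contract(contract):
    """Consumer-side use of the same contract: a stand-in provider that answers
    only the agreed interactions, so the consumer's tests need no real service."""
    table = {(i["request"]["method"], i["request"]["path"]): i["response"]
             for i in contract["interactions"]}

    def stub(method, path):
        response = table.get((method, path))
        if response is None:
            return 501, {"error": "interaction not in contract"}
        return response["status"], dict(response["body"])
    return stub


if __name__ == "__main__":
    print("v1:", verify_provider(CONTRACT, provider_v1) or "compatible")
    print("v2:", verify_provider(CONTRACT, provider_v2))
    print("stub:", stub_from_contract(CONTRACT)("GET", "/accounts/1001/balance"))
```

The contract also documents which fields each consumer actually reads, which is what a provider needs before it can safely drop a field; a data review that asks "who consumes this" gets its answer from the contracts rather than from a meeting.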
Finally, as we look at the container ecosystem, we find some incredibly exciting developments in Mesos, Kubernetes and the Docker suite. We are moving towards "operating systems for the datacenter": a point where our operations team can stop worrying about 'where' to run services and think instead about which versions to push out, how many should run, resource allocation etc.
Working with operations we can build out automated deployments, and focus more on log and metrics gathering, live monitoring, hot-spot tuning, auto-scaling and all-round 'run time' improvements, rather than wasting time 'managing releases'.
Likewise, as we look at data, we can see some obvious testing that can be applied, for example scanning for CRUD operations vs stored procs, executing queries to ensure indices are being hit, testing performance etc. But again we can move up the maturity chain and look towards defining our data models in metadata repositories and defining data flows between systems.
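The "indices are being hit" check above is cheap to automate against the query planner. As an added example, not from the deck, here is a test that runs EXPLAIN QUERY PLAN over the application's queries in SQLite and fails any query that falls back to a full table scan. The schema, sample rows and queries are constructed; the plan text it looks for ("SCAN ...") is SQLite's own, so another database would need its own plan parser.

```python
import sqlite3

# Constructed schema and data standing in for an application's ledger tables.
SCHEMA = """
CREATE TABLE accounts (
    id            INTEGER PRIMARY KEY,
    customer_id   INTEGER NOT NULL,
    email         TEXT    NOT NULL,
    balance_pence INTEGER NOT NULL
);
CREATE INDEX idx_accounts_customer ON accounts(customer_id);
"""

# The queries the application runs, as a pipeline would collect them.
# The email lookup wraps the column in lower(), which defeats the plain index.
QUERIES = {
    "balances_by_customer": ("SELECT id, balance_pence FROM accounts WHERE customer_id = ?", (7,)),
    "account_by_id": ("SELECT * FROM accounts WHERE id = ?", (42,)),
    "account_by_email_ci": ("SELECT id FROM accounts WHERE lower(email) = ?", ("user7@example.test",)),
}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO accounts(customer_id, email, balance_pence) VALUES (?, ?, ?)",
        [(i % 50, "user%d@example.test" % i, i * 100) for i in range(500)],
    )
    conn.commit()
    return conn


def full_scans(conn, sql, params=()):
    """Return the plan steps that read a whole table. SQLite reports each step in
    the last column of EXPLAIN QUERY PLAN: 'SEARCH ... USING INDEX ...' for an
    index lookup, 'SCAN <table>' for a full scan ('SCAN TABLE' in older versions)."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return [row[-1] for row in plan if row[-1].startswith("SCAN")]


def check_queries(conn, queries):
    """Map each named query to the table scans in its plan."""
    return {name: full_scans(conn, sql, params) for name, (sql, params) in queries.items()}


def offending_queries(conn, queries):
    """Names of the queries that would fail the pipeline's data test."""
    return sorted(name for name, scans in check_queries(conn, queries).items() if scans)


if __name__ == "__main__":
    db = open_sample_db()
    for name, scans in check_queries(db, QUERIES).items():
        print(name, "->", scans or "uses index")
```

Because the check reads the plan rather than timing the query, it passes or fails the same way on the small dataset in a build agent as it would in production, which is what makes it usable as a gate rather than a one-off DBA review.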
Collectively, all these steps help greatly when it comes to enterprise architecture. Again, automated processes could scan for authorized software usage, but more than that, if we focus less on static (and therefore immediately out-of-date) architecture documents and more on auto-generated documents, we can build a living, breathing view of our enterprise: of the services, their scale, capacity, performance and versions, and of the data and the data flows within it. This is a powerful tool for architecture teams working to rationalize, simplify, scale, etc.
We can move to a model where we build highly automated production pipelines. The key to this is to Test All The * Time and Automate All The * Things.
I know of a number of banks that are adopting Continuous Delivery, but my experience of these organizations shows there are fundamental problems with the adoption of these tools and techniques. They are inadvertently just paying lip service: they are hiring "DevOps engineers" to write build scripts, they are looking at virtualization and containerization technology, but they are struggling to effect the deep change in practice and the organizational transformation that is required to truly succeed in Continuous Delivery.
This is no surprise, as that is the way these silos are incentivized. It is the job of the development teams to get stuff done as quickly as possible for the business, and they are often under extreme delivery pressure, so their default position is often "yes, everything is safe and ready, let's ship it". It is the job of the change gatekeepers to ensure all risks are managed; they are under extreme pressure to ensure no errors occur, and with such limited time their default position is often "no".
To truly succeed I believe we need deep organizational change and large shifts in the way we think and work. We need to move away from silos and into collaboration. We need to move away from change reviews that are like trials by fire.
Financial Services IT often looks outwards to the broader software industry for tools and technology; it should do the same for processes and practices. Go and study how Spotify, Google, Facebook, Amazon, Etsy etc. work so effectively from a software delivery perspective.
But also within the industry there are isolated successes; at 51zero we have certainly had success building big data solutions using Continuous Delivery for a number of our banking clients. So find these isolated successes, study them, and replicate them at scale.
By changing the culture, working highly collaboratively and achieving high levels of CD maturity, we can move to High Velocity – Low Risk development.
There is one final risk I'd like to talk about; it is a big risk that's only just starting to be discussed seriously: the disruption risk. There are many dozens of FinTech companies popping up; they are lean, they do not have these horrific technology legacies, they are attracting top talent and they are moving fast. They are now starting to take money, hand over fist, from established firms. Without the agility that Continuous Delivery can bring, the established firms face serious, very serious disruption risk.
So I believe that the existing Financial Services industry has a choice to make, evolve or face extinction.