IT due diligence and software quality for fintech startups



IT due diligence, software audit and software quality standards are very important for startups that want to sell to or partner with large companies and corporates. In this invited talk the importance of quality is discussed from a startup perspective.

Transcript of IT due diligence and software quality for fintech startups

Page 1: IT due diligence and software quality for fintech startups

SZ

www.softwarezaken.nl www.startupjuncture.com

SOFTWARE AUDIT AND DUE DILIGENCE FOR STARTUPS

Invited talk at Startupbootcamp FinTech, London, October 8th 2014

By Sieuwert van Otterloo

Page 2: IT due diligence and software quality for fintech startups


About Sieuwert van Otterloo

Current activities:
• IT strategy consultant since 2005 (McKinsey, SIG)
• Startup enthusiast since 2010 (investor, journalist, occasional entrepreneur)
• IT-legal expert

Page 3: IT due diligence and software quality for fintech startups


Goals tonight

Most importantly: helping you gain your customers' trust through a focus on quality

Secondly: sharing tips and tricks related to quality and audits

Page 4: IT due diligence and software quality for fintech startups


Agenda

1. Banks and quality: "Your customers care about your software"
2. Startups and quality: "You should care"
3. Managing audits: "Minor tips and tricks"
4. Reaching quality: "Important tips and tricks"

Page 5: IT due diligence and software quality for fintech startups


1. Corporates and IT quality

• Enron: went from $70 billion to zero in a couple of months
• Biggest accounting scandal in history and, at the time, the biggest bankruptcy in US history
• Caused a change in regulations: Sarbanes-Oxley
  • Senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
  • Requires that the company's "principal officers" (typically CEO and CFO) certify and approve the integrity of their company's financial reports
  • Because those reports are produced by IT systems, the internal-control requirements (Section 404) put the quality of those systems inside the audit scope; this is why a bank will assess your software before it relies on it

Page 6: IT due diligence and software quality for fintech startups


Legacy problems

Then:
• Computer systems were not developed to run forever.
• Before 1990, taking 4 digits to store a year seemed a waste of space

Now:
• It is incredibly hard to migrate data out of live systems
• It is incredibly hard to replace old COBOL systems: systems from 1980 are still running in banks!

Image: 1956 IBM hard drive

Page 7: IT due diligence and software quality for fintech startups


IT failure happens often...

LOS ANGELES (AP) — Flights to and from airports in the Los Angeles area were grounded for more than an hour Wednesday due to a computer failure at an air traffic control facility in the region, the Federal Aviation Administration said. The problems rippled nationwide. […]

The ERAM system is critical to the FAA's plans to transition from a radar-based air traffic control system to satellite-based navigation, but its rollout is years behind schedule and hundreds of millions of dollars over budget.

May 1, 2014 8:51 AM

http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html

Page 8: IT due diligence and software quality for fintech startups


... And is caused by legacy software

ERAM is replacing another computer system that was so old that most of the technicians who understood its unique computer language have retired.

May 1, 2014 8:51 AM

http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html

Image: IBM 3070

Page 9: IT due diligence and software quality for fintech startups


Another case: Denver airport

The airport's computerized baggage system, which was supposed to reduce delays, shorten waiting times at luggage carousels, and cut airline labor costs, was an unmitigated failure. The airport opening was originally scheduled for October 31, 1993, with a single system for all three concourses. Issues with the baggage system delayed the opening to February 28, 1995, with separate systems for each concourse and varying degrees of automation. The system's $186 million original construction costs grew by $1 million per day during months of modifications and repairs.

Page 10: IT due diligence and software quality for fintech startups


Software maintainability is important for scaling startups

Idea → MVP → Product / market fit → Team growth → Selling your company → Buy another company

• Team growth: reduce risk of chaos
• Selling your company: need to pass the due diligence process
• Buy another company: need to sanitize and integrate

Page 11: IT due diligence and software quality for fintech startups


Maintenance cost matters more than development cost for companies

Conservative example:
• The system needs 15% maintenance per year
• The system grows 10% per year
• The system lasts 10 years

Result: maintenance costs are about 140% higher than the development cost (total maintenance comes to roughly 2.4 times what development cost)
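The slide gives the inputs and the result but not the arithmetic. As an added example (not from the talk), here is the calculation with its one unstated assumption made explicit: yearly maintenance is a fixed fraction of the system's current size, and the system starts at the size it had when development finished. With 15%, 10% and 10 years the lifetime maintenance is 2.39 times the development cost, i.e. about 139% higher, which the slide rounds to 140%.

```python
"""Added example: the maintenance-versus-development arithmetic behind the slide.

Assumptions (the slide states the inputs, not the formula):
  * development cost is the unit (1.0);
  * maintenance in a year costs `rate` times the system's size in that year;
  * the system has size 1.0 in its first year and grows by `growth` per year,
    so maintenance in year k costs rate * (1 + growth) ** k.
"""


def yearly_maintenance(rate: float, growth: float, years: int) -> list[float]:
    """Maintenance spend per year, as a fraction of the original development cost."""
    return [rate * (1.0 + growth) ** year for year in range(years)]


def maintenance_over_development(rate: float, growth: float, years: int) -> float:
    """Total lifetime maintenance relative to the development cost (1.0)."""
    return sum(yearly_maintenance(rate, growth, years))


def percent_higher(rate: float, growth: float, years: int) -> int:
    """How much more, in percent, is spent on maintenance than on development."""
    return round((maintenance_over_development(rate, growth, years) - 1.0) * 100)


if __name__ == "__main__":
    # The slide's "conservative example": 15% maintenance, 10% growth, 10 years.
    ratio = maintenance_over_development(0.15, 0.10, 10)
    print(f"lifetime maintenance = {ratio:.2f} x development cost "
          f"({percent_higher(0.15, 0.10, 10)}% higher)")
    # Even with no growth at all, maintenance alone exceeds the development
    # cost after seven years (7 * 15% = 105%).
    print(f"no growth, 10 years: {maintenance_over_development(0.15, 0.0, 10):.2f} x")
```

Plugging in your own maintenance rate and growth figure is the point: the growth term compounds, so a system that keeps absorbing features is the one whose maintainability dominates total cost.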

Page 12: IT due diligence and software quality for fintech startups


Dealing with audits, assessments and other interference

Page 13: IT due diligence and software quality for fintech startups


Assessments are a step towards money

1. A large company wants to buy your service (product focus)
2. Someone wants to buy your company (company focus)

Page 14: IT due diligence and software quality for fintech startups


... Or a clear signal of trouble

• Project termination

• Crisis management

• Blame assignment

Page 15: IT due diligence and software quality for fintech startups


A good assessment process includes context

(Diagram) System context and business strategy, together with code review and fact-finding, are the input for determining risks, quality and economics; those three are the basis for the conclusions and recommendations.

Page 16: IT due diligence and software quality for fintech startups


How not to deal with an assessment

(Dialogue between Client, Supplier and Assessor)

Client to supplier: "Develop a system as fast as possible at minimal cost."
Supplier: "OK, here it is."
Client to assessor: "Can you audit the system?"
Assessor to client: "What quality standards did you demand?"
Client: "We asked nothing special, but we expect a fit-for-use system conforming to industry best practices."
Assessor to supplier: "What quality standards did you use?"
Supplier: "None, we focused on cost and speed."
Assessor: "Let's report a lot of findings to show that we worked really hard."

Page 17: IT due diligence and software quality for fintech startups


A better way to deal with assessments

(Dialogue between Client, Supplier and Assessor)

Client to supplier: "Develop a system as fast as possible at minimal cost."
Supplier: "Here is our own standard, is that good enough for you?"
Assessor to supplier: "What quality standards did you use?"
Supplier: "We agreed on this standard. We checked the code and it complies. Let us know if you find any issues."
Assessor: "We worked really hard and have these findings."
Supplier: "Well done! We do not see major risks, but if needed we have a quality process and can fix these in the next release."
Client: "The quality is what has been agreed, and will be even better in the next release."

Page 18: IT due diligence and software quality for fintech startups


How to deal with due diligence

1. You cannot determine the outcome directly but you can influence the process: you can set conditions before you provide your data.

2. Keep it short by starting late: Do not start the assessment before the other deal details are sorted out

3. Ensure the goal is limited: For instance to determine whether the software has issues that cannot be fixed and cause major risks

4. Ensure involvement: Auditors should listen to your side, share and discuss findings before reporting any issues.

Page 19: IT due diligence and software quality for fintech startups


How to reach quality?

"... perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away ..." (Antoine de Saint-Exupéry)

Page 20: IT due diligence and software quality for fintech startups


ISO/IEC 25010 is the official standard for software quality

ISO/IEC 25010: Software product quality

Visible to users:
• Functional suitability
• Reliability
• Performance / efficiency
• Operability (called usability in the published 2011 edition of the standard)

Invisible to users, until something goes wrong:
• Security
• Compatibility
• Maintainability
• Portability

Page 21: IT due diligence and software quality for fintech startups


Official standards for security

• ISO 27001: formal, heavyweight framework (a certifiable information security management system)
• SANS: open initiative with a good list of controls (the Critical Security Controls, now maintained by CIS)
• OWASP: open initiative with a good top 10 of web application security risks

Page 22: IT due diligence and software quality for fintech startups


Step 1: joint ownership and responsibility

• Everyone in the team should feel comfortable explaining each line of code

• All founders should be interested in the code on which the company runs

Page 23: IT due diligence and software quality for fintech startups


Step 2: quality process

Structure
• Know and use agile, scrum and SAFe
• Build a working system at least every two weeks
• Agree on code quality standards

Tools
• Create a fully automated daily build process
• Use automated tools (Checkstyle, FxCop, Simian, PMD, Sonar)

Mindset
• Monitor issues daily
• Address root causes of issues in retrospectives:
  • Training needs for new and current developers
  • Important refactoring actions
  • Adjustments to quality standards

Page 24: IT due diligence and software quality for fintech startups


Measure – measure – measure: volume

• Very small: less than 10,000 lines of code
• Nice and small: less than 100,000 lines of code
• Hard to handle: less than 500,000 lines of code
• Impossible: more than 500,000 lines of code

Page 25: IT due diligence and software quality for fintech startups


Putting volume into perspective

Page 26: IT due diligence and software quality for fintech startups


Measure, measure, measure – actual technologies used

(Diagram comparing three Java systems: Java system 1 has a simple stack, Java only; Java system 2 has a complicated stack; Java system 3 has a 'legacy' stack. Alongside Java, the systems contain JavaScript, Shell, C, XML, PL/SQL, php, perl, XSLT and x86.)

Page 27: IT due diligence and software quality for fintech startups


Measure, measure, measure: Duplication

Found 185 duplicate lines in the following files:

Between lines 29 and 235 in /java/jabref-2.9.2/src/java/net/sf/jabref/export/layout/format/FormatChars.java

Between lines 31 and 239 in /java/jabref-2.9.2/src/java/net/sf/jabref/oo/OOPreFormatter.java

Found 194 duplicate lines in the following files:

Between lines 130 and 397 in /java/jose-144-source/java/de/jose/util/Metaphone2.java

Between lines 129 and 396 in /java/jose-144-source/java/de/jose/util/Metaphone.java

Page 28: IT due diligence and software quality for fintech startups


Measure, measure, measure: Complexity

Source: Sweet Home 3D, file OBJWriter.java

Best: less than 7 decision points per method (up to 2^7 = 128 paths)

Mediocre: less than 10 (up to 2^10 = 1,024 paths)

This code: 36 decision points (up to 2^36 = 68,719,476,736 paths)

public boolean equals(Object obj) {
    if (obj instanceof ComparableAppearance) {
        Appearance appearance2 = ((ComparableAppearance)obj).appearance;
        ……..
        if (!color1.equals(color2)) {
            return false;
        } else if (material1.getShininess() != material2.getShininess()) {
            return false;
        } else if (material1.getClass() != material2.getClass()) {
            return false;
        } else if (material1.getClass() == OBJMaterial.class) {
            OBJMaterial objMaterial1 = (OBJMaterial)material1;
            OBJMaterial objMaterial2 = (OBJMaterial)material2;
            if (objMaterial1.isOpticalDensitySet() ^ objMaterial2.isOpticalDensitySet()) {
                return false;
            } else if (objMaterial1.isOpticalDensitySet() && objMaterial2.isOpticalDensitySet()
                       && objMaterial1.getOpticalDensity() != objMaterial2.getOpticalDensity()) {
                return false;
            } else if (objMaterial1.isIlluminationModelSet() ^ objMaterial2.isIlluminationModelSet()) {
                return false;
            } else if (objMaterial1.isIlluminationModelSet() && objMaterial2.isIlluminationModelSet()
                       && objMaterial1.getIlluminationModel() != objMaterial2.getIlluminationModel()) {
                return false;
            } else if (objMaterial1.isSharpnessSet() ^ objMaterial2.isSharpnessSet()) {
                return false;
            } else if (objMaterial1.isSharpnessSet() && objMaterial2.isSharpnessSet()
                       && objMaterial1.getSharpness() != objMaterial2.getSharpness()) {
                return false;
            }
        }
    }
}
}
}
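The volume slide (Page 24), the duplication slide (Page 27) and this complexity slide each show the output of a measurement tool. As an added example that is not from the talk and not the code of any tool it names, here is a stripped-down version of those three measurements in Python, run over a constructed Java snippet: the Demo class, its copy-pasted scoreB method and the branch-heavy equalsLike method are made up for the example. PMD/CPD, Simian and Checkstyle do this far more carefully (token-based, language-aware); the point is to show what they count.

```python
"""Added example, not from the talk or any tool it names: a stripped-down version of
the three measurements on the slides (volume, duplication, decision points per method),
run over a constructed Java snippet."""
import re

# Constructed sample: scoreB is a copy-paste of scoreA, equalsLike branches a lot.
SAMPLE_JAVA = """\
public class Demo {
    public int scoreA(int x, int y) {
        int total = 0;
        if (x > 0) { total += x; }
        if (y > 0) { total += y; }
        return total;
    }

    // copy-pasted from scoreA
    public int scoreB(int x, int y) {
        int total = 0;
        if (x > 0) { total += x; }
        if (y > 0) { total += y; }
        return total;
    }

    public boolean equalsLike(Object a, Object b, boolean flag) {
        if (a == null || b == null) { return false; }
        else if (a instanceof String && b instanceof String) { return a.equals(b); }
        for (int i = 0; i < 3; i++) { if (flag) { return true; } }
        while (flag) { flag = false; }
        switch (a.hashCode()) { case 1: return true; case 2: return false; default: break; }
        return flag ? true : false;
    }
}
"""

# Each match adds one branch, i.e. one decision point, and doubles the path bound.
DECISION_POINTS = re.compile(r"\b(?:if|for|while|case|catch)\b|&&|\|\||\?")


def count_loc(source: str) -> int:
    """Lines of code as the volume slide counts them: non-blank and not a // comment."""
    return sum(1 for line in source.splitlines()
               if line.strip() and not line.strip().startswith("//"))


def volume_class(loc: int) -> str:
    """The slide's four volume bands."""
    if loc < 10_000:
        return "very small"
    if loc < 100_000:
        return "nice and small"
    if loc < 500_000:
        return "hard to handle"
    return "impossible"


def decision_points(method_source: str) -> int:
    """Cyclomatic-style count of branch points in one method's source text."""
    return len(DECISION_POINTS.findall(method_source))


def path_bound(points: int) -> int:
    """The slide's 2**n: paths if every branch were independent (an upper bound)."""
    return 2 ** points


def complexity_class(points: int) -> str:
    """The slide's thresholds: best under 7, mediocre under 10, otherwise poor."""
    if points < 7:
        return "best"
    if points < 10:
        return "mediocre"
    return "poor"


def find_duplicates(source: str, min_lines: int = 4) -> list[tuple[int, int, int]]:
    """Simian/CPD-style clone detection on whitespace-normalized lines; returns
    (duplicate_line_count, first_start_line, second_start_line), 1-based."""
    lines = [re.sub(r"\s+", " ", line).strip() for line in source.splitlines()]
    first_seen: dict[tuple[str, ...], int] = {}
    covered: set[int] = set()
    clones = []
    for i in range(len(lines) - min_lines + 1):
        window = tuple(lines[i:i + min_lines])
        if not all(window) or any(w.startswith("//") for w in window):
            continue  # blank and comment lines are not duplicated code
        j = first_seen.setdefault(window, i)
        if j == i or i in covered:
            continue
        length = min_lines  # extend while the following code lines still agree
        while (i + length < len(lines) and lines[i + length]
               and lines[j + length] == lines[i + length]):
            length += 1
        covered.update(range(i, i + length))
        clones.append((length, j + 1, i + 1))
    return clones


if __name__ == "__main__":
    loc = count_loc(SAMPLE_JAVA)
    print(f"volume: {loc} lines of code -> {volume_class(loc)}")
    for length, a, b in find_duplicates(SAMPLE_JAVA):
        print(f"found {length} duplicate lines starting at line {a} and line {b}")
    n = decision_points(SAMPLE_JAVA[SAMPLE_JAVA.index("public boolean equalsLike"):])
    print(f"equalsLike: {n} decision points, up to {path_bound(n):,} paths -> {complexity_class(n)}")
```

Two things worth noticing when reading tool output like the slides show: the 2^n path figure treats every branch as independent, so it is an upper bound rather than a count of reachable paths, but a method with 36 decision points is past any reasonable review limit either way; and the duplication detector only reports copies that are long enough (here four normalized lines), so the volume and duplication numbers depend on the thresholds you agreed on in your quality standard.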

Page 29: IT due diligence and software quality for fintech startups


Other important aspects

• Missing exception handling
• TODO comments
• Long 'do-it-all' files
• Memory actions and leaks
• Safe use of user strings
• Complex queries
• Code copyrighted by others
• Queries as strings
• URL manipulation
• Input validation
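Two items on that list, "queries as strings" and "safe use of user strings", are the classic SQL injection pair, and "input validation" is the second layer of defence against the same thing. As an added example (not from the talk), here is the same account lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table; the account rows, the tautology payload and the username whitelist are made up for the example.

```python
"""Added example (not from the talk): why "queries as strings", "safe use of user
strings" and "input validation" appear on the list of things an auditor looks for."""
import re
import sqlite3

# Constructed sample data: three accounts; a caller asking for 'bob' must see one row.
ROWS = [("alice", 1200), ("bob", 80), ("carol", 5400)]
# Whitelist of what a username may look like (an assumption of this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def make_db() -> sqlite3.Connection:
    """In-memory database with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return con


def balances_unsafe(con: sqlite3.Connection, owner: str) -> list[tuple[str, int]]:
    """Query as a string: the user-controlled value becomes part of the SQL grammar."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return con.execute(sql).fetchall()


def balances_safe(con: sqlite3.Connection, owner: str) -> list[tuple[str, int]]:
    """Parameterized query: the driver passes the value separately; it is never parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()


def is_valid_owner(raw: str) -> bool:
    """Input validation as an independent layer: accept only plausible usernames,
    reject everything else before it reaches a query or a URL."""
    return USERNAME_RE.fullmatch(raw) is not None


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"  # classic tautology: the WHERE clause becomes always-true
    print("unsafe:", balances_unsafe(con, payload))  # every account leaks
    print("safe:  ", balances_safe(con, payload))    # no owner has that literal name
    print("bob:   ", balances_safe(con, "bob"))
    print("valid? ", is_valid_owner("bob"), is_valid_owner(payload))
```

In a due diligence code review the string-concatenated form is what "queries as strings" flags; the fix is the bound parameter, and the whitelist check is what "input validation" asks for, applied at the point where user data enters the system rather than where it is used. Keep both: validation narrows what can reach the query, parameterization guarantees that whatever does reach it is treated as data.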

Page 30: IT due diligence and software quality for fintech startups


Conclusions

Software quality is important for any growing or grown company

Once people care, you can achieve quality

By managing the process, you can pass audits and gain your customers’ trust

Page 31: IT due diligence and software quality for fintech startups


Thank you!

Call or mail me: [email protected] +31 6 1050 9674

Services:
• IT strategy
• Maintainable software
• Starting with agile / scrum
• Lean startup
• Secure software development
• Lean startup for corporates
• Startup search & selection
• IT contracts
• IT management for non-IT