IT due diligence and software quality for fintech startups
Transcript of IT due diligence and software quality for fintech startups
SZ
www.softwarezaken.nl www.startupjuncture.com
SOFTWARE AUDIT AND DUE DILIGENCE FOR STARTUPS
Invited talk at Startupbootcamp FinTech, London, October 8th 2014
By Sieuwert van Otterloo
About Sieuwert van Otterloo
Current activities:
• IT strategy consultant since 2005 (McKinsey, SIG)
• Startup enthusiast since 2010 (investor, journalist, occasional entrepreneur)
• IT-legal expert
Goals tonight
Most importantly: helping you gain your customers’ trust through focus on quality
Secondly: sharing tips and tricks related to quality and audits
Agenda
1. Banks and quality: “Your customers care about your software”
2. Startups and quality: “You should care”
3. Managing audits: “Minor tips and tricks”
4. Reaching quality: “Important tips and tricks”
1. Corporates and IT quality
• Enron: went from $70 billion to zero in a couple of months
• Biggest accounting scandal in history, second biggest bankruptcy
• Caused a change in regulations: Sarbanes-Oxley
  • Senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
  • Requires that the company's "principal officers" (typically CEO and CFO) certify and approve the integrity of their company financial reports
Legacy problems
Then:
• Computer systems are not developed to run forever.
• Before 1990, taking 4 digits to store a year seemed a waste of space
Now:
• It is incredibly hard to migrate data out of live systems
• It is incredibly hard to replace old COBOL systems: systems from 1980 are still running in banks!
Image: 1956 IBM hard drive
IT failure happens often...
LOS ANGELES (AP) — Flights to and from airports in the Los Angeles area were grounded for more than an hour Wednesday due to a computer failure at an air traffic control facility in the region, the Federal Aviation Administration said. The problems rippled nationwide. […]
The ERAM system is critical to the FAA's plans to transition from a radar-based air traffic control system to satellite-based navigation, but its rollout is years behind schedule and hundreds of millions of dollars over budget.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html
... And is caused by legacy software
ERAM is replacing another computer system that was so old that most of the technicians who understood its unique computer language have retired.
May 1, 2014 8:51 AM
http://news.yahoo.com/computer-issues-delay-flights-los-angeles-234300027.html
Image: IBM 3070
Another case: Denver airport
The airport's computerized baggage system, which was supposed to reduce delays, shorten waiting times at luggage carousels, and cut airline labor costs, was an unmitigated failure. The airport opening was originally scheduled for October 31, 1993, with a single system for all three concourses. Issues with the baggage system delayed the opening to February 28, 1995, with separate systems for each concourse and varying degrees of automation. The system's $186 million original construction costs grew by $1 million per day during months of modifications and repairs.
Software maintainability is important for scaling startups
Idea → MVP → Product / market fit → and then one of:
• Team growth: reduce risk of chaos
• Selling your company: need to pass due diligence process
• Buy another company: need to sanitize and integrate
Maintenance cost matters more than development cost for companies
Conservative example:
• The system needs 15% maintenance per year
• The system grows 10% per year
• System lasts 10 years
Result: maintenance costs are 140% higher than development cost
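The 140% follows from compounding: each year's maintenance is a fraction of a code base that is itself growing. The script below is an added example, not from the talk, that models exactly the three assumptions on this slide (development cost normalised to 1.0, maintenance as a fixed fraction of the code base that exists at the start of each year, the code base growing by a fixed fraction per year). `percent_higher()` reproduces the slide's figure; the same functions accept other rates and lifetimes, so you can see how quickly the ratio moves. Function names and the rounding to tens are mine.

```python
"""Maintenance-versus-development cost model (added example, not the talk's own material).

Constructed assumptions: development of the initial system costs 1.0; maintenance
in a given year costs maint_rate times the size of the code base at the start of
that year; the code base grows by growth_rate per year; the system lives `years` years.
"""


def maintenance_schedule(maint_rate=0.15, growth_rate=0.10, years=10):
    """Year-by-year list of (year, relative_system_size, maintenance_cost)."""
    schedule = []
    size = 1.0                      # 1.0 = the system as originally developed
    for year in range(1, years + 1):
        schedule.append((year, size, maint_rate * size))
        size *= 1.0 + growth_rate   # the system keeps growing, so does the maintenance bill
    return schedule


def maintenance_vs_development(maint_rate=0.15, growth_rate=0.10, years=10):
    """Total lifetime maintenance as a multiple of the original development cost."""
    return sum(cost for _, _, cost in maintenance_schedule(maint_rate, growth_rate, years))


def percent_higher(maint_rate=0.15, growth_rate=0.10, years=10):
    """How much higher lifetime maintenance is than development, in percent, rounded to tens."""
    ratio = maintenance_vs_development(maint_rate, growth_rate, years)
    return round((ratio - 1.0) * 100 / 10) * 10


def sensitivity(lifetimes=(5, 10, 15, 20), growth_rates=(0.0, 0.10, 0.20)):
    """Ratio table for a few lifetimes and growth rates, at the slide's 15% maintenance rate."""
    return {(years, g): round(maintenance_vs_development(0.15, g, years), 2)
            for years in lifetimes for g in growth_rates}


if __name__ == "__main__":
    for year, size, cost in maintenance_schedule():
        print(f"year {year:2d}: size {size:4.2f}  maintenance {cost:4.2f}")
    print(f"lifetime maintenance / development = {maintenance_vs_development():.2f}")
    print(f"maintenance is {percent_higher()}% higher than development")
    for (years, g), ratio in sorted(sensitivity().items()):
        print(f"{years:2d} years, {int(g * 100):2d}% growth: {ratio}x")
```

With the slide's numbers the ratio is about 2.39, i.e. maintenance is roughly 140% higher than the original build. With no growth at all the ratio is still 1.5 over ten years, which is why the slide calls its example conservative.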
Dealing with audits, assessments and other interference
Assessments are a step towards money
1. A large company wants to buy your service (product focus)
2. Someone wants to buy your company (company focus)
... Or a clear signal of trouble
• Project termination
• Crisis management
• Blame assignment
A good assessment process includes context
System context and business strategy
  → is the input for determining …
Risks, quality and economics (established through code review and fact-finding)
  → are the basis for …
Conclusions and recommendations
How not to deal with an assessment
Client (to supplier): Develop a system as fast as possible at minimal cost
Supplier: OK, here it is
Client (to assessor): Can you audit the system?
Assessor (to client): What quality standards did you demand?
Client: We asked nothing special, but we expect a fit for use system conforming to industry best practices
Assessor (to supplier): What quality standards did you use?
Supplier: None, we focused on cost and speed
Assessor: Let’s report a lot of findings to show that we worked really hard
A better way to deal with assessments
Client (to supplier): Develop a system as fast as possible at minimal cost
Supplier: Here is our own standard, is that good enough for you?
Assessor (to supplier): What quality standards did you use?
Supplier: We agreed on this standard. We checked the code and it complies. Let us know if you find any issues
Assessor: We worked really hard and have these findings
Supplier: Well done! We do not see major risks, but if needed we have a quality process and can fix these in the next release.
Assessor (to client): The quality is what has been agreed, and will be even better in the next release
How to deal with due diligence
1. You cannot determine the outcome directly, but you can influence the process: you can set conditions before you provide your data.
2. Keep it short by starting late: do not start the assessment before the other deal details are sorted out.
3. Ensure the goal is limited: for instance, to determine whether the software has issues that cannot be fixed and cause major risks.
4. Ensure involvement: auditors should listen to your side, and share and discuss findings before reporting any issues.
How to reach quality?
... perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away ...
ISO 25010 is the official standard for software quality
ISO 25010: Software product quality
Functional suitability
Reliability
Performance / efficiency
Operability
Security
Compatibility
Maintainability
Portability
Visible Invisible
Official standards for security
• ISO 27001: formal, heavy framework
• SANS: open initiative with a good list of controls
• OWASP: open initiative with a good top 10
Step 1: joint ownership and responsibility
• Everyone in the team should feel comfortable explaining each line of code
• All founders should be interested in the code on which the company runs
Step 2: quality process
Structure:
• Know and use agile, scrum and SAFe
• Build a working system at least every two weeks
• Agree on code quality standards
Tools:
• Create a fully automated daily build process
• Use automated tools (checkstyle, FxCop, Simian, PMD, Sonar)
Mindset:
• Monitor issues daily
• Address root causes of issues in retrospectives:
  • Training needs for new and current developers
  • Important refactoring actions
  • Adjustments to quality standards
Measure – measure – measure: volume
Very small: < 10,000 lines of code
Nice and small: < 100,000 lines of code
Hard to handle: less than 500,000 lines of code
Impossible: > 500,000 lines of code
Putting volume into perspective
Measure, measure, measure – actual technologies used
Java system 1, simple stack: Java
Java system 2, complicated stack: Java, Javascript, Shell, C, XML, PL/SQL
Java system 3, ‘legacy’ stack: php, perl, Java, XSLT, x86
Measure, measure, measure: Duplication
Found 185 duplicate lines in the following files:
Between lines 29 and 235 in /java/jabref-2.9.2/src/java/net/sf/jabref/export/layout/format/FormatChars.java
Between lines 31 and 239 in /java/jabref-2.9.2/src/java/net/sf/jabref/oo/OOPreFormatter.java
Found 194 duplicate lines in the following files:
Between lines 130 and 397 in /java/jose-144-source/java/de/jose/util/Metaphone2.java
Between lines 129 and 396 in /java/jose-144-source/java/de/jose/util/Metaphone.java
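The report above is what a clone detector such as Simian produces. As an added example, not the talk's material and not Simian's code, the Python below implements the basic idea on two constructed source files: normalise whitespace so re-indented copies still match, hash sliding windows of lines, extend matching windows into maximal runs, and print the result in the same "Found N duplicate lines / Between lines a and b in file" shape. `WINDOW`, `find_duplicates`, `format_report` and the two sample files are my own choices.

```python
"""Minimal cross-file duplicate-block detector (added example, not the talk's or Simian's code)."""
from collections import defaultdict

WINDOW = 4  # constructed threshold: a copy must span at least this many consecutive lines

# Two constructed source files; FILE_B is FILE_A's encode() pasted elsewhere and re-indented.
FILE_A = """\
class Metaphone:
    def encode(self, word):
        word = word.upper()
        result = []
        for ch in word:
            if ch in "AEIOU":
                result.append(ch)
            elif ch == "X":
                result.append("KS")
            else:
                result.append(ch)
        return "".join(result)
"""

FILE_B = """\
# second copy, re-indented and without the class wrapper
def encode2(word):
    word = word.upper()
    result = []
    for ch in word:
        if ch in "AEIOU":
            result.append(ch)
        elif ch == "X":
            result.append("KS")
        else:
            result.append(ch)
    return "".join(result)
"""


def normalise(line):
    """Collapse whitespace so indentation differences do not hide a copy."""
    return " ".join(line.split())


def find_duplicates(files, window=WINDOW):
    """files: dict name -> source text.

    Returns [(length, file_a, start_a, file_b, start_b)] with 1-based line numbers,
    one entry per maximal run of identical (normalised) lines shared by two files.
    """
    lines = {name: [normalise(l) for l in text.splitlines()] for name, text in files.items()}
    index = defaultdict(list)            # window content -> [(file, 0-based start)]
    for name, ls in lines.items():
        for i in range(len(ls) - window + 1):
            chunk = tuple(ls[i:i + window])
            if any(chunk):               # skip windows made only of blank lines
                index[chunk].append((name, i))
    matched = set()                      # (file_a, i, file_b, j): window i of a equals window j of b
    for occurrences in index.values():
        for x in range(len(occurrences)):
            for y in range(x + 1, len(occurrences)):
                (na, ia), (nb, ib) = occurrences[x], occurrences[y]
                if na != nb:             # report cross-file copies only (my choice for this example)
                    matched.add((na, ia, nb, ib))
    results = []
    for na, ia, nb, ib in sorted(matched):
        if (na, ia - 1, nb, ib - 1) in matched:
            continue                     # not the start of a run; it was counted from an earlier window
        run = 1
        while (na, ia + run, nb, ib + run) in matched:
            run += 1                     # extend the run window by window
        results.append((run + window - 1, na, ia + 1, nb, ib + 1))
    return sorted(results, reverse=True)


def format_report(results):
    """Render results in the Simian-style layout shown on the slide."""
    out = []
    for length, na, sa, nb, sb in results:
        out.append(f"Found {length} duplicate lines in the following files:")
        out.append(f" Between lines {sa} and {sa + length - 1} in {na}")
        out.append(f" Between lines {sb} and {sb + length - 1} in {nb}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(find_duplicates({"FILE_A": FILE_A, "FILE_B": FILE_B})))
```

On the two sample files this reports a 10-line copy starting at line 3 of each file. Real tools add token-level normalisation (renamed identifiers still match) and ignore blank or comment-only lines, which is why the slide's line ranges are wider than the duplicate counts.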
Measure, measure, measure: Complexity
Source: SweetHome 3D, file OBJWriter.java
Best: less than 7 decision points per method (128 paths)
Mediocre: less than 10 (1024 paths)
This code: 36 decision points (68,719,476,736 paths)

  public boolean equals(Object obj) {
    if (obj instanceof ComparableAppearance) {
      Appearance appearance2 = ((ComparableAppearance)obj).appearance;
      // ... (part of the method omitted on the slide)
          if (!color1.equals(color2)) {
            return false;
          } else if (material1.getShininess() != material2.getShininess()) {
            return false;
          } else if (material1.getClass() != material2.getClass()) {
            return false;
          } else if (material1.getClass() == OBJMaterial.class) {
            OBJMaterial objMaterial1 = (OBJMaterial)material1;
            OBJMaterial objMaterial2 = (OBJMaterial)material2;
            if (objMaterial1.isOpticalDensitySet() ^ objMaterial2.isOpticalDensitySet()) {
              return false;
            } else if (objMaterial1.isOpticalDensitySet() && objMaterial2.isOpticalDensitySet()
                && objMaterial1.getOpticalDensity() != objMaterial2.getOpticalDensity()) {
              return false;
            } else if (objMaterial1.isIlluminationModelSet() ^ objMaterial2.isIlluminationModelSet()) {
              return false;
            } else if (objMaterial1.isIlluminationModelSet() && objMaterial2.isIlluminationModelSet()
                && objMaterial1.getIlluminationModel() != objMaterial2.getIlluminationModel()) {
              return false;
            } else if (objMaterial1.isSharpnessSet() ^ objMaterial2.isSharpnessSet()) {
              return false;
            } else if (objMaterial1.isSharpnessSet() && objMaterial2.isSharpnessSet()
                && objMaterial1.getSharpness() != objMaterial2.getSharpness()) {
              return false;
            }
          }
        } // closes a block opened in the omitted part
      } // closes a block opened in the omitted part
    }
  }
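The slide's numbers come from counting decision points per method and taking 2 to that power as the bound on distinct paths. As an added example, not the talk's code and not the tool that produced the 36, the Python below counts decision points in a Java method and turns the count into that path bound and the slide's rating. The counting convention is an assumption: `if`, `for`, `while`, `case` and `catch` keywords, the `&&` and `||` operators and the ternary `?`, counted after comments and string literals have been stripped so that words inside them do not inflate the score. The sample method is constructed; the "too complex" label for anything at 10 or above is mine.

```python
"""Decision-point counter for Java methods (added example, not the talk's own tooling)."""
import re

# Recognise comments and literals in one pass so a quote inside a comment, or a
# "//" inside a string, cannot confuse the stripping.
_SKIP = re.compile(r'''
    (?P<block>/\*.*?\*/)                 # block comment
  | (?P<line>//[^\n]*)                   # line comment
  | (?P<string>"(?:\\.|[^"\\\n])*")      # string literal, escapes allowed
  | (?P<char>'(?:\\.|[^'\\\n])*')        # char literal
''', re.S | re.X)

# Assumed convention: keywords that branch, short-circuit operators, ternary operator.
# (?<!<)\? keeps generic wildcards such as List<?> from counting as a ternary.
_DECISION = re.compile(r"\b(?:if|for|while|case|catch)\b|&&|\|\||(?<!<)\?")

# Constructed sample: 8 decision points (if, ||, for, if, &&, case, case, ?).
# The comment and the log string deliberately contain "if", "for" and "while".
SAMPLE_METHOD = """
public boolean accept(Request r) {
    // reject anonymous requests early, even if they only ask for a while
    if (r == null || r.user == null) {
        return false;
    }
    for (String role : r.user.roles) {
        if (role.equals("admin") && !r.readOnly) {
            r.log("granted: admin, while not read-only, if you wonder");
            return true;
        }
    }
    switch (r.method) {
        case "GET":
        case "HEAD":
            return true;
        default:
            return r.user.canWrite ? true : false;
    }
}
"""


def strip_comments_and_literals(src):
    """Replace comments with a space and literals with empty literals."""
    def repl(m):
        if m.group("string"):
            return '""'
        if m.group("char"):
            return "''"
        return " "
    return _SKIP.sub(repl, src)


def decision_points(method_src):
    """Number of decision points in one method's source text."""
    return len(_DECISION.findall(strip_comments_and_literals(method_src)))


def path_upper_bound(n):
    """Paths if every decision were independent: 2 ** n, the figure used on the slide."""
    return 2 ** n


def rating(n):
    """Slide thresholds: best below 7, mediocre below 10; anything else I label too complex."""
    if n < 7:
        return "best"
    if n < 10:
        return "mediocre"
    return "too complex"


if __name__ == "__main__":
    n = decision_points(SAMPLE_METHOD)
    print(f"{n} decision points, up to {path_upper_bound(n):,} paths, rating: {rating(n)}")
    print(f"36 decision points -> {path_upper_bound(36):,} paths")
```

The bound is deliberately pessimistic (decisions are rarely independent), but it is the reason reviewers set the threshold per method rather than per file: a method at 36 cannot be tested path by path, so it is split before anyone tries.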
Other important aspects
• Missing exception handling
• TODO comments
• Long ‘do-it-all’ files
• Memory actions and leaks
• Safe use of user strings
• Complex queries
• Code copyrighted by others
• Queries as strings
• URL manipulation
• Input validation
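Safe use of user strings, queries as strings and input validation are three sides of one review finding: text supplied by a user must not become part of the query the database parses. As an added example, not the talk's code, the Python below puts a query assembled from a user string next to its parameterised form, on an in-memory SQLite table with constructed rows, and adds an allow-list validator as a second layer. A perfectly legitimate customer name with an apostrophe is enough to show the difference: the concatenated query fails to parse, the parameterised one returns the row. Table layout, sample rows, the name pattern and the function names are all mine.

```python
"""Queries built from user strings versus parameterised queries (added example, not the talk's code)."""
import re
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, iban TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, iban) VALUES (?, ?)",
        [("Alice Jansen", "NL00TEST0000000001"),   # constructed sample data
         ("Bob O'Brien", "NL00TEST0000000002")],
    )
    return conn


def find_by_name_unsafe(conn, name):
    """Query assembled as a string: the user's text is parsed as part of the SQL."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterised query: the user's text is bound as data and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


# Constructed allow-list for a customer name: letters, space, hyphen, apostrophe, 1-64 chars.
NAME_PATTERN = re.compile(r"^[A-Za-z' -]{1,64}$")


def is_valid_name(name):
    """Input validation as an extra layer; it complements, and does not replace, parameterisation."""
    return bool(NAME_PATTERN.match(name))


def compare(name):
    """Run both query styles for one input and report what each returned."""
    conn = make_db()
    safe = find_by_name_safe(conn, name)
    try:
        unsafe = find_by_name_unsafe(conn, name)
    except sqlite3.Error as exc:          # the concatenated query no longer parses
        unsafe = "error: " + str(exc)
    return {"valid": is_valid_name(name), "safe": safe, "unsafe": unsafe}


if __name__ == "__main__":
    for candidate in ("Alice Jansen", "Bob O'Brien", "Bob_42; 1"):
        print(candidate, "->", compare(candidate))
```

The apostrophe case is the one reviewers look for in code that builds queries by concatenation: it is a correctness bug for ordinary customers and, for the same reason, the entry point for manipulated input. Parameterisation removes both; the validator then narrows what reaches the database at all.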
Conclusions
Software quality is important for any growing or grown company
Once people care, you can achieve quality
By managing the process, you can pass audits and gain your customers’ trust
Thank you!
Call or mail me: [email protected] +31 6 1050 9674
• IT strategy
• Maintainable software
• Starting with agile / scrum
• Lean startup
• Secure software development
• Lean startup for corporates
• Startup search & selection
• IT contracts
• IT management for non-IT