“It was once said that software is eating the world. Now software is so engrained in everyday business practices, it’s nearly impossible to keep track of all the software under one roof. This lack of knowledge about business-critical software is what leads to service outages, loss of data integrity and hackers gaining back-door access to customer information,” Vishal Bhatnagar, Country Managing Director, UK and Ireland, at CAST, told QA Financial. It’s for this reason that “enterprises must become more intelligent about their digital estates,” he added. For over 25 years, CAST, the New York-based provider of software intelligence solutions, has assisted organisations in ‘making the invisible visible’, or in other words, bringing transparency and objectivity to software that runs business operations. Making it easy to identify software risks, CAST analyses applications based on standards from OMG, CISQ, OWASP and others. Because software is now ubiquitous, it has become the essential cornerstone to IT modernisation and digital transformation goals, explained Bhatnagar. “Trends like automation, machine learning and AI are driving change, and it’s important that businesses know exactly where vulnerabilities lie within their digital assets before they release potentially harmful software updates.”
Smart transition
With other major drivers like the new European General Data Protection Regulation (GDPR) coming into force in May 2018, and fintech disrupters bringing functionality a lot quicker by leveraging new technology, banks are having to become a whole lot slicker to cater to new regulations and customer requirements. “Bring into the picture the multitude of legacy systems they have to contend with, and this is a difficult job,” said Bhatnagar. “For this reason, banks need to become more intelligent around the software they have in order to be able to deliver new functionality to their customers faster. And doing this in a manner that is secure, robust and resilient, as well as cost effective.” US mortgage lender Fannie Mae recently reported savings of around $200 million as a result of switching to DevOps and Agile, a process they completed with the help of CAST. However, successful change comes from more than just modernising how development and operations teams work together. It comes from “shifting-left” the structural analysis of software, that is to say identifying potentially damaging risks a lot sooner in the dev process, explained Bhatnagar. “Teams need to check that overall quality and risk in the IT estate is not being compromised just because checks are being automated and functionality is being put out a whole lot sooner – problems will come up further down the line. This is what Fannie Mae was able to do with CAST – incorporating software intelligence from the very beginning in order to ensure that quality, secure software is delivered faster.” Fannie Mae added CAST, both as a structural quality gate in the DevOps process, and as a continuous monitoring tool for quality, security and performance issues. A major challenge for Fannie Mae was to understand across its teams – IT transformation, vendor management, internal development and operations – which practices were delivering value to the organisation as a whole. To isolate innovative practices that were adding value, Fannie Mae needed to improve the visibility into its complex, multi-source development environment. Fannie Mae defined its success by improving speed of delivery (cycle time and velocity) and developer productivity. Speed of development has enabled Fannie Mae to move from 300 builds per month to 4,000 builds, and from 12,000 to 15,000 deployments per month. They now have on average two-month release cycles versus their previous 18-month release cycles and are better able to meet the needs of the business.
Taking control
More and more firms within the BFIS sector are beginning to wake up and recognise the benefits of bringing development in-house. “In-house development is a trend that we are seeing in the sector, particularly when it comes to development of core IT applications. For some, it’s about intellectual property, for others it’s about keeping up with the pace of emerging technologies and agile working. There are multiple drivers,” Bhatnagar explained. But this doesn’t mean that the role of vendor governance gets diminished, he added. “When it comes to third-party vendors, banks are realising that it’s not just about meeting SLAs from an operational standpoint, it’s making sure that the structural quality and the technical assets are looked after so to speak.” Vishal Bhatnagar will be joining the vendor risk management panel at the 2018 QA Financial Forum London on February 21st. For more information and to reserve your delegate place, click here.
