Do you lock the door when you go shopping?


Come in, make yourself at home, help yourself, I’ll be back later

Well do you? I don’t because I leave the door open for the dog to come and go and they are a more effective deterrent than a door-lock.

So why do we leave the door open in our IT departments every day? And why do we open more doors than we close every day? Introducing software into the production environment always comes with risk.

  • Lowest risk – home grown software written by your team and vetted by your QA
  • Low risk – bespoke software created for you (outsourced/offshored) and vetted by you
  • Negligible risk – software from reputable vendors
  • Acceptable risk – open source software from reputable sources backed by vendors
  • Some risk – software from new vendors and startups
  • Unknown risks – open source software downloaded in an uncontrolled manner
  • Serious exposure – software that installs itself unknown to you

Serious IT departments have sophisticated change and configuration management solutions designed to protect production systems from rogue changes but they seem to have a blind spot when it comes to code whose provenance we cannot guarantee.

More and more of our applications contain open source elements, the infrastructure we use is built on more and more open source tools, even the very IDE we are using is likely to be open source. Open source is a wonderful concept but like so many human endeavors, something designed to further humanity can, and all too often does, turn to the dark side.

Develop a risk score card for your next deployment component by component and see where you stand. No artifact in your code base is free from risk, even code written and tested by your team. As we have learned from VW recently, there are surprises lurking in the heart of our code base that can do the business great harm. As Knight Capital showed us, if it is really easy to release good code it is really easy to release bad code too. As Royal Bank of Canada knows, best practices can save embarrassment, ignore them at your peril.

Deploying code requires end to end vigilance. That means scrutiny as code is created, scrutiny as it is changed, scrutiny as it is tested, scrutiny as it is deploy and scrutiny as it is used. We have to have the infrastructure to be our 24×7 scrutineer, to be our guard dogs.

We cannot leave the door open in the world of tech, we have to lock it, bolt it and guard it.

About Kevin

In the past year Kevin has spoken at 20 conferences and seminars on a range of leading IT topics, including methodologies, business analysis, quality assurance techniques, governance, open source issues, tool interoperability, release management, DevOps, Agile, ITIL, from the mainframe to distributed platforms to the web, mobile, wearable and embedded systems. He is a much sought after speaker, recognized around the world for his provocative and entertaining style. Kevin is a 40 year industry veteran, holder of three technology patents and today is VP of Worldwide Marketing and Chief Evangelist at leading Application Development and Deployment vendor Serena Software. In the past decade he has been crossing the globe and has met with over 4,000 people. At Serena he works closely with industry analysts, the press, customers, partners and employees to exchange ideas about industry direction and business issues. He was born and educated in the UK and lives and works in the Bay Area, California.
This entry was posted in Business and Technology and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s