Have you read The Phoenix Project? A fantastic book about DevOps and Agile culture and methodology. Professional literature written in the form of a novel. It reads smoothly and yet is technical enough. It continues with the novel The Unicorn Project, which is oriented more toward development teams. And the latest in the series is this book: Investments Unlimited.
The book is about a financial organization, Investments Unlimited (IUI), which, after a successful digital transformation and adoption of agile, finds itself in an unenviable situation: an extraordinary audit after failing to prove to the regulator that it has the risks of the agile way of working under control. In an environment that enables rapid development and frequent deliveries to production environments, it is hard to satisfy all regulatory requirements while maintaining delivery velocity.
While some organizations have already adopted the DevSecOps model, few organizations think about Governance, Risk, Audit and Compliance at the start of a new product or in the first steps of the build pipeline: Shift-Left on Governance, Risk and Compliance. Through the book, the authors try to show how to achieve this cultural shift in the way the organization works by changing processes and applying automation.
Writing a summary of a novel is very hard. I hope I will motivate you to read the whole book. It is worth it and does not require deep concentration. It is a novel, after all :)
“IT Governance is hard”
“This book tells the story of Investments Unlimited, Inc., a fictional company in the financial sector”
“The goal of this book is to help enterprises radically rethink governance and how software is built inside the enterprise”
“Controls are very sterile, but promises – well, no one wants to break a promise”
“Everyone agreed unequivocally that segregation of duties is a joke. It doesn’t work”
“We assume that just because the code deployer belongs to another role, there will be no risk, or less risk”
“Now, if we take away elevated production access from every developer and ensure that every code change is peer reviewed before production deployment, we will have the best way to mitigate that risk [deploy to production without control] that you mention, Jada. The key is enforcing the peer review process”
“Diffusion of responsibility refers to a situation where, as the number of bystanders increases, the personal responsibility that an individual bystander feels decreases”
“That’s why our software engineering process failed us: we only considered Development and Operations, Dev and Ops, not Security, Compliance, or Risk. This was our big failing”
“First guiding policy: if the rest of these policies are abided by, then you can bypass the IUI manual change approval process and go straight to production”
“Second guiding policy: complete automation must be implemented for capturing evidence of quality, risk mitigation, and compliance for software and its delivery process. The only manual process is peer review, which is a must when software is being designed and developed”
“Third guiding policy: security and compliance requirements are as important as functional requirements, and hence all software product teams must involve Security, Risk, Compliance and Audit teams to identify those requirements from day one”
“Fourth guiding policy: the software budget. A budgeting system, similar to a financial budget, will be established to track our deficit in quality, risk, compliance and audit. When a budget has been exhausted, the team cannot work on any new features and must pay down the debt completely. This budget will be available for anyone in the company to see at any time”
Additional links
Goodreads: Investments Unlimited
Amazon: Investments Unlimited
Blackwells: Investments Unlimited
Video materials
Download the summary
PDF: Investments Unlimited – PDF
Just finished it 🙂 Excellent book, thanks for the recommendation!!! 😀
Glad to hear it. Always. And… follow me for more tips :D :D :D