At JP Morgan (major US bank) the most brutal ticketing system (ITSM) required approval from 6 people on average. Could take a whole week easily just to get in touch with each of them and beg for a change to be approved. Thankfully there are very few systems that require this kind of ticket for access (and there is a bug in the ticketing system anyway, so could get a valid ticket in 15 minutes when truly needed twice a year).
The direct effect is that all systems relying on that for access control are abandoned and rotting because it's impossible to do preventative maintenance.
Well, I suppose JP Morgan probably saw Knight Capital Group's mistake.
I worked at a place that had seasonal "no deploy" policies and had some software that controlled very expensive equipment. It was amazing the number of processes needed to update certain things.
It is a true balancing act. I do wonder if any actual courses exist that talk to business people about software life cycle, what is needed for a live system, and how to judge such things?
My reading is that Knight had a manual, high-touch release process. It's hard to imagine enough bureaucracy to make that safe. Companies with proper CI/CD may deploy with what seems like reckless abandon, yet are essentially immune to the particular mistake of accidentally forgetting a server.
The part of the investment bank that deals in trading systems is fully CI/CD. Developers deploy 10 000 times a week (measured during the coronavirus change freeze so probably below usual).
I guess I should be the one writing about software life cycle? Do you have any particular questions in mind? That will give me a starting point for a next blog article.