Non-technological "Sbertech": Will there be no promised breakthroughs?
Sberbank reported on the results of the development of a unified front-end system
The platform is the basis for building an ecosystem
Sberbank is successfully implementing strategic initiatives aimed at building a technology platform and transforming into a technology company by the end of 2018.
Strategic program "Reliability 99.99"
Sberbank has done a lot of work to ensure high reliability of its systems. Important milestones of this work include the organization of geo-redundancy for the services of the Sberbank contact center; creation of the core of a new highly reliable local area network; and the operation of customer services (transactions in online stores, transfers, issuing loans, servicing through remote channels) in 24 × 7 Stand-In mode during incidents and technological work. Downtime of critical automated systems at the "South Port" data center does not exceed 1.6 hours per year. This data center is certified under the Tier Certification Operational Sustainability program, Uptime Institute, GOLD level.
Highly critical services for transporting data between automated systems of Sberbank have been switched to a 99.999% operating mode, that is, the downtime of the system is no more than 5 minutes per year. This ensures the continuity of the provision of basic services to private and corporate clients.
The Sberbank Online system has a pilot block for employees, where new versions of Sberbank Online are tested before large-scale replication, which minimizes risks and reduces implementation time.
IT Organization Transformation Program
Sberbank introduced end-to-end production process and resource planning, which increased control over the launch and implementation of projects and reduced the average duration of projects from 30 to 18 months. The new process for implementing non-project tasks made it possible to reduce their implementation time by 1.9 times. Internal customer satisfaction has grown: by 3.8 times for the implementation of the IT component of projects and by 3 times for the implementation of non-project tasks. Sberbank has completed the transformation of its IT organization. A platform for technological transformation has been created.
Technological Transformation Program
Agile transformation has begun at Sberbank: a transition to the agile development method, called Sbergile. Sbergile teams are provided with basic automation, and a process for iterative development of services has been developed.
Sberbank has created a unified process for managing operational and IT production, incidents, and technology standards.
The headcount of the client operations support function was reduced by 13%. The regional centers for supporting client operations in Khabarovsk and Voronezh were transformed. Support for IT operations is provided in all time zones.
Business Development Support Platform (18+) program
The platform is designed to become a universal constructor for creating business applications.
The performance and scalability of the In-Memory Data Grid architecture have been confirmed in practice; in particular, a high performance of 35 thousand transactions per second has been achieved. A single information space has been created, into which data on 100 million customers has been successfully loaded. The mechanisms for audit, authorization, data access and batch data processing have been developed. The most important services for business have been introduced: a unified profile of the Retail Block client, a unified catalog of products and tariffs for deposits and bank cards, and dynamic pricing. The first product factories were launched: P2P transfers, merchant acquiring, deposits.
The Program team received the status of developers of the Apache Software Foundation open-source community. Projects of the Program got the opportunity to develop open-source components of the technology stack of platforms.
Program "Unified Frontal System"
The goal of the Program is to create a single standard in all customer service channels.
The main emphasis of the Program in 2016 was placed on the growth of active sales to private clients through the contact center, increasing the loyalty of corporate clients through the service of remote account reservation without a visit to the Sberbank office, and reducing the cost of external contact center services for corporate clients.
On the technical side, a unified library of interface components for basic system services was created for this purpose; these components are used to build the user interface. Using the library increases the speed of developing screen forms by 30-35% and reduces the cost of their development by 15-20%. A number of open-source components have been developed and made freely available to the Internet community for reuse. A pipeline for automatic assembly of applications has been introduced, and a technology for automatically deploying the system to all environments is being piloted. The use of DevOps technology will lead to a significant reduction in time-to-market and will make it possible to bring products to market many times faster.
The functionality for remote opening of accounts, salary projects and corporate cards has moved to the new digital corporate platform. This is the first step towards the transition to the Unified Frontal System.
A mobile workplace for a direct sales agent has been created, which will allow scheduling meetings and optimizing travel routes, taking into account the geographic location of customers.
The program is fully implemented according to the Agile method. It takes eight weeks from idea to discovery. More than 90 Agile teams work under the Program. In 2016, we managed to form the best team of IT specialists and business experts. The team includes more than 1,000 employees from Sberbank's business units and 17 Sberbank Technologies competence centers. To attract the best specialists, Sberbank held an open day and an international design hackathon.
Data Factory program
The goal of the Program is to provide the Group with the conditions to achieve a competitive speed of launching new products to the market, monetize data, increase the speed of managerial decision-making, and reduce the cost of data ownership. The program combined activities to create data services and develop infrastructure, taking into account current trends in building corporate data warehouses and analytical platforms.
Key projects of the Program:
- client profile "4D" - increases the completeness of information and the depth of the history of a corporate client;
- "Mass personalization" - increases the efficiency of the retail business processes of the same name through quick receipt of reliable information about customers based on data;
- "Boutique Conveyor" - increases income from CIB customers by reducing the time and improving the efficiency of decision-making in terms of customer information;
- the Geomarketing 2.0 project provides Sberbank's external clients with information about the economic potential of individual geographic locations.
As part of the Program, the performance of the analytical data warehouse has been increased. A new critical element of the architecture has been created: the data cloud, a distributed data storage for further processing, into which the first data from Sberbank's largest systems, the Unified Corporate System and the Unified Loan Portfolio, has been loaded. Data experimentation and model hypothesis testing have been launched for business users. Sberbank managed to reduce the time of one-time data delivery at the request of Sberbank divisions to 10 days (previously, the period was more than four months).
Program "Centralization 3.0"
The goal of the Program is to complete the centralization of the landscape by significantly increasing the economic efficiency of IT assets. In 2016, within the framework of the Program, 682 non-target automated systems (with a plan of 410) and two data centers were decommissioned. In 2017, it is planned to decommission an additional 270 non-target systems and seven data centers and replace IT equipment.
This subsidiary of the bank, as usual, began to implement all the IT projects of the bank and planned to go on to work for the open market. But everything went wrong. The information technology foundation of "the largest bank in Eastern Europe" needs a complete restructuring. Established in 2011, the company has not lived up to expectations in 7 years.
You can, of course, try to argue with numbers. To say that it is now the largest IT employer in the country. More than 10 thousand programmers! We can say that revenue has grown over the past year. But this is clear evidence that the bank began to spend even more on IT without improving the quality of services.
CEO Alisa Melnikova left the company in June last year. But this did not help the company much. Over the entire existence of this subsidiary, which is extremely important for Sberbank, so many problems have accumulated that together they are already starting to drown the parent company.
1. Too many people
This reason is the result of a mixture of Soviet-era megalomania and the desire of certain top managers to have budgets and power. But another reason is that the right hand does not understand what the left is doing. Remember Gref's chic statement about programmers?
"Programmers are not needed today. We have a huge number of programmers with whom we are fighting," German Oskarovich said.
Half of the ministries and most of the companies on the market are clamoring for and chasing the overvalued "builders" that are extremely necessary for the digital economy, which is what programmers should be, and Gref decided to fight them. Who will shape the future? Why does the company need so many people? The same VTB or Alfa with Tinkov spend far fewer human resources on implementing exactly the same or even better features. At the same time, people are lured away from the market with double salaries and promises that here they will definitely change the world. But in fact, it turns out to be a completely different story. According to the papers, it takes 200 programmers and several months of hard work to put a button in CRM.
2. No breakthroughs
EFS, PPRB and FD. The company is proud of this and publishes it openly on its website. Let's look at a specific example. UFS - Unified Frontal System. What is it?
The Unified Frontal System is aimed at increasing the level of comfort for Sberbank clients when receiving services, as well as at the convenience, speed and efficiency of the employees of branches that provide customer service. EFS is based on a cross-channel approach. Wherever the user comes from - through an application, a browser on a home computer, through a call to a call center or office - he can continue servicing through any channel from the moment where the last interaction in any of the channels ended - the system must recognize the client profile. In addition, the UFS, due to its own API, allows partners to enter the system, as well as integrate with third-party sites.
But today a bunch of services can do this! What prevented you from finishing off Bitrix24 or any of a huge number of other systems in order to implement what is written above? This is not rocket science. This is reality. Well, yes, Sberbank is large. But it is not the only one in the world. It would be possible to look at how others do it and do it right. It is exactly the same with other projects. Complete nonsense is passed off as a breakthrough. And some of this "nonsense" has not even been created yet, but exists only on paper.
3. Banally boring
One of the reasons why "holy agile and scrum" don't work is that they are implemented by specific people. At Sbertech, on condition of anonymity, several colleagues from the company confirmed that sometimes they simply do not understand what they are doing and how it will change the world. All these 10,000 programmers are not needed by the bank in such numbers. Here they are idle. With our money.
4. Imposing extremely strange functions on the company
Take the scandal with an analyst from Sberbank CIB. The entire structure was disbanded. And now Gref has announced his intention to replace analysts with "artificial intelligence."
Well, nonsense! But many listen with an open mouth. And they are waiting for Sbertech to do everything now. So many programmers! But just as 9 women will not make a child in a month, so here - well, you won’t be able to replace analysts with a computer or a neural network this year. And now imagine what these strategic risks are for the parent company.
5. Constant failures in the work of the parent company
What can we say, even if at SPIEF a whole cloud of insiders loudly announced massive failures in the work of Sberbank on the forum. What a shame. The company, by the way, did not confirm this, but did not deny it either, which indirectly proves the correctness of the rumors. But regular failures, blocking of accounts for the transfer of 666 rubles and similar stories are another evidence of the impotence of managers. Yes, it was difficult, yes, there was an ordinary savings bank. But no one spared you money and time for transformation. The hopes were that you would be the best in the world. In the meantime, it turns out that you did not justify our hopes at all.
Sberbank is creating a new flexible platform that will transform the bank into a technology company. The bank plans to open access to elements of its platform through the API, as well as partially publish the code of its developments, Sergey Ryabov, Senior Managing Director, Chief IT Architect of Sberbank, said at the FinCore 2017 forum. FutureBanking quotes from this speech.
Charles Darwin's saying is that it is not the strongest species that survives, nor the most intelligent, but the one that responds best to change. We have made the ability to change quickly a key goal of our technology strategy and a key requirement for building a new platform.
The general approach to building a platform can be briefly described with three R's: Rationalize - rationalization and optimization of the current architecture, Rearchitect - creation of a new platform, Rethink - rethinking scale and creating an ecosystem. We are a bank, but at the same time we are looking at other markets. In the strategy, we stated that we would enter new markets, such as healthcare, the car market, we are already working in the real estate market and not only in terms of mortgages.
What are the key requirements for building our new platform
1. Customer centricity. Most of the services and the new approach to customer service require us to know as much as possible about the customer. This is not only what is in our core systems, this is also what is around.
2. Single information space. This is an approach where information is available to our decision making systems in real time.
3. Flexible mechanisms for setting up complex products and STP processes. We strive to get as far away from human participation as possible where possible; use mechanisms such as monitoring our processes and automatically managing failure situations.
4. A very important block is the open API. Accordingly, APIs permeate all platform components. We open an external API for our partners and contractors.
5. Machine learning mechanism. We try to build it into our platform components, and gradually build it into our decision-making system.
6. Maximum reliability 24x7. We are a huge backbone bank, reliability is our everything. Therefore, we spend a lot of effort to ensure that the information system is as reliable as possible.
7. Horizontal scaling on low-end hardware. Our current information systems are stable, powerful and large, but we operate on a large high-end. Many vendors have already curtailed part of their lines focused on the maximum high-end, moving to the mid range, to other architectures. We are also trying to get away from this, to reduce the cost of ownership.
8. Use of open source technologies. Yes, we are a big bank, we have our own developments, we know how to work with traditional architectures, but we began to gradually move to open source.
9. Storage and processing of data in memory. We had big discussions about whether to use this technology or not. On the one hand, these are big risks, on the other hand, the biggest opportunities in terms of data processing speed. At the latest Gartner Symposium conference in Barcelona, discussions were held with architects and major analysts on how to build information systems, what are the possibilities and limitations.
What is a platform, how do we present it
First, we built the core of the platform and some of the key services that we refer to as a business hub (decision-making system, unified client profile, product catalog). But now we are moving in several directions, including because we are big, it is much more difficult for us to swing.
The platform consists of several architectural layers. At the bottom is the technological core.
From the "lego blocks" you can collect part of the other layers. These are actually reusable components that are used at other levels.
The heart of the new platform is the business hub. These are such blocks as the Unified Client Profile, product catalogue, decision making system. These are the new solutions that we are now building, which enable flexible customization of processes and products.
Above we have a Unified frontal system. It is important to provide an omnichannel experience for our customers.
The big block is product factories. This includes loans, deposits, and other traditional products. But at the same time, we are developing new complex products, for example, a combination of insurance and credit products.
You can create any business on the platform components
Our goal is to make the platform flexible and customizable so that we can build new components into it. We have already talked about the API and componentization, the service approach at all levels of the platform. It is very important. The platform provides integration and customization at all levels.
What are the key technologies we use
Here are just a few of them:
1. Storage and processing of data in memory. We cooperate with the GridGain company, we go through a rather difficult path, because the other side of the speed of work is the reliability of the system. Some of the elements that are missing in this product, we actually implement from scratch. It's difficult, sometimes the deadlines are shifted, but we are going down this path, because the effect is great scalability.
2. Horizontal scaling on low-end servers. Our entire assembly is x86 machines.
3. Open source. It also hurt quite a bit. We started a few years ago to switch to open source, to learn. In the integration layer, we use solutions such as Kafka, ZeroMQ. As a BPM solution, we use the Activiti open-source solution. We use WildFly as an application server.
If you talk to large companies, most of them publish all their decisions. For example, we studied the experience of Alibaba. Our strategy also includes this. But this requires a certain maturity of ours as an organization. We are now at the beginning of the journey, but we will definitely publish it, because it will give completely different opportunities.
I spoke about the decision-making system - the core and heart of our platform. This part is painful to open from the very beginning. We are going to open parts, starting with non-mission critical components. Our task is to be able to open the code of a certain component so that the community can already refine it. We now have a rather cautious approach.
What is the Unified Frontal System, how do we build it
The main requirement is the implementation of omnichannel frontal scenarios. The complexity here is to a lesser extent technical, to a greater extent - organizational. I am sure that in many banks the organizational structure is such that one person is responsible for remote channels, another person is responsible for brunches and branches, and a third person is responsible for the call center and network. And, of course, when we talk about the omnichannel customer service scenario, it should be applied as much as possible in all channels. To ensure this, it is important to reach an agreement at the level of all those responsible.
We have a large set of tools. We are actively using React technology now. There is also Angular. These are two alternatives. We settled on React.
The integration layer creates an isolation of the front system from the back office and our other information systems. The main challenge is to ensure that customer service across channels occurs in a consistent way. This is our targeted approach. We started the program two years ago, now we are entering the replication phase. There is functionality for branches and a contact center. The next year will be quite actively devoted to remote channels.
Business hub
Historically, each client of Sberbank lived in his own automated banking system. Now we are moving away from this approach, moving as much as possible to an online client profile, to the master system.
Other important components of a business hub are the product catalog; decision making system; execution of end-to-end processes; and an integration layer built on Kafka and ZeroMQ.
Accounting services are separated using the accounting engine paradigm, that is, product accounting is separated from accounting.
Data factory
This is a new strategic program. We made a big bet on Hadoop and related technologies. There are certain limitations, but we try to overcome them. We use classical solutions. We are also implementing solutions from Teradata.
What is important for the platform is that we have to learn how to push data from the product factory level to the analytical level efficiently enough to do very complex analytics that we cannot do online.
Working with a team
A large vector of changes in the bank is associated with building close interaction between business and IT as part of Agile implementation. We call it Sbergile. On the one hand, we hear each other, on the other hand, this approach introduces more heterogeneity, because the teams run in parallel, they need to be synchronized somehow. In this case, architectural control is very important. But without a common focus on building a new platform, we will not move anywhere. Having taken a new goal, we must comply with it.
The platform is the basis for building an ecosystem
A big direction in our strategy is related to the development of ecosystems. These are the services of our subsidiaries and our partners that we need to develop. The general idea is to give a quick start to those sites that will be part of the Sberbank ecosystem.
A quick start can be given, among other things, by the core of the platform, because some of the elements can be reused. It's about such services as identification, data exchange, API. These are the blocks that everyone will need. On the other hand, if this is a new business, then platform elements will help you create a solution faster.
I would like to end with a quote from Mahatma Gandhi that "the future depends on what you do today." So let's do it. We are going this way.
From this conversation, you will find out what exactly Sberbank-Technologies, an IT subsidiary of Sberbank, does, which Telegram channels should be read by an Application Security specialist, and why one should not forget about practice during training.
INFO
Sberbank Technologies (SberTech) is an IT subsidiary of Sberbank founded in 2011. It all started with a team of 500 people. Basically, these were Sberbank IT specialists who moved to work in a separate IT structure.
Today, SberTech employs about 11,000 people in sixteen Russian cities. Key development centers are concentrated in these cities, where regional teams of IT specialists gather: Moscow, St. Petersburg, Novosibirsk, Innopolis and so on.
SberTech is engaged in the development and implementation of software, as well as support for existing IT systems of Sberbank. At the moment, Sberbank is the only client of the company.
Artem Bachevsky, Head of IT systems development in the Application Security department
Tell us what SberTech does, what projects are you currently working on?
Currently, the key project is the development of a new technology platform for Sberbank. It transforms the business model into an ecosystem. This ecosystem will ensure the provision of non-financial services, the connection of partners and contractors, will be able to process large amounts of data in a short time, and will allow high system performance.
Let's take a closer look at non-financial services. What projects are we talking about?
Such projects already exist, as the ecosystem has been developing since 2016. A full transition to the new technological platform is planned until 2020. Sberbank seeks to move away from providing only financial services and actively acquires partners. For example, "Sberbank-Real Estate" (Real Estate Center from Sberbank LLC is part of the Sberbank group of companies. - Approx. ed.), Sberbank-Insurance, an Internet service for finding doctors DocDoc, and so on. Thus, the transformation into an ecosystem is carried out. Companies such as Alibaba, Amazon, WeChat are following a similar path.
“Ecosystem” and “technological platform” are beautiful words, but I want to hear more specifics. What is the essence of your platform, what exactly are you developing and why are these technologies outstanding?
The new platform consists of three key programs.
Business Development Support Platform - a universal tool for creating business applications. The bank must become a Marketplace that brings together a variety of tools to achieve the goals of its clients. For this, a foundation is needed - a new platform: scalable, flexible, reliable and open, capable of changing in real time. The development uses the latest technologies of distributed computing in memory and work of applications with large amounts of data in real time - In Memory Data Grid.
Data Factory program is designed to improve the quality, reliability and availability of data for analysis. Bank employees will be able to fully engage in the analysis and interpretation of data without additional labor costs for their collection and reconciliation. Big Data provides work with super-arrays of data for monetization of information and behavioral analysis of customers and employees, for adjusting strategies for working with different segments.
Single frontal system - a cross-functional platform, Sberbank's own development. Platform tools provide a seamless cross-channel experience across all products and services. The technology stack allows you to maintain high performance, reliability and security of the user experience. In addition, due to its own API, the UFS allows partners to enter the system, as well as integrate with third-party sites.
Now let's talk about security. Artem, tell us what your unit does?
Our division deals with Application Security - application security. The department is relatively young, about two and a half years old.
Our main duty is ensuring application security. Basically, these are automated systems that are critical for the bank, but all new mobile and mission critical developments also fall into our area of responsibility.
Now the department employs fifteen people. They can be conditionally divided into three teams: penetration testing team, mobile pentest and internal development. The team brought together employees with different technical backgrounds, mainly from various areas of information security, but there are also guys from IT management and development. Together with our colleagues from Sberbank, we improve the security of the systems we develop, maintain a reasonable compromise between business needs, user convenience, and ever-growing risks in software development.
We achieve all this thanks to the strong expertise of Sberbank and SberTech employees, as well as a mature and fundamental SDL (Secure Development Lifecycle), which takes into account modern tendencies and approaches (Agile & DevOps) in the field of software development.
A team of web pentesters is engaged in the implementation of various practices, analysis of their results and the conduct of the penetration test itself. The mobile pentest team is doing the same, but for mobile applications. There are a lot of mobile applications in the bank, this is not only Sberbank Online, there is also Business Online, corporate services, and so on.
How is this infrastructure built, did you mention SDL?
We try to build the infrastructure in such a way that colleagues who are “in the context of the code” help us in parsing the results of scans, reviewing the code and writing rules for SAST (static application security testing). As part of the continuous value delivery initiative for the client, we ensure application security by bringing the Sec context into DevOps, which is being built at Sberbank and SBT, and without the involvement of teams, this is simply impossible.
The practice of involving developers through security champions has proven itself very well. Security champions are employees in development teams who are interested in professional development in the field of information security in order to increase the security of the AS and reduce the risk of vulnerabilities. This is achieved by increasing the level of competence of AS development teams in matters of information security, replicating practices for developing secure applications, and reducing the duration of the life cycle of an information security defect.
We also regularly conduct various awareness programs and trainings. Once a quarter we have a general awareness for everyone. We have training on diving into secure Java development. The fact is that this is the target programming language in the bank, so the focus is on it. Exactly the same target dives exist for Android and iOS.
Approximately how many hours of training per year do your developers receive?
In the field of security about forty hours a year.
What do you think is the role of education today? Every day there is something new, how to keep up with it?
We teach the basics and do not aim to immediately turn students into experts in the field of cybersecurity. At this stage, it is enough to involve them in the topic and lay the basic knowledge. For example, in the context of Java, these will be secure web application development practices, because in this area a lot is focused on web security.
What does a specialist need to do to always “stay on the cutting edge”?
At a minimum, I recommend subscribing to thematic Telegram channels in order to stay in trend and understand your interests in the profession. Personally, I read HackerNews, Habrahabr and Hacker. You can fork something on GitHub, try it, evaluate it, and then maybe implement it. It is not necessary to dive into the topic as deeply as possible, but you definitely need to constantly try something new.
Also, in my opinion, it is good practice to participate in various CTF and bug bounty programs. You can build up some skills in CTF, and bug bounty allows you to legally “feel” the security of interesting systems.
Of course, studying is good, but in my opinion, you won’t go far on education alone. Indeed, without practice, training is worth nothing, and behind any real experience, first and foremost, is the real work.
You are absolutely right. Tell us about your trainings and awareness, how is it going?
We try to implement various activities and gamify processes for development. For example, at the ZeroNights 2017 conference, we presented a CTF captcha. It was an interesting competition, where each challenge is a captcha with a logical or software error in the implementation. We invited the conference participants to find these vulnerabilities, which allow solving many captchas in a short time.
The task was simple: it was required to "solve" twenty captchas in ten seconds, in fact, without solving them. Participants should not type all this by hand; they should, for example, implement an SQL injection so that nothing depends on the entered value. For example, in one of the tasks, the captcha could be solved probabilistically: if you enter the answer “5” all the time, then with a probability of 25% the captcha will be passed.
What is the purpose of such a competition? Few people today implement captchas on their own. After all, there is a ready-made and relatively reliable reCAPTCHA (if it is implemented correctly), but you can make a mistake in implementing this mechanism. If someone still decides to implement their own captcha, then participation in such a competition will leave far fewer chances for vulnerabilities to appear, since a person could see many errors during the competition. In addition, these problems apply not only to captchas: there are many other mechanisms where similar errors can be made.
Does SberTech have centralized training, for example, are programmers trained?
All employees have opportunities to learn: external (courses and events), internal (meetups, hackathons, regular exchange of experience within teams and departments). Meetups are attended by internal and external experts: for example, one of the latest was dedicated to quantum computing in collaboration with IBM.
For students and beginners, SberTech holds free schools on mobile development on iOS and Android, Java and BPM. Based on the results of training, we invite the best students to work.
Let's move on to practice and your stack. Tell us what it consists of.
We try to find vulnerabilities as early as possible, so we have been using SAST (static application security testing) and DAST (dynamic application security testing) since the first line of code was written. Based on one popular SAST product, we are building a solution that adds Security to DevOps for many automated systems developed at SberTech. We are currently implementing OWASP ZAP in DevSecOps, which will allow us to develop even more secure and reliable applications.
We are also looking for known vulnerabilities in public components. To do this, a utility was created that aggregates the results of other similar tools (OWASP Dependency-Check, Retire.js), and also scans the source code, isolating the components used from it, which are then checked against public vulnerability databases (NIST, CVE Details).
As a result of manual analysis of bugs, we have accumulated a certain set of data with expert assessment, and we have trained a model (machine learning is so hyped now), which determines the chance that a vulnerability is a true positive. This model helps a lot, because at least it deals with ranking. Let's say OWASP Dependency-Check has a very low false positive rate, but it produces very few results. Our false positive rate is higher, but due to the ranking and many more results, we sometimes catch vulnerabilities that were not previously detected by other tools.
For systems, where applicable, we use fuzzing - we build an intruder model, a threat model for all systems. We also review the code, namely its critical sections. And of course we do penetration testing.
We do not leave developers alone with bugs, but go through the life cycle of the bug with them, advise on fixing, and test after editing.
And I’ll tell you a little more about the development within our department. At some point, we realized that managing the SDL process is impossible without the Secure Application Lifecycle Manager. Taking into account the certain specifics of the bank (many automated systems, each of which has its own “zoo” of technologies and practices), it was obvious that it was necessary to write something of our own.
Therefore, we have created a product that concentrates all the processes of implementing SDL and maintaining the continuity of processes, data flow management (IS and related). It stores all the data accumulated as a result of various practices and allows you to manage them, automatically "roll" some actions for their smooth replication. It also distributes bugs to various issue trackers, provides interfaces for parsing bugs using our tools. All this ensures the construction of SDL and effective interaction with teams.
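An added example, not part of the interview and not SberTech's code, for the CTF captcha discussed above: it audits a captcha generator for the fixed-answer weakness (the 25% case) and flags clients that pass twenty captchas within ten seconds in a verification log. The `a + b` generator, the log tuple format and all names are constructed assumptions.

```python
from collections import Counter, deque
from fractions import Fraction
from itertools import product

def constant_guess_risk(answers):
    """Best fixed reply and its pass probability, given every answer the
    generator can emit (one entry per equally likely challenge)."""
    counts = Counter(answers)
    guess, hits = counts.most_common(1)[0]
    return guess, Fraction(hits, sum(counts.values()))

# Constructed weak generator: "a + b = ?" with a and b drawn from 1..4.
WEAK = [a + b for a, b in product(range(1, 5), repeat=2)]
# Constructed stronger generator: a uniform five-digit code.
STRONG = range(100_000)

def flag_fast_solvers(events, limit=20, window=10.0):
    """events: time-ordered (timestamp_s, client, passed) tuples.
    Returns the clients with `limit` passes inside any `window` seconds."""
    recent, flagged = {}, set()
    for ts, client, passed in events:
        if not passed:
            continue                      # only successful checks count
        q = recent.setdefault(client, deque())
        q.append(ts)
        while ts - q[0] > window:         # drop passes older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(client)
    return flagged

# Constructed verification log: client-A passes every 0.4 s, client-B passes
# every 8 s, client-C only fails.
SAMPLE_LOG = sorted(
    [(i * 0.4, "client-A", True) for i in range(25)]
    + [(i * 8.0, "client-B", True) for i in range(5)]
    + [(i * 0.5 + 0.1, "client-C", False) for i in range(30)]
)

if __name__ == "__main__":
    print("weak generator:", constant_guess_risk(WEAK))
    print("strong generator:", constant_guess_risk(STRONG))
    print("flagged clients:", flag_fast_solvers(SAMPLE_LOG))
```

Running the audit against a generator before release shows whether any single reply passes more often than the design intends; the log check covers what the audit cannot see, such as injection flaws that make the entered value irrelevant.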
On the platform of the Unified Frontal System (UFS), frontal processes are being developed for the Sberbank Online system (mobile application and web version), as well as for branch employees, first-level direct sales specialists. The program to develop this system is one of the key and strategic ones for Sberbank.
2018: Development results for the year
In 2018, the architecture of the UFS, the processes for developing and bringing functionality to the industrial environment were improved, Sberbank said in its report on its activities for the 2nd quarter of 2019. The possibility of multi-versioning was also introduced, thanks to which technological services and client functionality can be developed independently and iteratively in their own release cycles.
The UFS program creates a unified service logic in all channels, based on the principle of omnichannel (photo - svpressa.ru)
As part of the development of the UFS, in 2018 Sberbank implemented the functionality of remote banking services for documentary transactions (letters of credit, collection) through Sberbank Business Online, which allows the client to send applications, requests and letters to the bank in electronic format, track their status online and see a register of their transactions.
This service allows to reduce the time of customer service for letters of credit and collection and increase customer satisfaction, Sberbank says.
Sberbank names another key event for the UFS in 2018: the start of the stage of mass rollout of the system for all customers in three channels of remote banking services.
2017: New version of EFS
In 2017, a new version of the platform, EFS 7.0, was developed, with higher levels of reliability and performance through support for deployment in a multi-unit architecture and for Stand-In mode, which provides increased fault tolerance and seamless upgrades of the platform's functional subsystems. Also, the mass introduction of a new target process for the development of the UFS using “development tools. Sberbank explains that this will allow one team to implement solutions for all channels, reuse the already implemented facilities and services as much as possible, reduce the number of errors due to auto-generation of typical functional blocks, and also reduce the training time for new employees.
The expected effect from the introduction of the targeted UFS development process is to reduce the amount of manual development by half.
In addition, in 2017 the bank determined the quality standard of the UFS platform. Its implementation is monitored by 12 metrics. Using the standard halved the number of errors during the testing phase and made it possible to achieve that 50% of errors are eliminated within 8 hours.
2016: Developers of the Unified Frontal System of Sberbank are determined
The general contractor of Sberbank for the creation of the Unified Frontal System is the Sberbank-Technologies company.
Companies with experience in implementing at least three front-end systems development projects since 2013 were invited to participate in the procurement (with a project user audience of at least 10,000 users). Participants of the competition must have at least 40 developers with knowledge of the Java programming language, 20 system analysts, 20 developers with knowledge of JavaScript, CSS and HTML, and 5 architects. Specialists on the participant's project team must hold Java Senior Specialist (at least 10 specialists) and Oracle Professional (at least 1) certificates.
Separately, the documentation stipulated the maximum rates of specialists:
The overall assessment of a participant's application depended 50% on the proposed cost of the work and 50% on the quality of the test task.
System Tasks
Employees of bank branches and call center, clients of mobile applications and Internet banking (legal entities and individuals), partners in the sale of bank products work in the system. This system is also designed to manage ATMs and self-service terminals.
The implementation of the system will ensure a unified customer experience by creating a single customer base for all service channels. It will be possible to start the interaction through the bank's call center, and continue, for example, in the Internet bank or in the branch from the moment at which the operation was interrupted.
Another objective of the EFS is to speed up the launch of the bank's new products on the market. In the current environment, when different applications are responsible for managing the Internet and mobile bank, processing, ATMs and terminals, updating Sberbank services and products (for example, changing the deposit rate) throughout the country can take several weeks. The goal is to reduce the time to one day.
Also, as expected, the UFS will reduce the time of operations, simplify the interface for department employees, speed up newcomers' adaptation to the work, and reduce the number of errors.
EFS Program Management
At the end of 2018, Alexey Poddubny became the head of the Unified Frontal System program. According to TAdviser, he was appointed to this position after Elena Baturova, who previously managed the EFS project, as well as Vadim Sharobaev, who under her leadership was responsible for this project at Sbertech, left Sberbank.