Following the QA Financial & E-Commerce Forum New York 2025, which took place May 14th in the Big Apple, we sat down with one of the conference’s key speakers, Nicole Nunziata, the director of TechOps at Varo Bank.
Nunziata is charged with maintaining the platform supporting Varo’s banking application, corporate IT and developer tooling. A critical part of this work is creating the testing framework used by all engineers.
Having spent the last 12 years in financial services, in a variety of roles focusing on seamless deployments, minimizing risk and creating a highly available customer experience, Nunziata’s favourite thing to do at work has become building high performing, tightly connected teams.
At the summit, Nunziata spoke about secure coding and IT risk management at Varo Bank. In 2020, the bank became the first FinTech business to be granted full national bank charter status by the OCC.
Nunziata explained how Varo has created an IT risk framework that embeds secure coding practices and the OCC’s evolving compliance requirements while the company remains a lean and cost-efficient digital business.
Could you please explain the key components of the IT risk framework implemented at Varo Bank, and how secure coding practices were integrated into it?
Varo employs a rigorous software development lifecycle methodology, incorporating control points at each phase. The development pipeline mandates that all production code undergo unit, integration, and security testing prior to transitioning through successive environments. Any security test that fails must be remediated prior to moving to the next environment. Varo trains all software engineers annually on secure coding practices using courses based on OWASP guidelines.
What were some challenges Varo Bank faced when aligning its secure coding practices with the OCC’s compliance requirements, and how did you overcome them?
We realized we needed to create a process to evaluate and rank potential vulnerabilities. This prioritization allowed us to include remediation in our roadmap and was a skillset we needed to develop, as it is not common in software engineering.

Why did Varo Bank prioritize open source tools within your technology operations, and how did you assess their safety and economic viability?
We leverage open-source libraries to decrease development time and increase flexibility over commercial software. We are aware of the risks associated with dependency management and vulnerabilities and have proactively implemented tools to mitigate these risks. Our Risk team and I collaborated on an open-source software assessment to identify potential gaps in our usage model. We intend to incorporate this assessment into the risk management schedule.
How do you balance maintaining a lean and cost-efficient digital infrastructure while ensuring robust security and compliance?
We begin with automation as our strategy. Adherence is simpler when security and compliance controls are part of the development pipeline. For anything that can’t be automated, we use routines and dashboards to maintain transparency.
What lessons have you learned from Varo Bank’s journey in becoming the first FinTech business to obtain a full national bank charter regarding secure coding and IT risk management?
Security and IT risk management should be integrated into the initial stages of development, rather than added later. It is essential that engineers possess a foundational understanding of risk and controls pertinent to financial institutions such as PCI, data privacy, and information security.
Anything else you would like to say or share with our readers?
There are always opportunities for improvement and companies can leverage multiple frameworks for assessing the current state to chart a path toward greater maturity. I’m excited to learn new technologies in our space.