UK banks must raise quality of code to avoid future outages
Mon 8 Feb 2016
Vishal Bhatnagar, senior vice president and country manager at CAST UK, writes about the importance of software quality and UK banks’ negligence in this respect…
A recent spell of outages at leading UK banks has served to draw attention to the lack of IT visibility in these institutions. The systems used by some of these groups have been built up over the course of decades and are extremely convoluted. To meet ever-changing business requirements and customer demands, new banking applications and functionality are just added to outdated legacy systems, which are simply not designed to accommodate them.
New services such as online banking, contactless payments and Apple Pay now offer customers the most convenient banking options available in the sector. However, the addition of each of these new applications has increased risk, and systems have become so complex that discovering potential vulnerabilities is almost impossible using traditional methods alone.
Typically, software quality assurance revolves around functional and load testing and some manual code review, but these approaches do not account for system-level structural faults hiding deep in the code. Such faults can remain undetected for years until new functionality, such as online payments, exercises them and potentially brings the whole system down. Traditional software quality assurance is useful during software development, but is far less useful for maintaining ageing platforms. It appears today that the big UK banks do not have sufficient visibility over their software architecture to find and address these structural weaknesses before they cause disruption.
Analysing code quality
To tackle this shortcoming, organisations must first review and quantify their software quality. The ability to quantify attributes such as reliability, security and complexity is vital to understanding software integrity. Expressing these attributes as numerical metrics also lets organisations make objective decisions against industry benchmarks rather than relying on judgement alone.
Code quality standards, such as those agreed by the Consortium for IT Software Quality (CISQ), enable companies to compare their source code against a recognised benchmark and undertake a thorough analysis. Measuring software quality against these standards helps detect poorly written and potentially damaging code, and quantifies technical debt: an estimate of the spending required to bring quality up to an acceptable standard. Initially, these measurements would need to be repeated at every release until quality and technical debt are brought under control.
Using architectural and structural analysis tools in accordance with the CISQ standards allows executives to identify which applications present the greatest risk to the business or will cost the most to maintain. The same measures can also be written into service level agreements with outsourcers, setting quality targets with greater accuracy, saving costs while improving quality.
Automating the analysis of banking applications' code and architecture, and examining the layers of complexity introduced by their many components, can rapidly surface the structural weaknesses and IT vulnerabilities the UK banking sector faces.
Measuring the software risks facing the banking sector’s critical IT applications helps in making objective decisions about whether wholesale IT transformation should take place, or if a programme of change by evolution will work best.
Measuring against software quality standards at every release (for example, checking code compliance with a secure architecture), and writing CISQ software quality measures into contracts with outside developers or software vendors so that agreed outcomes can be tracked, will in the long term keep the business from being exposed to unnecessary risk.
Ensuring maintained quality
There are several important measures organisations can take to ensure software quality standards are maintained. Firstly, companies must conduct structural testing of all software before deployment to avoid costly rewrites.
Secondly, updates and patches have caused glitches at some major UK banks, so any amendments of this type must be undertaken with care, and the quality of the new software should be tested from a structural as well as a functional perspective.
Furthermore, organisations must judge software quality against common software quality standards to measure reliability, security, performance, efficiency and maintainability.
Lastly, it is important to review agreements with external software vendors and services providers to ensure the product meets appropriate standards. This also extends to software updates and patches.