Bank code quality is below par, according to CAST app data
The software firm has benchmarked 1,850 apps from 329 firms on different criteria of structural quality, including robustness and security. The widespread use of COBOL by banks is one reason they underperform, says CAST’s Lev Lesokhin.
Software coding in the financial services industry is less secure than in other industries, and also ranks lower on other benchmarks for structural quality, according to a database gathered by CAST Software, the New York-based software vendor, from its client firms. In total, the results from 1.3 billion lines of code are in the CAST database for its 2017 survey.
The results, and in particular a low score for the security “health check” derived from the data, underscore the need for financial firms to review the way both their internal teams and their outsource partners are developing their apps, and in particular the coding platforms and practices they are using. Other issues – such as the proliferation of legacy systems at larger, older, financial firms – may prove the most challenging.
CAST’s database is based on system-level analysis of apps conducted by clients in different industry verticals and different geographies. The benchmarks for measuring the structural quality of the software are based on the extent to which it violates good architectural and coding practices in five areas: robustness, security, performance efficiency, changeability (the difficulty of modifying applications) and transferability (the difficulty of understanding the app, and transferring work).
The key metric is a “health-check” score out of 4.0 points, with scores of less than 3.0 considered bad. Based on a total sample of 1,850 apps, the mean scores across different industries were 3.20 for robustness, 3.22 for security, 3.15 for performance, 3.03 for changeability and 3.00 for transferability. In each of those five categories, the software used by financial firms was rated below those mean scores, at 3.13, 3.15, 3.05, 2.99 and 2.97 respectively.
In fact, the structural quality of financial firms’ software ranked behind that of all other major industry verticals, including telecoms, manufacturing, retailing and energy. Software developed by governments and their agencies scored highest in all five categories.
The data cannot fully explain why financial code underperforms, said Lev Lesokhin, executive VP for strategy and analytics at CAST, but the widespread use of the COBOL coding language and the plethora of legacy systems at banks are likely to be major contributing factors.
“The results surprised us,” said Lesokhin. “We have a lot of data behind the results but we don’t necessarily have the reason why. One of the potential issues though is that financial firms – especially retail firms – have a lot of legacy systems. They are having to create interfaces with new apps all the time – with mobile and web apps for example – and one of the key issues with security is protecting those interfaces from attackers.”
The widespread use of COBOL for financial software is likely to be a key reason why financial firms score poorly on changeability and transferability, said Lesokhin. Across the CAST database, around 40% of software is produced on the Java EE platform, while COBOL accounts for 22%. However, the financial firms in the database use a far higher proportion of COBOL for their code, at 48%. Financial firms’ use of Java EE is in line with the cross-industry average, at 41%.
The problem is that applications built in COBOL and Oracle Server exhibited the lowest “health” scores on most factors, notably on changeability and transferability. “It’s not that COBOL forces you to write code that is less transferable,” said Lesokhin. “But it is typically used by banks and other large financial firms to write thousands of procedures. It’s a very procedural language that does not lend itself to modular work.”
While the cyclomatic complexity inherent in COBOL makes it difficult to achieve a good score on the CAST transferability health-check, so too do coding languages based on “monolithic” procedures that attempt to capture broad business processes, sometimes over-simplistically. The best balance, said Lesokhin, lies somewhere between the two.
Similarly, another conclusion of CAST’s research is that a hybrid of Agile and waterfall development practices is a better way to achieve continuous delivery for apps than choosing one exclusively. Hybrid approaches scored higher than both Agile and waterfall on both the robustness and changeability “health-checks” across different industries.
And while the data showed that younger firms (again across industry verticals) tended to produce lower health-check scores, smaller development teams – of 10 people or fewer – typically perform best in terms of the structural quality of their software. Large teams of 20 or more consistently perform the worst in terms of structural quality.
For information about CAST Software’s New York Software Risk Summit, featuring guest speaker Frederic Veron, Enterprise CIO at Fannie Mae, see here.