Devs bashing out crappy code is making banks insecure – report

The rush to improve system functionality is leading developers to knock out subpar code, posing a threat the security of major systems around the world, according to an extensive report.

The software quality of financial applications is worse than that of those in telecoms and retail, according to the report.

The study (requires sign-up) by software firm CAST analysed more than one billion lines of code across 1,850 applications in eight countries, mainly in financial services, insurance, telecommunications, and manufacturing.

It found that that up to 40 per cent of the applications, were below the standard for security. The threshold rates applications' ability to withstand unauthorised entry, deceptive interactions, theft of data, or breach of confidentiality.

Geographically, the UK scores the lowest out of all regions. France scores best.

The findings are surprising, not least because financial service firms are regulated and run the risk of huge fines if security problems in their apps ever result into problems.

Bill Curtis, senior veep at CAST, said those applications are mostly customer-facing - and have a lot of opportunities to get hacked into. "The trade-off for organisation is how they spend their time: do they fix the current problems or introduce new functionality, which is what the business is urging them to do," he said.

"Lack of security architecture combined with porous code in legacy systems produce easy targets for hackers. This is especially concerning in Financial Services applications," said Curtis. "Despite the push to ‘go digital’ our CRASH Report findings indicate there is a significant amount of bad code lingering in enterprise systems. The takeaway for IT is clear: poor software quality is exposing many businesses to excessive risk."

Lev Lesokhin, executive veep of strategy and analytics at CAST, said: "There is a lot of risk lurking in the code, it is heavily protected by walls around it. But there is still this soft middle that can breached in a lot of cases."

Previously CAST found that applications in the UK financial services sector had huge amounts of legacy code, making it prone to major outages. It found another major banking outage similar to the RBS disaster back in 2012 is likely to happen again in the UK, given the amount of legacy code in the sector.

Lesokhin noted that the outage situation is continuing to get progressively worse.

He said the problem for banks is tension between developers who have their hands in the source code, and the operations team that run the systems.

"We saw one example of a telecommunications company in the UK that had to keep rebooting the server for one of its consumer-facing systems everyday because there was not enough memory on it.

He cited another common example of ops guys being pulled off projects to fix all the problems introduced by developers when systems go through a quarterly refresh.

"This is what the ops guys have to do to make crappy software stand up. The problem is the dev teams are so far behind to make things to be able to make them bullet proof. That is costing banks a lot of money."

The CAST Research on Application Software Health (CRASH) study involved the analysis of 1.03 billion lines of code across 1,850 enterprise applications run by 329 organisations such as banks, insurers, government departments in eight different countries. The health factors measured in the report look at five traits: robustness, security, performance efficiency, changeability and transferability.

The technology that generated the data in CRASH Reports measures the number and severity of violations of good architectural and coding practice. These defects risk operational problems such as outages, performance degradation, unauthorised access, or data corruption.

The findings reveal a team size "sweet spot". Code development teams of under 10 people perform best across most areas of structural quality.

The best scores came from teams that developed software using a hybrid method that combines practices from both Agile and Waterfall methods. The lowest scores were obtained by those reporting use of "no method".

"By combining up front analysis and design of application architectures with rapid feedback on defects during short, iterative coding sprints, hybrid methods produce higher structural quality than Agile or Waterfall methods alone," according to CAST.

The report urged greater attention be given to secure coding practices as many applications had scores that "were unacceptably low."

Of the applications analysed, 40 per cent used Java-EE, 22 per cent COBOL, and 10 per cent .NET, along with numerous other technologies such as ABAP, JSP, Oracle.

The mean size of applications in the full sample is 554,782 lines of code. ®