Old, complex code could cause another UK banking TITSUP – study
Blighty has 900k lines of code per mission critical app, one-third above world average
Another major banking outage similar to the RBS disaster back in 2012 is likely to happen again in the UK, given the amount of legacy code in the sector, according to research.
The average mission critical banking application has around 600,000 lines of code, according to a study by software firm CAST which analysed systems and applications at the source code level across the world.
However, in the UK mission-critical banking apps have between 800,000 and 900,000 lines of code. Greater complexity of systems makes it harder to get a full picture of an organisation's architecture and can cause more glitches.
Lev Lesokhin, CAST's senior vice president of strategy and analytics, said: "In consumer banks, there are core components that have been there for a long time. Even if something has been written in Java in the 90s, that is still 20 years ago."
He said: "In the UK it seems there is a more lackadaisical approach to employing software engineering techniques."
Lesokhin said that banks typically experience between 20 and 30 incidents per month, adding: "I've seen no evidence of that number changing over the last decade. I would imagine it is only a matter of time before we see another major incident when you look at the odds."
The UK's banking sector has seen a spate of outages caused by IT cock-ups over the last five years. Most notorious was the 2012 RBS and NatWest outage which affected at least 6.5 million customers in the UK and lasted for weeks.
In 2014 the banks were slapped with a £56m fine by regulators, who warned that the disaster could have threatened the stability of the entire financial system.
According to the report from CAST, which is titled Crash, organisations from the United Kingdom deliver applications at the highest risk (lowest security scores). Continental Europe generally records the best scores for this measure.
Lesokhin said greater quality assurance is needed over developers. "Applications teams are responsible for making systems complex – but that is often being driven by the business. Business guys are looking at the competition and panicking and throwing requirements at the software guys. That means they don't have time to pay down technical debt."
He said: "Some organisations are putting a tithe on all new projects: for any new project the business asks for, there is a 10-15 per cent charge on that project to fix architecture and technical debt, as it is causing the applications not to be structurally sound. In the end it is the CIO's responsibility, because they are in charge of systems and the level of risk they are being exposed to." ®
*TITSUP = Total Inability To Support Usual Performance