QA VectorⓇ Research: financial firms should “consider a spectrum” of release frequency

5 September 2019

In its latest State of Software Supply Chain survey, Maryland-based software company Sonatype asserted that development teams should aim for a minimum of four releases every year – but the optimum number of releases ultimately depends on what product owners want to achieve, says QA VectorⓇ Research.

“There’s no one-size-fits-all for financial firms,” said Shane Hill, QA VectorⓇ Research Director. “Financial infrastructure firms need to apply a spectrum-based approach. An ideal strategy tends towards monthly, though for classes of heavily legacy applications, quarterly releases carry the least risk.”

Updates to systems of engagement lend themselves to more frequent releases than changes to the mainframe or middleware. Maintenance updates should be released fortnightly and new features monthly.

To be able to support such regular releases, according to Hill, companies must continuously modernise their CI/CD pipeline, to become more agile. This means creating the right environment, equipped with effective release machinery and management. The recent partnership between software services provider CloudBees and Google Cloud, for example, aims to deliver a DevOps cloud platform which will enable organisations to modernise their applications in a hybrid environment.

From its research, Sonatype concluded that a higher frequency of dependency updates statistically results in more secure code, making components more resilient to attacks on the software supply chain. This is especially important, according to Sonatype, because adversaries are now exploiting an attack vector in which vulnerabilities are injected directly into open source project releases, so that downstream consumers pull in compromised code as part of a routine update.

These attacks are particularly high-risk for financial services; when malicious code infiltrated the build chain of cryptocurrency wallet Agama in June 2019, it endangered over $13m in cryptocurrency assets.

“In principle, more frequent releases enable financial firms to improve their software risk management,” says Hill. “Effectively defining the right release frequency relies on firms assessing their current mix of legacy applications, maturity of release management infrastructure, skills and processes.”
