Why code reviews matter when developing financial software, and how to do them well

When developing financial software, code reviews are critical, because whether or not they are mandated by policy or law, they help to find and sort out issues early. After all, introducing software with problems is expensive, time-consuming and a very real business risk. Code reviews encourage better, more consistent coding practices across teams (important for new developers who are still honing their skills) and provide information for audit or compliance purposes. It is no wonder that code reviews have become a de facto process for many development teams, including those who have adopted DevOps, because they help achieve both quality and faster time-to-market. 

However, code reviews vary in the method used, their effectiveness, and there is no one-size fits all. A code review could be performed before code is committed to a shared repository, or afterwards (sometimes called a code audit), or both before and afterwards. If a product includes a build phase, it is also necessary to consider whether a code review happens before or after the build. Modern code reviews are partially automated using test and analysis frameworks, or — coming up in the near future — supported by AI and ML. 

Challenges

Making sure that code reviews can scale is a major consideration, while not becoming a bottleneck that gets in the way. Dimension of scale dimensions to consider include: the amount of people involved, projects, branches, repositories involved, lines changed and so forth.

For a very small team, code reviews should be easy and as simple as asking a colleague to look at some code that has been written and provide some verbal comments. There are some huge benefits to face-to-face code reviews, because people are having a ‘real’ conversation and develop a relationship with mutual understanding. 

However, as projects, complexity and teams grow, code reviews become harder to achieve, especially to balance quality, consistency and speed. The more variants there are, the greater the risk that issues may not be discovered, corners cut, or coding practices become inconsistent. Traditional code reviews can also risk becoming subjective and a matter of personal opinion.   

When teams are distributed or remote (which quickly became the new-normal), then it can also become very hard to keep control of what has been reviewed. If those challenges are not addressed, then code reviews can become as much a hindrance as a help, and its contribution to DevOps or Agile methodologies undermined. 

In financial services, organisations not only have to ensure that code has achieved certain quality standards and compliance, they need to be able to show and prove that those goals have been met. How easy is it to prove traceability of what has been reviewed, when and by who, what was the outcome of any discussions or issues unearthed?

Best practices

Fortunately, there are some tried-and-tested techniques to improve the quality of code reviews. For instance, communications are everything: it is important to give clear and rapid feedback during code reviews. That can be difficult when working remotely across different timezones, but the value cannot be underestimated. 

Make sure that there is clear visibility throughout the code review. Consider using collaboration tools that are designed to simplify code reviews, adding benefits rather than lots of extra workload that gets in the way. They can also spot and alert any bottlenecks, and help to remove some of the subjectivity of personal opinion. This becomes a ‘single source of review truth’ that provides a view of the latest version of the code, as well as its history and the conversations that led to the current state.  

Look for automation features that fit in with workflows and integrate into other DevOps tools. For instance, a team might be using Jenkins to run code builds, so a code review tool would need to integrate seamlessly with Jenkins. 

However, code reviews are about team culture, not tools, and contribute towards coding skills. Encourage everyone to view code reviews as part of on-going learning and improvement. Code reviews can be a useful way for more senior developers to mentor juniors, or for those senior developers to learn new things themselves. Code reviews can help uncover areas where additional training may be required to upskill certain contributors. 

A look towards AI and ML in code reviews

Replacing current methods of code reviews by using an intelligent bot is still a long way away. However, there are some initiatives already afoot and the theoretical benefits are exciting. By using AI and ML to learn, teams could receive more actionable insights, metrics and other advantages that algorithms make possible. 

While it is early days for these AI and ML tools, as they become increasingly integrated into the developer environment, we can expect more rapid user adoption. In the meantime, there is much that banks and other financial services organisations can do to improve their code review processes right now, to help maintain velocity of software development and delivery, in increasingly large-scale, complex and distributed environments.