Banks are improving application security, so what’s next?
December is often a reflective month, when organisations take stock of what’s been achieved over the past year and outline their ambitions for the year ahead. It’s obvious that 2020 has been a year like no other, not just in the world of application security. So how are banks faring and what’s next in 2021?
The pandemic caused banks to rethink their IT strategy in an accelerated manner. To stay nimble and digitalise faster than the competition, one industry-wide change we saw was that businesses began hosting more of their applications in the cloud. To ensure these applications were secure, banks and other financial services organisations were diligent in their application scanning efforts. Our data shows the industry achieved nearly 200,000 application security scans in July 2020, which is a record.
This rapidly changing business landscape has accelerated the speed of digital transformation for many. While this technology-powered evolution is a positive milestone for financial services, it may also mean the speed of transformation outpaces the speed to remediate existing code vulnerabilities. This creates security debt – defined as the amount of software flaws identified but left unresolved – and means that the longer flaws linger, the less likely they are to be prioritised, and then fixed.
A beacon of app security best practice
Cyber security is taken very seriously by financial services organisations, and according to research from Ocorian,
UK banks are spending £6.7 billion each year to prevent cybercrime. Although banks have invested in application security measures, there are still some security challenges left unaddressed. In fact, one of the most prominent pain points within the industry stems from security debt. Each unresolved flaw in an application adds to an organisation’s risk exposure if it is not addressed.
The State of Software Security Report volume 11 (SoSS) revealed banks and other financial services firms have the best software fix rate of all sectors, with 75% of flaws resolved. This sector also appears to be doing a better job of reducing flaws related to cryptography, input validation, Cross-Site Scripting and credentials management. However, it is among the slowest to resolve flaws; the median time to resolve half of the flaws found in financial services applications is more than six months (198 days). The demands of accelerated development timelines mean some applications are inadequately tested, if tested at all. Comparatively, the healthcare, retail and technology sectors all remediate flaws faster.
With the growth in new applications and increased potential to overcome emerging risks, financial services firms should be prepared to embrace a secure modern, scalable infrastructure. Put simply, the more secure the software which supports their digital transformation projects, the more likely it is that their applications will become a critical differentiator for customers.
Nurturing improved app security practices through DevSecOps
A typical IT architecture found in financial services organisations is comprised of many layers of interwoven modern and legacy applications, which have been blended through previous mergers and acquisitions. Some have called this “spaghetti code”. As one of the earliest adopters of technology, banks tend to have the oldest applications compared with other industries and this complexity provides a challenging development environment for improving application security.
Application security behaviours are also haphazard, as financial services firms seem to be middle-of-the-road for scanning frequency and integrating security testing but are very consistent with the cadence of their scanning activities. They are not likely to be using dynamic analysis scanning technologies to uncover vulnerabilities but are the best at using software composition analysis (SCA) compared to other industry sectors. This suggests for many financial services firms, developers face a challenging environment, with the adoption of DevSecOps practices showing the most opportunity for improving the programme.
Provide control through embedding security into developer workstreams
As we head into 2021, the heightened focus on digital transformation is unlikely to disappear as financial services firms conduct business in the new normal through digital-first channels. This will put additional pressure on the on-premise programmes traditionally used in the sector that are difficult to operate remotely. As a result, IT, development and security teams could benefit from a Software-as-a-Service-based (SaaS) approach to application security, which allows for greater flexibility to scale and automate scanning while still delivering fast results that enable quick fixing.
From our experience, when developers can’t control their environment and don’t adopt best practices for secure coding, there is a negative impact on software security. Organisations which give their developers more control with the tools, training and speed to address vulnerabilities directly within their workstreams are not only more secure but can also innovate at speed. Beyond the testing of new applications, app security teams should also review the management of their current software supply chain to improve security for their customers and reduce the risk of being breached.
In digital banking, customers are making important transactions with their fingers on their smartphones and selecting providers based on user experience, personalisation of product offers and service delivery. These elements underline the importance of application innovation and security, combined. When financial services organisations are able to integrate a culture of security into the development workstream and use real-time scanning delivered through a SaaS solution, they can innovate faster whilst simultaneously reducing security debt. That’s an encouraging thought for Fintech companies which are operating in an increasingly hostile cyber climate.