Veracode’s latest State of Software Security report (SoSS) revealed financial services is one of the slowest industries when it comes to addressing common vulnerabilities found in software.
The global report found financial services companies took 29 days to address a quarter of their vulnerabilities in coding - and over a year - 573 days - to remediate all open vulnerabilities. It also ranked as second to last of all other sectors in terms of speed to complete flaw remediation.
A significant 67% of current applications used by banks are at risk from information leakage attacks, wherein an application reveals sensitive data that can be used by an attacker to exploit a web application or its users. This is worrying given the IT outages occurring within the global financial services industry.
In spite of this, Veracode’s report did reveal that the largest population of applications scanned came from the financial vertical. While financial organisations tend to have the reputation of having some of the most mature overall cybersecurity practices, Veracode’s data shows they struggle like the rest to stay on top of application security. The industry ranked second to last in the major verticals for latest scan OWASP pass rate, and based on the flaw persistence analysis chart, it is leaving coding flaws to linger longer than other industries.
Even as it is prolific at testing, the financial sector tests almost as many apps as the technology sector, the sector in general is still slow in responding to responding to open vulnerabilities. Additionally, the banking sector addresses the first half of its open flaws slowly, but it starts to pick up speed once it passes the halfway point.
“We would presume financial services would address flaws and potential doorways to data breaches promptly as it’s a highly regulated industry,” said Paul Farrington, Director of EMEA and APJ at Veracode. “However, we have observed several downfalls over the last year that suggest banks may not as be as technically robust as they like to make out. Historically, we've witnessed the likes of the TSB IT outage occur due to legacy infrastructures and code left over from multiple mergers, which lead to IT outages.”
It’s a tough job for banks to coordinate cybersecurity awareness so it’s at the forefront of employee’s minds. “These banks are large organisations with high headcount so it’s possible that banks are not raising of the importance of these crucial data leakages internally,” Farrington continues. The sluggish speed to which banks initially respond to vulnerabilities could be an indication of bureaucracy that may impede initial progress, but which is likely overcome once security teams and developers collaborate more to cut through the red tape.