In this article, Adam Brown, Managing Security Consultant at Synopsys Software Integrity Group, analyses the myths that linger in the financial services industry regarding application security and debunks each one in an effort to provide clarity and guidance.
As organisations work to transform their application security (AppSec) practices, they continue to struggle to implement tools and processes that can scale and keep pace.
Complexities of managing and maintaining open source, along with the adoption of cloud-native architectures and their associated microservices increase the level of difficulty. Supply chain intricacies make it difficult to get a full picture of an organisation’s risk profile. As such, it’s no surprise that AppSec continues to be an increasingly complex challenge for organisations adopting modern development practices.
This is especially true for the financial services industry (FSI), where the stakes are high. In 2019, the global financial services market was valued at $22 trillion. Financial services firms are often high-profile targets and exploitation opportunities are abundant.
In the shadow of unrelenting real-world challenges, these firms are often a first-choice target for attackers. During the first year of the COVID-19 pandemic, over 70% of financial services firms experienced a successful cyber-attack, and COVID-related business conditions were perceived as being to blame. In the event of a breach, companies must cover millions in losses. In 2019, the average cost per breach was $5.86 million.
Problems that existed before COVID, like supply chain risk management, budgeting and resource constraints, and a lack of security training, have only worsened.
There are many myths and misconceptions that linger in the financial services industry regarding application security. So we used the 2020 “Building Security in Maturity Model” (BSIMM) report research data to debunk and explain three of the biggest myths, in an effort to provide clarity and guidance.
Myth 1: Financial services firms are secure because they must be
The general perception of financial services is that the industry is secure. This is based on no evidence or data, but rather on the belief that as the gatekeepers of everyone’s sensitive data, it simply must be secure.
Because the industry is highly regulated, financial services firms tend to be very good at remaining compliant. This has helped lull security leaders and customers into a false sense of security. While an organisation may indeed gain short-term comfort from successfully meeting compliance requirements, long-term problems arise when organisations fail to scrutinise their security practices beyond compliance.
The reality is that financial services firms are not necessarily as secure as you may believe.
In a recent independent study commissioned by Synopsys with the Ponemon Institute, “The State of Software Security in the Financial Services Industry,” the findings highlight the misconception of FSI security. Ponemon discovered that 50% of financial services firms experienced data theft due to insecure software. This undoubtedly stems from the fact that only 34% of FSI software is tested (beyond penetration testing) for security vulnerabilities. And only 45% of financial services firms believe they have an adequate security budget to address their risks, while 76% say it’s difficult to detect security vulnerabilities in financial software systems before going to market.
Myth 2: Financial software is different from other software
A lot of financial services firms still believe their software is inherently different from other types of software, and it’s therefore incapable of change. The perception is that what has worked in the past will continue to work.
In reality, there are no special snowflakes.
The authors of the first BSIMM back in 2008 thought this too and anticipated needing two models, one for how banks write software and another for how tech firms do it. However, after interviewing the original 9 participants of the first BSIMM and analyzing the data, it was found that a single model applied to all organisations who develop software. Financial software is written, managed, and tested in the same manner as any other software. It is, after all, software.
Many financial services firms have a conservative attitude to adopting new processes, methodologies, technology and culture. Outdated development models inhibit development velocity and hinder go-to-market speeds. Organisations that refuse to adapt to the modern software landscape will fall behind if they have not already. New tech companies, on the other hand, are quick to adopt new approaches, or started out with them.
Myth 3: You control everything that’s in your deployed software
Many financial services firms believe they have a good understanding of all the components and elements in their deployed software. But knowledge of everything in a software stack is not a complete picture of everything going into production—not even close. Even larger financial services firms struggle with this misconception.
In reality, you have an incomplete picture.
Today, all financial services firms use some form of open source software, and it covers a broad range of AppSec activities and environments. From Docker and Kubernetes to supply chains, cloud deployments, and shared responsibility models, you need to understand all the code and every component in your environment. Mastery of exactly what you’re deploying and each of their respective security stances is critically important.
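The gap between what a team believes it ships and what is actually in the deployed artifact can be measured rather than assumed. The following is an added example, not code from the article or from Synopsys: it compares a hand-maintained "declared" component list against a software bill of materials (SBOM) in a minimal CycloneDX-style JSON shape and reports the components nobody listed, the declared components that are not actually shipped, and how much of the shipped artifact the team knew about. Both the declared list and the SBOM are constructed sample data; the component names, versions and the advisory identifiers are placeholders, not statements about any real package version.

```python
"""
Added example (not from the article or from Synopsys): compare what a team
believes it ships against what a generated SBOM says is actually in the
deployed artifact. The SBOM and the "declared" list below are constructed
sample data in a minimal CycloneDX-style JSON shape; component names,
versions and the flagged-version list are illustrative placeholders.
"""
import json

# Constructed: what the team's architecture document lists (the "mental model").
DECLARED_COMPONENTS = {
    "pkg:pypi/django@3.2.4",
    "pkg:pypi/requests@2.25.1",
    "pkg:docker/python@3.9-slim",
}

# Constructed: a minimal CycloneDX-style SBOM as a scanner might emit it for
# the built container image. Transitive dependencies and base-image packages
# appear here even though nobody on the team ever chose them explicitly.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "container", "name": "python", "version": "3.9-slim",
         "purl": "pkg:docker/python@3.9-slim"},
        {"type": "library", "name": "django", "version": "3.2.4",
         "purl": "pkg:pypi/django@3.2.4"},
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.4",
         "purl": "pkg:pypi/urllib3@1.26.4"},
        {"type": "library", "name": "sqlparse", "version": "0.4.1",
         "purl": "pkg:pypi/sqlparse@0.4.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k"},
    ],
})

# Constructed: a placeholder standing in for whatever vulnerability feed the
# firm subscribes to. The advisory id is NOT a real identifier and the entry
# is not a claim about any real package version.
FLAGGED_PURLS = {
    "pkg:pypi/urllib3@1.26.4": "PLACEHOLDER-ADVISORY-001",
}


def load_sbom_purls(sbom_text):
    """Return the set of package URLs (purls) listed in a CycloneDX-style SBOM."""
    bom = json.loads(sbom_text)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def inventory_gap(declared, sbom_text):
    """Compare the declared inventory with what the SBOM says is shipped.

    Returns a dict with:
      undeclared - components present in the artifact that nobody listed
      missing    - declared components that are not actually shipped
      coverage   - fraction of shipped components the team knew about
    """
    actual = load_sbom_purls(sbom_text)
    undeclared = sorted(actual - declared)
    missing = sorted(declared - actual)
    coverage = len(actual & declared) / len(actual) if actual else 1.0
    return {"undeclared": undeclared, "missing": missing, "coverage": coverage}


def flagged_components(sbom_text, flagged):
    """Return {purl: advisory_id} for shipped components that appear in the feed."""
    return {p: flagged[p] for p in load_sbom_purls(sbom_text) if p in flagged}


if __name__ == "__main__":
    gap = inventory_gap(DECLARED_COMPONENTS, SBOM_JSON)
    print(f"declared inventory covers {gap['coverage']:.0%} of shipped components")
    for purl in gap["undeclared"]:
        print("  undeclared:", purl)
    for purl in gap["missing"]:
        print("  declared but not shipped:", purl)
    for purl, advisory in flagged_components(SBOM_JSON, FLAGGED_PURLS).items():
        print(f"  flagged: {purl} ({advisory})")
```

On the constructed data the declared list covers only half of what the image actually contains, and the one flagged component is among the half nobody listed, which is exactly the blind spot the myth describes. In practice the SBOM would come from a build-time scanner rather than being embedded as a string, and the feed lookup would be keyed on the same purls.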
Financial institutions are often seen in a league of their own. As the bearers of a wealth of sensitive information, they are held to a higher standard than most. The pomp and circumstance that comes with this exceptionally regulated industry then creates the perception, among the general public as well as those within it, that they are more secure and possess technologies and software unlike those of other industries. However, the reality is that they are really no different from everyone else, though they do continue to represent high-profile targets.
It isn’t enough to meet a compliance audit once a year and call it a day. These institutions must recognize that they are very likely employing some form of open-source software, which requires their attention. If we can successfully bust these myths, we will all be one step closer to more secure AppSec practices within the industry.
Adam Brown, Managing Security Consultant, Synopsys Software Integrity Group