As we’ve recently covered, cybersecurity in financial services is having a challenging time keeping up with the rate of technological change. A survey conducted by the Ponemon Institute (on behalf of electronic design automation and software security company Synopsys) found that more than half of the financial services companies they surveyed suffered data breaches or system downtime due to attack.
The biggest challenges cited by those surveyed include stopping cyberattacks, managing risks in their supply chain, and assessing software for security issues after release or very late in the development process.
The State of Software Security in the Financial Services Industry report concluded that financial services firms must increase their attention toward cybersecurity, improve secure software development training, put into place more automated tools, and better manage open source components.
These organizations are still building needed software security skills and resources, and while most provide some form of secure development training for software developers, only a small percentage require or mandate such training, the report stated. To understand the effectiveness of their security controls, most of the organizations surveyed rely on their own internal assessments, rather than models such as the Building Security in Maturity Model or the Software Assurance Maturity Model.
The biggest catalyst for software vulnerability creation is the fact that vulnerability testing is taking place very late in production. Unfortunately, most of the financial services firms surveyed report running their software security testing after applications are released. This is probably owing to a lack of application security expertise, concerns about costs, and a fear that security processes earlier in the software development life cycle might impede development and slow response to market conditions,” the report said.
In fact, less than 50% of respondents said software security assessments occur during design or development and testing, and only 25% were confident that their organizations can detect security vulnerabilities in their financial software and systems before release.
While most financial services organizations develop their own software inhouse, more are turning to third parties, the report said. “While nearly three- quarters of respondents surveyed in our report are gravely concerned about the possibility of security vulnerabilities introduced by third-party suppliers, less than half of their organizations require third parties to adhere to specific cybersecurity requirements or to verify their security practices,” the report said.
The survey found that few financial services companies have an established process to inventory and manage internal, or third-party developed, open source code. “The lack of open source management exposes organizations to additional risk from vulnerabilities in the open source components in their applications,” the report said.
The report found:
- More than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. Unsurprisingly, the study shows that more organizations are effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).
- Nearly three-quarters (74%) of respondents were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.
- While most organizations follow a secure software development life cycle (SDLC) process, respondents reported that their organizations test, on average, only 34% of all financial software and technology developed or in use by their organization for cybersecurity vulnerabilities. For the software and technology that is tested for vulnerabilities, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.
The Ponemon Institute was commissioned by the Synopsys Cybersecurity Research Center to conduct the independent survey of current software security practices in the financial services industry. The goal was to understand the industry’s software security posture and its ability to address security-related issues, Synopsys said. For the report, Ponemon surveyed more than 400 IT security practitioners in various sectors of the financial services industry, including banking, insurance, mortgage lending/processing, and brokerage. Participant job roles included application deployment, application development, and providing services to the financial services industry.
The report concluded that no single approach, tool, or service will ensure complete security coverage for any FSI organization. The only “correct approach is the one that aligns with, supports, and protects the business, the report concluded.”
“The majority of respondents felt their organizations are much more effective in detecting and containing cyberattacks than in preventing those attacks,” the report said. While more secure software isn’t a panacea, if financial services firms (as this report and our previous post found) focused more on software security and secure software configuration systems would be more resilient from attack.