One-third of software used by banks has high-risk flaws

Veracode, a leading provider of application security testing (AST) solutions, has released findings from its State of Software Security (SOSS) Volume 10 report showing the finance industry fixes 76% of flaws in its software, well above the average 56% across all industries.

Yet the report also found financial services institutions were the second slowest industry, only behind healthcare, to remediate software flaws, taking over two months (67 days) on average.

The report studied levels of security debt, defined as the amount of unaddressed flaws that accumulate in software over time, across the financial services, government and education, healthcare, infrastructure, manufacturing, retail and technology industries.

While the financial services industry does not carry the highest amount of security debt, one third (36%) of the software used by financial firms has high-risk flaws. Information leakage (66%), cryptographic issues (61%) and code quality (58%) are the most prevalent flaw categories found within the sector.

Over the last two years, Veracode’s research into the state of software security has uncovered strong evidence that practices in keeping with a DevSecOps approach yield substantial benefits to the development teams that employ them. In Volume 9, the team discovered that the most active DevSecOps programmes fix flaws more than 11 times faster than the typical organisation.

The most recent SOSS, which analysed more than 85,000 applications across more than 2,300 companies worldwide, found that teams scanning applications most frequently carry about five times less security debt than infrequent scanners. But organisations that only focus on fixing new findings while neglecting ageing flaws can expect increasing security debt.

Paul Farrington, Chief Technology Officer, EMEA at Veracode, said: “The financial services sector in particular has undergone rapid Digital Transformation, leaving many large financial institutions with a hotchpotch of new and legacy systems. This has led to a vast amount of security issues, which is particularly precarious in such a heavily regulated industry that stores a wealth of personal data.

“To overcome these challenges, financial services organisations have had to up-skill quickly and over the past 10 years we’ve seen a vast improvement in the overall state of application security within the industry.

“In saying that, the report also shows there is still a way to go in reducing the growing security debt that financial organisations carry. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”

www.intelligentciso.com | Issue 21