As organisations work to transform their application security (AppSec) practices and streamline their DevOps development model, they continue to struggle to implement tools and processes that can scale and keep pace.
As Adam Brown, managing security consultant at Synopsys Software Integrity Group, reports, the complexities of managing and maintaining open source, and the adoption of cloud-native architectures and their associated microservices, all increase the degree of difficulty.
Further, supply chain intricacies make it very difficult to get a full picture of an organisation’s risk profile. It’s no surprise that AppSec continues to be an increasingly complex challenge for organisations adopting modern development practices.
This is particularly true for the financial services industry (FSI), where the stakes are high. In 2019, the global financial services market was valued at a whopping $22 trillion (€18.65 trillion). Opportunities for exploit abound, and financial services firms are often high-profile targets.
In the shadow of unrelenting real-world challenges, these firms are often a first-choice target for attackers. During the first year of the COVID-19 pandemic, over 70% of financial services firms experienced a successful cyber-attack, and COVID-related business conditions were perceived as being to blame. In the event of a breach, companies must cover millions in losses. In 2019, the average cost per breach was $5.86 million (€4.97 million).
Problems that existed before COVID, like supply chain risk management, budgeting and resource constraints, and a lack of security training, have only worsened. This is the reality facing financial services firms.
There are many myths and misconceptions that linger in the financial services industry regarding application security. So we used the 2020 “Building Security in Maturity Model” (BSIMM) report research data to debunk and explain three of the biggest myths, in an effort to provide clarity and guidance. Regardless of your personal experiences and perception of these myths, there are concrete steps you can and should take to ensure your AppSec program is on track.
Myth 1: Financial services firms are secure because they must be
Overall, the perception of financial services is that the industry is secure. This is based on no evidence or data, but rather on the belief that as the gatekeepers of everyone’s sensitive data, it simply must be secure.
Because the industry is highly regulated, financial services firms tend to be very good at remaining compliant. This has helped lull security leaders and customers into a false sense of security. While an organisation may indeed gain short-term comfort from successfully meeting compliance requirements, long-term problems arise when organisations fail to scrutinise their security practices beyond compliance.
If you’re feeling ill-prepared to tackle the onslaught of security challenges in your firm, you’re not alone. Many organisations don’t have a firm grasp on what activities they need to be implementing beyond basic penetration testing.
Financial services firms are not so secure.
In a recent independent study commissioned by Synopsys with the Ponemon Institute, “The State of Software Security in the Financial Services Industry,” the findings highlight the misconception of FSI security. Ponemon discovered that 50% of financial services firms experienced data theft due to insecure software.
This undoubtedly stems from the fact that only 34% of FSI software is tested (beyond penetration testing) for security vulnerabilities. And only 45% of financial services firms believe they have adequate security budget to address their risks, while 76% say it’s difficult to detect security vulnerabilities in financial software systems before going to market.
Myth 2: Financial software is different from other software (and therefore can’t change)
A lot of financial services firms still believe their software is inherently different from other types of software, and it’s therefore incapable of change. They believe they cannot afford to make important shifts toward DevOps, and place unwarranted trust in tried-and-true practices such as the waterfall methodology. The perception is that what has worked in the past will continue to work.
There are no special snowflakes.
The authors of the first BSIMM back in 2008 thought this too and anticipated needing two models, one for how banks write software and another for how tech firms do it. However, after interviewing the original nine participants of the first BSIMM and analysing the data, it was found that a single model applied to all organisations that develop software. Financial software is written, managed, and tested in the same manner as any other software. It is, after all, software.
Many financial services firms have a conservative attitude to adopting new processes, methodologies, technology and culture. Outdated development models inhibit development velocity and hinder go-to-market speeds. Organisations that refuse to adapt to the modern software landscape will fall behind, if they have not already. New technology companies, on the other hand, either adopt new approaches quickly or were built on them from the start.
Attracting top talent will also be a challenge for firms unwilling to modernise; developers are uninterested in working for organisations stuck in the past. The future success of your firm relies on a move to DevOps, which will help make your software better, your development faster, and your overhead lower.
Myth 3: You control everything that’s in your deployed software
Many financial services firms believe they have a good understanding of all the components and elements in their deployed software. But knowledge of the software stack itself is not a complete picture of everything going into production, not even close. Even larger financial services firms struggle with this misconception.
You have an incomplete picture.
Today, all financial services firms use some form of open source software, and it reaches across a broad range of AppSec activities and environments. From Docker and Kubernetes to supply chains, cloud deployments, and shared responsibility models, you need to understand all the code and every component in your environment. Knowing exactly what you’re deploying, and the security posture of each component, is critically important.
Financial institutions are often seen in a league of their own. As the bearers of a wealth of sensitive information, they are held to a higher standard than most. The pomp and circumstance that comes with this exceptionally regulated industry then creates the perception, among the general public as well as those within it, that they are more secure and possess technologies and software unlike those of other industries. However, the reality is that they are really no different from everyone else, though they do continue to represent high-profile targets.
As for any organisation, it is not enough to pass a compliance audit once a year and call it a day. Moreover, organisations worldwide are becoming increasingly sophisticated on a technical front, and if they can make the shift to DevOps, so too can finance firms.
Last but not least, these institutions must recognise that they are very likely employing some form of open-source software, which requires their attention. If we can successfully bust these myths, we will all be one step closer to more secure AppSec practices within the industry.
The author is Adam Brown, managing security consultant, Synopsys Software Integrity Group.