The financial services industry is falling behind in cyber security. A new report shows where organizations should focus their software security efforts.
When it comes to “walking the talk,” a new survey of cyber security professionals in the financial services industry (FSI) finds there is more talking than walking. Organizations say they worry about software vulnerabilities from third parties. They also say cloud migration tools and blockchain tools are the technologies that pose the greatest cyber security risk for their industry. But they wish they had more money to devote to security. And finally, they admit that their current practices are not enough—not nearly enough.
The Ponemon Institute, commissioned by the Synopsys Cybersecurity Research Center (CyRC), surveyed more than 400 security practitioners within FSI about their cyber security practices. The report, The State of Software Security in the Financial Services Industry (SS-FSI), offers insights into what FSI organizations are doing to secure their software and systems—and where they need to focus their efforts.
It is not that organizations are ignoring risks. More than two-thirds (67%) reported that they have a cyber security program or team. But only 23% of financial services organizations said software security is one of the responsibilities of product development.
And based on their responses, they would like to do more but feel constrained by money and talent. Only 45% said their budget is adequate to address cyber security risks, and only 38% said their organizations have the necessary cyber security skills.
As Anna Chiang, product marketing manager at Synopsys, observed of the findings, “Many FSI companies are mostly flying blind—too much of the testing is done after product releases, which exposes them to unnecessary risk.”
But they don’t have to fly blind. There are ways to improve cyber security for financial services even with tight budgets and limited talent. They include:
To address the risks of vulnerabilities in third-party code, organizations should set out requirements for their vendors. Vendors should test their software during development. They should demonstrate compliance with industry security standards. And they should incorporate an outside, independent measurement of their software security initiative (SSI) such as the BSIMM.
No single tool or test does it all. And patching software after release is what experts call trying to “bolt security on.” A better way is to “build security in” throughout the SDLC.
Automated tools include static, interactive, and dynamic application security testing (SAST, IAST, and DAST, respectively). These tools help developers find and fix vulnerabilities earlier, more quickly, and at lower cost than post-release patching.
Respondents are aware of the benefits of at least some of these tools. They rated DAST as one of the most effective ways to reduce cyber security risks.
As any security expert will tell you, you can’t protect what you don’t know you have. And if you develop software, you’re using some open source components—with the benefits and risks that come with them. The 2019 Synopsys Open Source Security and Risk Analysis (OSSRA) report found that of the 1,200+ codebases reviewed by the Synopsys Black Duck Audit Services team in 2018, 60% had at least one open source vulnerability. More than 40% had high-risk vulnerabilities, and 68% had components with license conflicts.
Open source, while free, also comes with license risks. Organizations must review incoming third-party code (as well as code developed internally) for both security and legal risks. A comprehensive software composition analysis (SCA) solution can help financial services organizations manage open source use across the software supply chain and throughout the application life cycle.
Manual planning and testing activities, such as secure architecture design, requirements definitions, threat modeling, code review, and fuzz testing, will help ensure software security at every phase of the financial services SDLC.
Don’t have the budget for internal security testing? Try outsourcing activities like pen testing and DAST to organizations that provide such services on demand.
Most organizations know they could do better and want to do better. This report doesn’t single out individual FSI organizations. Instead, it shows where the industry as a whole needs to do better.
And it offers specific recommendations on how to do better.