Don’t let myths undermine the security of financial software. We examine the seven myths and misconceptions found in FSI application security.
It’s obvious why cyber criminals are drawn to the financial services industry (FSI). It’s the Willie Sutton logic updated: he robbed banks because “that’s where the money is.” But today it’s not just banks. Financial services also include credit unions, investment and insurance companies, credit card companies, mortgage lenders, private equity firms, and venture capital organizations.
And while that’s obviously not the only place the money is in a modern economy, there’s a staggering amount of it in the FSI—an estimated $22 trillion worldwide, which is more than three times the estimated $6.55 trillion that the U.S. federal government spent last year. The FSI is also an almost unlimited attack surface. Just about everybody in modern life has a connection to it, and increasingly that connection is online. FSI organizations all have websites and mobile apps. You’ve seen the ads—it’s “banking reimagined.”
But all that money and all those attack points mean the need for online security is greater than ever. And unfortunately, how best to do that is not so obvious.
A new white paper from the Synopsys Software Integrity Group, “Application Security in the Financial Services Industry: Myths vs. Reality,” aims to help shed some light on the issue by identifying, explaining, and debunking the most significant of those myths.
The paper is based on the findings of the 2020 “Building Security In Maturity Model” (BSIMM) report, which presents data on the software security initiatives of 130 firms, primarily in nine verticals. Of that number, 42 are financial firms and another 21 are FinTech, which are effectively independent software vendors specifically for financial services.
The white paper identifies seven myths about the FSI that are both common and most likely to put both individuals and organizations at risk.
While that probably ought to be true, the perception that the FSI is secure because it handles so much sensitive data is wrong. The industry is heavily regulated and virtually all firms meet compliance requirements, but one of the ongoing mantras at security conferences is “compliance is not security.” In the case of the FSI, the high rate of compliance “has helped lull security leaders and customers into a false sense of security,” according to the paper.
The result is predictable. A recent independent study commissioned by Synopsys with the Ponemon Institute titled “The State of Software Security in the Financial Services Industry” found that 50% of FSI firms suffered data theft due to unsecure software.
In this case, the misperception is that the development of financial software can’t evolve toward DevOps, as is happening in other industries.
But as the report puts it, “there are no special snowflakes.” Just because the purpose of financial software is unique doesn’t mean it’s written, managed, and tested any differently than software written for any other purpose.
“Outdated development models inhibit development velocity and hinder go-to-market speeds. Organizations that refuse to adapt to the modern software landscape will fall behind, if they haven’t already,” the “Application Security in the Financial Services Industry: Myths vs. Reality” white paper said.
Yes, small banks tend to buy software while the big ones more often build their own. But the security of software, bought or built, is the responsibility of the user, not the vendor. Even the big firms that build their own software use commercial or open source components.
And when it comes to the importance of security, size doesn’t matter. Attackers are opportunistic and target systems using automated tools. If you’re vulnerable, they don’t care what size you are.
Yet the persistence of this myth is evident in the statistics. The Ponemon Institute found that only 43% of financial services firms require third parties to adhere to strict cyber security requirements or verify the security practices of third parties.
These days, even if a company knows everything in a software stack, it still might not have a complete picture of everything going into production. Open source software is a part of virtually every codebase, and it covers a broad range of AppSec activities and environments, from Docker and Kubernetes to supply chains, cloud deployments and shared responsibility models. Organizations need to understand them all.
The cloud doesn’t do security for you. The 2019 Capital One breach, enabled by the company’s misplaced trust in Amazon Web Services, was a stark illustration of that.
While cloud providers work hard to secure users’ deployments, security teams must still deploy secure containers into their cloud.
As BSIMM11 puts it, “cloud providers are 100% responsible for providing security software for organizations to use, but the organizations are 100% responsible for software security.”
Penetration or pen testing is a critical component of application security but it’s not enough—not nearly enough. Synopsys has documented that 50% of defects found in software are architectural flaws, which pen testing can’t find.
Security has to be built in throughout the software development life cycle, which begins with architecture risk analysis or threat modeling to identify those flaws.
That may be true for a select few, but not for most software developers. And depending on the aptitude of developers and how much time the learning curve takes, an FSI organization could be at serious risk while that learning does or doesn’t take place.
The reality is, if developers are going to become AppSec experts, they need training as well as experience. The Ponemon Institute study found that isn’t happening most of the time. Only 38% of FSI firms have employees with the cyber security skills required to secure their software. And 25% of employees have no security training at all, yet they’re still tasked with AppSec responsibilities.
Obviously, clinging to myths can put organizations at risk of becoming the next Capital One. But Synopsys offers two powerful ways to replace those myths with reality:
Security is a journey, not an event. But Synopsys can help organizations reach the right destination: building trustworthy software.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.