By: Taylor Armerding, Security expert at Synopsys Integrity Group
The financial services industry is falling behind in cybersecurity. A new report shows where organizations should focus their software security efforts.
When it comes to “walking the talk,” a new survey of cybersecurity professionals in the financial services industry (FSI) finds there is more talking than walking. Organizations say they worry about software vulnerabilities from third parties. They also say cloud migration tools and blockchain tools are the technologies that pose the greatest cybersecurity risk for their industry. But they wish they had more money to devote to security. And finally, they admit that their current practices are not enough — not nearly enough.
The Ponemon Institute, commissioned by the Synopsys Cybersecurity Research Center (CyRC), surveyed more than 400 security practitioners within FSI about their cybersecurity practices. The report, The State of Software Security in the Financial Services Industry (SS-FSI), offers insights into what FSI organizations are doing to secure their software and systems—and where they need to focus their efforts.
Key findings on cybersecurity in financial services
- Most organizations use financial software and systems supplied by third parties.
- They also say they worry about security vulnerabilities in those products. But fewer than half require vendors to comply with cybersecurity requirements or to verify their security practices.
- A majority say they follow a published secure software development life cycle (SSDLC). But on average, FSI organizations test only a third of all financial software and technology for vulnerabilities.
For those that do testing, a majority rely on penetration testing and security patch management to secure their technology. While both these activities are useful, they are far less effective than finding and fixing vulnerabilities early and throughout the software development life cycle (SDLC) using the multiple testing tools now available.
A corollary is that most FSI organizations don’t assess the cybersecurity vulnerabilities of software until after its release. Less than half of respondents do those assessments during software design, development, and testing. So it should be no surprise that only 25% are confident that they can detect security vulnerabilities in their software and systems before release.
Few respondents said they use software composition analysis (SCA) to identify and resolve vulnerabilities in open source code. The majority lack any established process to keep an inventory of that code and manage it.
Most financial services organizations provide secure development training for their software developers. But only a small percentage (19%) make that training mandatory.
FSI organizations are more likely to assess the effectiveness of their security programs internally than to use external assessment tools such as the BSIMM (Building Security In Maturity Model) and SAMM (Software Assurance Maturity Model).
More than half acknowledge that sensitive customer information has been stolen from their organization at some point.
How to improve cybersecurity in financial services
It is not that organizations are ignoring risks. More than two-thirds (67%) reported that they have a cybersecurity program or team. But only 23% of financial services organizations said software security is one of the responsibilities of product development.z
And based on their responses, they would like to do more but feel constrained by money and talent. Only 45% said their budget is adequate to address cybersecurity risks, and only 38% said their organizations have the necessary cybersecurity skills.
As Anna Chiang, product marketing manager at Synopsys, observed of the findings, “Many FSI companies are mostly flying blind—too much of the testing is done after product releases, which exposes them to unnecessary risk.”
But they don’t have to fly blind. There are ways to improve cybersecurity for financial services even with tight budgets and limited talent. They include:
Demand better security from third parties
To address the risks of vulnerabilities in third-party code, organizations should set out requirements for their vendors. Vendors should test their software during development. They should demonstrate compliance with industry security standards. And they should incorporate an outside, independent measurement of their software security initiative (SSI) such as the BSIMM.
Use multiple testing tools
No single tool or test does it all. And patching software after its release is, as experts say, trying to “bolt security on.” A better way is to “build security in” during the SDLC.
Automated tools include static, interactive, and dynamic application security testing (SAST, IAST, and DAST, respectively). These tools help developers find and fix vulnerabilities more quickly at less cost.
Respondents are aware of the benefits of at least some of these tools. They rated DAST as one of the most effective ways to reduce cybersecurity risks.
Don’t neglect open-source
As any security expert will tell you, you can’t protect what you don’t know you have. And if you develop software, you’re using some open source components — with the benefits and risks that come with them. The 2019 Synopsys Open Source Security and Risk Analysis (OSSRA) report found that of the 1,200+ codebases reviewed by the Synopsys Black Duck Audit Services team in 2018, 60% had at least one open-source vulnerability. More than 40% had high-risk vulnerabilities, and 68% had components with license conflicts.
Open source, while free, also comes with license risks. Organizations must review incoming third-party code (as well as code developed internally) for both security and legal risks. A comprehensive software composition analysis (SCA) solution can help financial services organizations manage open-source use across the software supply chain and throughout the application life cycle.
Other cybersecurity strategies
Manual planning and testing activities, such as secure architecture design, requirements definitions, threat modeling, code review, and fuzz testing, will help ensure software security at every phase of the financial services SDLC.
Don’t have the budget for internal security testing? Try outsourcing activities like pen testing and DAST to organizations that provide such services on demand.
Most organizations know they could do better and want to do better. This report doesn’t single out individual FSI organizations. Instead, it shows them as an industry where they need to do better.
And it offers specific recommendations on how to do better.