The financial industry’s digital transformation is highly reliant on applications, just like the rest of the software development ecosystem. This requires everyone involved to invest in application security management as part of the effort to protect their data and systems.
According to Boston Consulting Group research, financial service firms experience up to 300 times as many cyber attacks per year compared to companies in other industries.
VMWare Carbon Black’s most recent ‘Modern Bank Heists 3.0’ research report also provides important insights based on a survey conducted with 25 security leaders from top financial institutions. The VMWare Carbon Black report states that 80% of participants reported an increase in cyberattacks over the past 12 months, a 13% increase from 2019. In addition, the report revealed that from February to April 2020, amid the COVID-19 surge, cyberattacks against the financial sector increased by 238%.
The VMWare Carbon Black research reveals that 64% of participants said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks and advanced TTPs for hiding malicious activity. These hackers exploit weaknesses in people, processes, and technology to gain a foothold and persist in the network in order to transfer funds and exfiltrate sensitive data.
As cybercriminals find new ways to attack, breach, and exploit organizations, cyber threat patterns evolve and become more sophisticated. Financial organizations need solutions that assess and manage security vulnerabilities and their vendors’ vulnerabilities in real time to ensure their safety as well as their reputation.
The AppSec challenges facing financial institutions today include regulation that is increasingly vigilant in cyber-security measures, gaining customer trust in an age when it seems all of our private details are online always, and securing the many applications that their digital ecosystem relies on.
Following is our breakdown of the top three AppSec challenges that we think financial institutions should address head-on, yesterday.
Financial institutions are a highly regulated and closely monitored bunch. Processes, systems, and applications need to be managed, documented, and reported regularly, leaving little room for error.
Regulations and directives like HIPAA and the California Consumer Privacy Act in the US, and the Network and Information Security Directive and GDPR in the EU are particularly stringent regarding records containing private data. In addition, PCI-DSS (Payment Card Industry Data Security Standard) compliance is another important regulatory issue to address for any organization that accepts, processes, stores or transmits credit card information to maintain a secure environment.
Regulation also applies to third-party components. Financial institutions are held accountable and need to ensure that their software suppliers adhere to compliance and regulatory requirements. This means that financial organizations need to ensure that their offerings are well-managed and comprehensively documented. This affects all aspects of the DevSecOps pipeline – development, release, deployment, and operations processes.
Innovation and time to market are essential to all successful software offerings. For financial services institutions to remain competitive and to maintain innovation in their solutions, they also need to ensure that their offerings are secure and dependable.
Customers and end-users are becoming increasingly aware of the risks of allowing companies to store their personal data and credentials, and companies in the financial services industry need to assure customers that they are worthy of their trust.
A breach can lead to a rapid loss of trust from consumers, leading to a high attrition rate that can wreck a company’s reputation.
In the highly regulated financial industry, technologies are increasingly reliant on open source components. As open source reshapes both our development processes and our applications and products, we open the door to exciting new opportunities but also to a new set of security risks.
Recent vulnerabilities in open source components raised awareness of the need to monitor open source components used in financial products as part of an organization’s application security strategy.
The founding of organizations like The Fintech Open Source Foundation (FINOS) a nonprofit founded by tier one firms including Deutsche Bank, Bank of America, J.P. Morgan, Credit Suisse, Citi, and Morgan Stanley dedicated to building an open source community and development ecosystem to foster innovation in financial services, shows us that the financial industry is making an effort to embrace third-party and open source components.
In order to ensure that adopting innovative technologies doesn’t come at the price of security, FINOS partnered with Mend to act as a gatekeeper for their open source ecosystem, automatically enforcing the organization’s security policies. According to Maurizio Pillitu, the FINOS’s Director of DevOps, who spoke to us for our case study about the partnership, implementing automatic security management throughout the development lifecycle has resulted in significant buy-in from the financial industry. He cited their extensive list of platinum members and the growing number of organizations that are signing the contributor license agreements that allow them to take part in the initiative.
Implementing continuous management and reporting of the open source components being used throughout the software development lifecycle helps financial institutions maintain their competitive edge and stay secure without slowing down development or affecting quality with outdated methods like manual code scanning.
These days it seems we are continually oscillating between exciting and disruptive technological innovation and the unexpected and unmeasurable risks that they bring.
In order to stay ahead in the competitive financial industry landscape, playing it safe can feel like an unattainable option. That said, as we learn about the risks that we face and assess our challenges, we can leverage technology to automate important security and compliance processes while staying ahead of the game.
Financial institutions that ensure compliance with industry security standards and implement the DevSecOps tools and policies to stay one step ahead of the hackers will succeed in earning and maintaining customer trust while driving innovation in the financial industry.