Application security not a priority for financial services institutions

Contrast Security announced the findings of a report based on a comprehensive survey of development, operations, and security professionals and executives at enterprise-level financial services institutions. The report explores the state of application security at these organizations, and the findings indicate that the security of these applications – that have access and control over consumers’ finances – is not a priority or major concern for most of them.

With most attacks on financial services institutions executed at the application layer at a time when customers demand more digital services, and customer-facing applications are developed in-house, application security is mission critical.

Methodologies like Agile and DevOps – and a growing use of open-source code and APIs – have accelerated the development process, enabling financial institutions to speed up digital transformation initiatives that had been planned for months or years in the future.

However, the financial services industry, including banking, insurance, and investment firms, has long been a target of cybercriminals, and this has only accelerated due to the COVID-19 pandemic.

Many organizations experiencing successful application exploits

When multiple serious vulnerabilities are present in an application, cybercriminals have many opportunities to mount a successful attack. 98% of respondents admit that they have experienced at least three successful application exploits in the past year that have caused an operational disruption and/or a data breach.

Astoundingly, 52% of organizations saw 10 or more successful attacks over 12 months. As a result, 99% of respondents in organizations with more than 15,000 employees peg the cost of each attack at $1 million or above.

The high rate of false positives combined with the lack of actionable information in scan reports creates a major time sink for both development and security teams.

81% of respondents say that their application security teams spend three or more hours per false positive to identify it as such. So when a legitimate vulnerability is identified, 72% of respondents said their organization’s application security team spends six or more hours to triage, diagnose, and prioritize remediation for the development team.

The baton then is passed to developers, who spend 10 or more hours per vulnerability to perform remediation and verification, according to 69% of respondents. With a scan report potentially containing hundreds of alerts, with a majority being false positives, these staff hours add up quickly for both the development and the security teams.

Application security budgets increasing, but with no strategy in place

Given application security is an increasing concern for enterprises, 75% of respondents report that their application security budget is increasing in 2021, and 24% say that increase is more than 15%. Despite this emphasis on application security, only 40% of organizations place direct responsibility for application security under the CISO. So while budgets are increasing at many organizations, some may not have a solid strategy in place to use those funds wisely. A crucial starting point will be to ensure security keeps up with the pace of development.

“It is clear that application security strategies have not matured at most of the financial services organizations represented in this survey,” said Jeff Williams, CTO at Contrast Security.

“The good news for institutions looking to build out their strategy is that implementing a modern application security platform can dramatically accelerate their program and produce real improvement quickly. Instrumentation-powered application security can provide continuous security testing at massive scale, providing highly accurate feedback to developers in real time, empowering them to find and fix their own vulnerabilities without direct help from application security specialists.”