Financial Sector Grapples with Rising Security Debt
The financial services sector finds itself at the epicentre of a growing cybersecurity challenge amidst digital evolution. As organisations globally hasten their digital transformation initiatives, they encounter a burgeoning spectrum of sophisticated cyber threats.
The emergence of AI-powered attacks, combined with a complex, swiftly changing regulatory environment, creates a perfect storm of cybersecurity challenges for the global financial industry. A significant revelation from Veracode, a leading provider of application security solutions, underscores a pressing issue: the accumulation of security debt across the sector.
This term, 'security debt', refers to long-standing security flaws in software applications that remain unaddressed for extended periods, potentially exposing organisations to significant risks.
Security Debt Pervades Financial Sector
The Veracode report, synthesising data from over a million applications spanning various industries, highlights a disturbing trend within the financial services sector. It finds that 76% of financial organisations carry security debt—flaws not fixed within a year. Alarmingly, 50% of these debts are critical, denoting high-severity flaws that substantially risk applications and necessitate urgent resolution.
"The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly.”
The financial sector, while slightly outperforming the cross-industry average—40% of applications have security debt as against 42% industry-wide—tends to accrue more security debt over time. This is especially concerning due to the sensitive nature of financial data and the severe implications a breach could have in this field.
Chris Wysopal, Chief Security Evangelist at Veracode, highlights the severe implications: "As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate."
"The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly."
Addressing First-Party and Third-Party Code Vulnerabilities
Veracode's findings stress the necessity for financial service entities to handle security flaws in both first-party and third-party code. While 84% of all security debt affects first-party code, a staggering majority of critical security debt arises from third-party dependencies. This emphasises the need for comprehensive security strategies that cover not just an organisation’s proprietary code but also the open-source and third-party components integrated into their applications.
The disparity in remediation timelines between first-party and third-party flaws is noteworthy. Financial organisations typically amend half of the first-party flaws within nine months, in contrast to 13 months for third-party flaws. Additionally, 52% of third-party flaws translate into security debt, compared to 44% of first-party flaws.
Efforts such as the Cybersecurity and Infrastructure Security Agency’s Open Source Software Security Roadmap and Secure by Design Pledge are vital. These initiatives aim to bolster the security of the open-source ecosystem, which is instrumental in modern software development across industries, including finance.
Global Financial System at Risk
- 76.2% of Financial Services have security debt
- 69.6% of others have security debt
- 49.8% of financial services have critical security debt
- 45.0% of others have critical security debt
The incessant accumulation of security debt within the financial sector poses severe consequences for the global economy. As financial institutions increasingly interconnect and depend on digital systems, a vulnerability in one system could cascade through the entire financial ecosystem.
This interconnectedness stresses the necessity of prompt and comprehensive attention to security debt. Moreover, due to the critical role the financial sector plays globally, it becomes a prime target for cybercriminals and state-sponsored threats, where unresolved security debt offers potential entry points for attacks that could lead to significant data breaches, financial fraud, or disruptions in critical financial services.
Veracode also underscores the imperative for financial institutions to prioritise their remediation efforts. By focusing on rectifying the most critical vulnerabilities first, organisations can substantially mitigate their risk exposure, even if they cannot immediately address all security debt.
Chris Wysopal concludes with a stark reminder and call to action for the industry: "It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets."
"I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and Application Security Posture Management tools which can detect, prioritise and fix vulnerabilities within seconds."
**************
Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024.
**************
FinTech Magazine is a BizClik brand.
