Financial Sector Grapples with Rising Security Debt

Veracode reports on the finance sector grappling with software security debt
The financial services sector faces urgent challenges as AI-driven attacks and regulations intensify

The financial services sector finds itself at the epicentre of a growing cybersecurity challenge amidst digital evolution. As organisations globally hasten their digital transformation initiatives, they encounter a burgeoning spectrum of sophisticated cyber threats.

The emergence of AI-powered attacks, combined with a complex and rapidly changing regulatory environment, creates a perfect storm for the global financial industry. A report from Veracode, an application security vendor, underscores a pressing issue underneath it: the accumulation of security debt across the sector.

This term, 'security debt', refers to long-standing security flaws in software applications that remain unaddressed for extended periods, potentially exposing organisations to significant risks.

Security Debt Pervades Financial Sector

The Veracode report, which draws on scan data from over a million applications across industries, highlights a worrying trend in financial services. It finds that 76% of financial organisations carry security debt, defined as flaws left unfixed for more than a year. Half (50%) of financial organisations carry critical security debt: high-severity flaws that put applications at substantial risk and need urgent remediation.


At the application level the financial sector slightly outperforms the cross-industry average (40% of applications carry security debt against 42% industry-wide), but it tends to accrue more security debt over time. That is especially concerning given the sensitivity of financial data and the severity of the consequences a breach in this field can have.

Chris Wysopal, Chief Security Evangelist at Veracode, highlights the severe implications: "As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate."

"The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly."

Addressing First-Party and Third-Party Code Vulnerabilities

Veracode's findings stress that financial services firms must handle security flaws in both first-party and third-party code. While 84% of all security debt sits in first-party code, the large majority of critical security debt arises from third-party dependencies. Scanning only proprietary code therefore misses most of the critical backlog; the open-source and vendor components bundled into an application need the same remediation discipline as the organisation's own code.

The gap in remediation timelines between first-party and third-party flaws is also notable. Financial organisations typically fix half of their first-party flaws within nine months, against 13 months for third-party flaws. Consistent with that, 52% of third-party flaws end up as security debt, compared with 44% of first-party flaws.

Distribution of all flaws based on severity rating and security debt status (image credit: Veracode)

Efforts such as the Cybersecurity and Infrastructure Security Agency’s Open Source Software Security Roadmap and Secure by Design Pledge are vital. These initiatives aim to bolster the security of the open-source ecosystem, which is instrumental in modern software development across industries, including finance.

Global Financial System at Risk

Key facts from the report:
  • 76.2% of financial services organisations have security debt
  • 69.6% of organisations in other industries have security debt
  • 49.8% of financial services organisations have critical security debt
  • 45.0% of organisations in other industries have critical security debt

The incessant accumulation of security debt within the financial sector poses severe consequences for the global economy. As financial institutions increasingly interconnect and depend on digital systems, a vulnerability in one system could cascade through the entire financial ecosystem.

This interconnectedness makes prompt and comprehensive attention to security debt a necessity. Because of the critical role the financial sector plays globally, it is also a prime target for cybercriminals and state-sponsored threats, and unresolved security debt offers them ready entry points for attacks that could lead to large data breaches, financial fraud, or disruption of critical financial services.


Veracode also underscores that financial institutions need to prioritise their remediation efforts. By fixing the most critical flaws first, and the oldest critical flaws before the rest, organisations can substantially reduce their risk exposure even where they cannot clear all of their security debt at once.
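The metrics this article reports (security debt, critical debt, the first-party versus third-party split, the time by which half of all flaws are fixed, and a severity-first remediation queue) can be computed from any SAST or SCA findings export. The following is an added example written for this page and is not Veracode's code or tooling; the finding records, the field names, and the rule that "critical" debt means severity critical or high are assumptions made for illustration.

```python
"""Security-debt metrics over a scanner findings export (added example).

Uses the article's definition of security debt: a flaw still open more
than a year after it was first seen. Everything below the definitions
(record layout, sample data, what counts as 'critical') is an assumption
for this example, not Veracode's methodology.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_THRESHOLD_DAYS = 365                     # "not fixed within a year"
CRITICAL_SEVERITIES = {"critical", "high"}    # assumption: what 'critical debt' means
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str            # one of SEVERITY_RANK
    origin: str              # "first-party" (own code) or "third-party" (dependency)
    first_seen: date
    closed: Optional[date] = None   # None means the flaw is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days the flaw was (or has been) open."""
    return ((f.closed or as_of) - f.first_seen).days


def is_debt(f: Finding, as_of: date) -> bool:
    """Backlog view: open and older than the one-year threshold."""
    return f.closed is None and age_days(f, as_of) > DEBT_THRESHOLD_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_debt(f, as_of) and f.severity in CRITICAL_SEVERITIES


def debt_fraction(findings, origin: str, as_of: date) -> float:
    """Share of flaws of one origin (first- or third-party) that are debt."""
    group = [f for f in findings if f.origin == origin]
    return sum(is_debt(f, as_of) for f in group) / len(group) if group else 0.0


def half_fix_days(findings, origin: str) -> Optional[int]:
    """Smallest number of days by which at least half of the flaws of this
    origin had been closed, or None if half have not been fixed yet.
    Open flaws never count as fixed, so no survival-analysis trick is needed."""
    group = [f for f in findings if f.origin == origin]
    if not group:
        return None
    closed_ages = sorted((f.closed - f.first_seen).days for f in group if f.closed)
    need = (len(group) + 1) // 2           # ceil(n / 2)
    if len(closed_ages) < need:
        return None
    return closed_ages[need - 1]


def prioritised_backlog(findings, as_of: date) -> list[str]:
    """Open flaws ordered highest severity first, debt before non-debt,
    then oldest first, which is the 'fix the most critical first' order."""
    open_flaws = [f for f in findings if f.closed is None]
    open_flaws.sort(key=lambda f: (-SEVERITY_RANK[f.severity],
                                   not is_debt(f, as_of),
                                   -age_days(f, as_of)))
    return [f.id for f in open_flaws]


def summarise(findings, as_of: date) -> dict:
    return {
        "debt_fraction_first_party": debt_fraction(findings, "first-party", as_of),
        "debt_fraction_third_party": debt_fraction(findings, "third-party", as_of),
        "half_fix_days_first_party": half_fix_days(findings, "first-party"),
        "half_fix_days_third_party": half_fix_days(findings, "third-party"),
        "critical_debt_count": sum(is_critical_debt(f, as_of) for f in findings),
        "backlog": prioritised_backlog(findings, as_of),
    }


# Constructed sample export (not real scan data), evaluated as of 2024-06-01.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", "first-party", date(2022, 1, 10)),                    # open 873 days
    Finding("F2", "high",     "third-party", date(2023, 1, 15)),                    # open 503 days
    Finding("F3", "medium",   "first-party", date(2023, 9, 1)),                     # open 274 days
    Finding("F4", "low",      "third-party", date(2024, 1, 1), date(2024, 3, 1)),   # fixed in 60 days
    Finding("F5", "high",     "first-party", date(2023, 2, 1), date(2023, 8, 1)),   # fixed in 181 days
    Finding("F6", "medium",   "first-party", date(2023, 1, 1), date(2023, 12, 1)),  # fixed in 334 days
    Finding("F7", "critical", "third-party", date(2022, 11, 1), date(2023, 12, 1)), # fixed in 395 days
    Finding("F8", "medium",   "third-party", date(2023, 3, 1)),                     # open 458 days
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed sample the third-party half-fix time (395 days) exceeds the first-party one (334 days) and third-party flaws are twice as likely to be debt, the same shape the report describes. The backlog order puts the two critical-severity debt items first and an old medium-severity debt item ahead of a newer one, so a team that can only work the top of the queue still removes the highest-risk exposure first.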

Chris Wysopal concludes with a stark reminder and call to action for the industry: "It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets."

"I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and Application Security Posture Management tools which can detect, prioritise and fix vulnerabilities within seconds."



FinTech Magazine is a BizClik brand.
