Financial app sec practice flaws revealed
Metrics and third-party controls are often not up to scratch in even well-funded, highly regulated sectors, highlighting scale of the challenge for others
A new benchmarking study by Security Compass digs deep into the application security practices and tools used by financial institutions, and finds that although these well-funded security programs have a wealth of advanced tools in play there are interesting gaps in application security practices.
Firstly, the good news is that three out of four respondents report that application security is a critical or high priority. And nearly all employ at least one kind of framework, standard, or maturity model to structure their application security program, with Building Security In Maturity Model (BSIMM) as the most popular, with an adoption rate of 89 per cent.
Web application attacks continue to be the largest source of incidents for financial institutions as per a 2016 Verizon Data Breach Investigations Report. This fact is probably why the Application Security Market has recently been projected to grow to US$7.544bn by 2021, from US$3.151bn in 2016 at a CAGR of 19.08 per cent, according to Research and Markets. The analyst firm ascribed this growth to factors such as stringent regulations, increasing security breaches targeting business applications, and rapid deployment of the web- and mobile-based applications, which it believes are driving the demand for application security solutions.
The benchmarking study found that while most financial institutions were conducting sophisticated appsec programs, many of the companies fell down on the types of metrics and key performance indicators (KPIs) used to track the effectiveness of policies.
For example, the most common KPI used by the respondents was a simple vulnerability count, typically totalled up from static analysis security testing (SAST) and dynamic analysis security testing (DAST) results, a metric used by 77 per cent of programs. According to the Security Compass report, this over-reliance on vulnerability counts could be a serious issue, as scanning by SAST and DAST tools alone probably misses about 46 per cent of application-level risks.
Additionally, a mere 46 per cent of organizations measure how long it takes to remediate vulnerabilities, and just 38 per cent of organizations track whether developer teams are following policies on which security tools to use, and only 15 per cent measure completion of security requirements.
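To show why a raw vulnerability count hides what the less-used KPIs reveal, here is an added example (not from the Security Compass study) that computes a vulnerability count, mean time to remediate, findings open beyond an assumed 30-day SLA, security-requirement completion and the share of findings that SAST/DAST alone would surface, over two constructed teams whose vulnerability counts are identical:

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass(frozen=True)
class Finding:
    team: str
    source: str             # activity that found it: "sast", "dast", "threat_model", "pentest"
    opened: date
    closed: Optional[date]  # None means still open

# Constructed sample data: two teams with an identical vulnerability count of four.
FINDINGS = [
    Finding("payments", "sast", date(2017, 1, 3), date(2017, 1, 10)),
    Finding("payments", "dast", date(2017, 1, 5), date(2017, 1, 12)),
    Finding("payments", "threat_model", date(2017, 1, 8), date(2017, 1, 18)),
    Finding("payments", "pentest", date(2017, 1, 9), None),
    Finding("mobile", "sast", date(2017, 1, 2), date(2017, 3, 3)),
    Finding("mobile", "sast", date(2017, 1, 4), date(2017, 3, 3)),
    Finding("mobile", "dast", date(2017, 1, 6), None),
    Finding("mobile", "dast", date(2017, 1, 7), None),
]
# Constructed: security requirements (defined, verified complete) per team.
REQUIREMENTS = {"payments": (12, 9), "mobile": (12, 3)}
AS_OF = date(2017, 3, 15)  # constructed reporting date

def vuln_count(findings, team):
    """The KPI most programs stop at: a raw count of findings."""
    return sum(1 for f in findings if f.team == team)

def mean_days_to_remediate(findings, team):
    """Average open-to-close time over closed findings; None if nothing closed."""
    days = [(f.closed - f.opened).days for f in findings if f.team == team and f.closed]
    return mean(days) if days else None

def open_beyond_sla(findings, team, as_of=AS_OF, sla_days=30):
    """Findings still open longer than the remediation SLA (assumed 30 days)."""
    return sum(1 for f in findings
               if f.team == team and f.closed is None and (as_of - f.opened).days > sla_days)

def requirement_completion(team):
    """Share of a team's security requirements verified complete."""
    defined, done = REQUIREMENTS[team]
    return done / defined

def scanner_only_share(findings):
    """Share of findings that SAST/DAST alone would have surfaced."""
    scanned = sum(1 for f in findings if f.source in ("sast", "dast"))
    return scanned / len(findings)
```

Both teams report four vulnerabilities, yet one remediates in about eight days with most requirements met while the other takes two months and has twice the SLA breaches.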
Rather brilliantly, a hard core 15 per cent of organizations don't track the effectiveness of their appsec programs. The majority of survey participants use at least some third-party software (58 per cent), but less than half of organizations require that their vendors have a secure software development lifecycle or application security policy. Only 38 per cent of organizations were able to perform static or dynamic testing.
Ilia Kolochenko, CEO of High-Tech Bridge commented: “Gartner highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration, however companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk.
Some large companies, handling and processing personal data, still fail to respect and even intentionally neglect the basics of information security. Despite numerous reports on increasing cybersecurity spending during the last few years, many companies do spend more, but aren’t becoming more secure. A holistic risk assessment, comprehensive asset inventory and continuous security monitoring are often omitted, even though they are probably the most important parts of information security strategy and management.”
A key challenge highlighted by all respondents while rolling out an application security program was that development teams were too busy to perform application security activities. An enormous 86 per cent of respondents across all industries reported the same challenge. Internal resistance to the program was often high, stemming from a lack of education as to why application security is important, which 46 per cent cited as a challenge. This in turn hindered performing application security activities at the grassroots level, a challenge that the same proportion (46 per cent) mentioned.
Overall, the survey telegraphs the scale of the application security task facing all sectors. Given the intensive regulation faced by the financial sector, and the exponential rise in attacks on these companies, it’s clear that enterprises in less well-funded verticals will be playing catch-up. On the bright side, education, operational culture and security training all play a disproportionately key part compared to simple budget, as the Financial Conduct Authority told the City late in 2016:
“Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.”