Why the Finance Sector Grapples with Software Security Debt

The financial services sector finds itself at the epicentre of a growing cybersecurity challenge amid rapid digital evolution.
As financial institutions worldwide accelerate their digital transformation efforts to meet evolving customer demands and maintain competitiveness, they face an ever-expanding array of sophisticated cyber threats.
The rise of AI-powered attacks, coupled with a complex and rapidly adapting regulatory scene, has created a perfect storm of cybersecurity challenges for the global financial industry.
Addressing these challenges, recent research from Veracode, a leading provider of application security solutions, has shed light on a critical issue plaguing the financial services sector: the accumulation of security debt.
This term refers to long-standing security flaws in software applications that remain unaddressed for extended periods, potentially exposing organisations to significant risks.
Security debt pervasive in financial sector
The Veracode report, which analysed data from over a million applications across various industries, reveals a concerning trend in the financial services sector.
According to Veracode, 76% of financial organisations carry security debt, defined as flaws that remain unfixed for longer than a year.
Even more alarming is the finding that 50% of these organisations harbour critical security debt – high-severity flaws that pose substantial risks to applications and require immediate attention.
While the financial sector performs slightly better than the cross-industry average, with 40% of applications carrying security debt compared to 42% across all sectors, the report indicates that financial applications tend to accumulate more security debt over time.
This trend is particularly worrying given the sensitive nature of financial data and the potential consequences of a breach in the sector.
Chris Wysopal, Chief Security Evangelist at Veracode, emphasised the gravity of the situation: “As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate.”
“The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly.”
First-party vs third-party code vulnerabilities
Veracode also highlights the need for financial services organisations to address security debt in both first-party and third-party code.
While 84% of all security debt affects first-party code, the majority (798.6%) of critical security debt stems from third-party dependencies.
This finding underscores the importance of comprehensive security measures that encompass not only an organisation's proprietary code but also the open-source and third-party components integrated into their applications.
The study also revealed significant disparities in remediation timelines between first-party and third-party flaws.
Financial organisations typically fix half of first-party flaws within nine months, compared to 13 months for third-party flaws.
Additionally, 52% of third-party flaws turn into security debt, while 44% of first-party flaws do so.
These findings highlight the challenges financial institutions face in managing and updating third-party dependencies, which often require coordination with external developers or vendors.
The prevalence of security debt in third-party code emphasises the importance of initiatives such as the Cybersecurity and Infrastructure Security Agency's Open Source Software Security Roadmap and Secure by Design Pledge.
These programmes aim to enhance the security of the open-source ecosystem, which plays a crucial role in modern software development across industries, including finance.
Implications for the global financial system
The accumulation of security debt in the financial sector has far-reaching implications for the global economy.
As financial institutions become increasingly interconnected and reliant on digital systems, vulnerabilities in one organisation's software can potentially cascade through the entire financial ecosystem.
- 76.2% of financial services organisations have security debt
- 69.6% of organisations in other industries have security debt
- 49.8% of financial services organisations have critical security debt
- 45.0% of organisations in other industries have critical security debt
This interconnectedness amplifies the importance of addressing security debt promptly and comprehensively.
Moreover, the financial sector's critical role in the global economy makes it an attractive target for cybercriminals and state-sponsored threat actors.
The persistence of security debt provides these malicious actors with potential entry points to exploit, potentially leading to data breaches, financial fraud, or disruptions to critical financial services.
Veracode also emphasises the need for financial institutions to prioritise their remediation efforts.
By focusing on the most critical vulnerabilities first, organisations can significantly reduce their risk exposure even if they cannot immediately address all security debt.
This approach aligns with the growing emphasis on risk-based cybersecurity strategies in the financial sector.
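The report's definitions (a flaw becomes security debt once it has stayed unfixed for more than a year; critical security debt is the high-severity subset; fix times differ between first-party and third-party code) and the risk-based prioritisation recommended above can be turned into a simple set of metrics over a scan export. The following is an added illustration, not code from Veracode or from this article; the findings, dates and severity labels are constructed, and the one-year threshold and first-party/third-party split follow the definitions quoted in the text.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    """One flaw from a (hypothetical) scan export."""
    id: str
    severity: str            # "critical", "high", "medium" or "low"
    origin: str              # "first-party" or "third-party"
    opened: date             # date the flaw was first reported
    fixed: Optional[date] = None  # None while the flaw is still open


DEBT_AGE_DAYS = 365                                   # report's definition: unfixed for longer than a year
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
AS_OF = date(2024, 10, 1)                             # constructed reference date for "today"

# Constructed sample findings (not data from the report)
FINDINGS = [
    Finding("F-1", "high",     "first-party", date(2023, 3, 1)),                      # open 580 days -> debt
    Finding("F-2", "medium",   "first-party", date(2024, 6, 1)),                      # open 122 days
    Finding("F-3", "low",      "first-party", date(2023, 1, 10), date(2023, 7, 10)),  # fixed after 181 days
    Finding("F-4", "critical", "third-party", date(2023, 5, 1)),                      # open 519 days -> critical debt
    Finding("F-5", "high",     "third-party", date(2022, 9, 1), date(2023, 11, 1)),   # fixed after 426 days
    Finding("F-6", "critical", "first-party", date(2024, 8, 15)),                     # open 47 days, not yet debt
]


def age_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days the flaw was open: until its fix date if fixed, otherwise until as_of."""
    end = f.fixed if f.fixed is not None else as_of
    return (end - f.opened).days


def is_security_debt(f: Finding, as_of: date = AS_OF) -> bool:
    """Security debt: still open and older than DEBT_AGE_DAYS."""
    return f.fixed is None and age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date = AS_OF) -> bool:
    """Critical security debt: security debt at the highest severity."""
    return is_security_debt(f, as_of) and f.severity == "critical"


def debt_summary(findings: list[Finding], as_of: date = AS_OF) -> dict:
    """Open, debt and critical-debt counts split by code origin."""
    summary = {}
    for origin in ("first-party", "third-party"):
        subset = [f for f in findings if f.origin == origin]
        summary[origin] = {
            "open": sum(1 for f in subset if f.fixed is None),
            "debt": sum(1 for f in subset if is_security_debt(f, as_of)),
            "critical_debt": sum(1 for f in subset if is_critical_debt(f, as_of)),
        }
    return summary


def median_days_to_fix(findings: list[Finding], origin: str) -> Optional[float]:
    """Median remediation time for fixed flaws of one origin (None if nothing was fixed)."""
    durations = [age_days(f) for f in findings if f.origin == origin and f.fixed is not None]
    return median(durations) if durations else None


def remediation_queue(findings: list[Finding], as_of: date = AS_OF) -> list[str]:
    """Risk-based order for open flaws: highest severity first, oldest first within a severity."""
    open_flaws = [f for f in findings if f.fixed is None]
    open_flaws.sort(key=lambda f: (SEVERITY_RANK[f.severity], -age_days(f, as_of)))
    return [f.id for f in open_flaws]


if __name__ == "__main__":
    print(debt_summary(FINDINGS))
    for origin in ("first-party", "third-party"):
        print(origin, "median days to fix:", median_days_to_fix(FINDINGS, origin))
    print("remediation queue:", remediation_queue(FINDINGS))
```

The queue deliberately ranks by severity before age: a critical flaw opened last month is worked before a medium flaw that is already a year old, which is the "most critical first" approach the text describes. Tracking the third-party and first-party medians separately makes the remediation gap between the two visible in an organisation's own data rather than only in the industry averages.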
Chris concluded with a call to action for the industry: “It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets.
“I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and Application Security Posture Management tools which can detect, prioritise and fix vulnerabilities within seconds.”
Technology Magazine is a BizClik brand

