Veracode’s latest State of Software Security report revealed financial services is one of the slowest industries when it comes to addressing common vulnerabilities found in software. The global report found financial services companies took 29 days to address a quarter of their vulnerabilities in coding—and over a year—573 days—to remediate all open vulnerabilities. It also ranked as second to last of all other sectors in terms of speed to complete flaw remediation.
This is worrying given the IT outages occurring within the global financial services industry.
In spite of this, Veracode’s report did reveal that the largest population of applications scanned came from the financial vertical. While financial organisations tend to have the reputation of having some of the most mature overall cybersecurity practices, Veracode’s data shows they struggle like the rest to stay on top of application security. The industry ranked second to last in the major verticals for latest scan OWASP pass rate, and based on the flaw persistence analysis chart, it is leaving coding flaws to linger longer than other industries.
Even as it is prolific at testing, the financial sector tests almost as many apps as the technology sector, the sector in general is still slow in responding to responding to open vulnerabilities. Additionally, the banking sector addresses the first half of its open flaws slowly, but it starts to pick up speed once it passes the halfway point.
“Since financial institutions and banks hold highly valuable information and critical assets, they will continue to be a target of cybercriminals and malicious hacking,” said Paul Farrington, Director of EMEA and APJ at Veracode. “Our data shows the financial services sector scanning a huge volume of applications and finding flaws that need fixing. While that is encouraging, the next frontier is achieving greater speed in fixing those flaws because speed matters. The speed at which organisations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The sector should consider all dimensions of risk to prioritise which flaws to fix first.”
It’s a tough job for banks to coordinate cybersecurity awareness so it’s at the forefront of employee’s minds. The sluggish speed to which banks initially respond to vulnerabilities could be an indication of bureaucracy that may impede initial progress, but which is likely overcome once security teams and developers collaborate more to cut through the red tape.