Banks among slowest to repair software vulnerabilities

The State of Software Security (SOSS) report, published by application security firm Veracode, found that the financial services industry is one of the slowest sectors to effectively repair common vulnerabilities in its software.

The global report found that financial services companies took 29 days to close a quarter of the vulnerabilities discovered in their code, and 573 days, more than a year and a half, to remediate all open vulnerabilities.

This slow response leaves banks’ customers exposed to attack for longer than necessary. Moreover, 67% of the applications currently used by banks carry information leakage flaws, a category that can expose personal data and put institutions in breach of the EU’s GDPR.

Software vulnerabilities

Research published by NCC Group in 2017 found that software vulnerabilities in the financial sector had more than quadrupled over four years, rising from an average of 217 per organisation in 2013 to 910 in 2016.

The financial sector has a reputation for some of the most mature cybersecurity practices of any industry.

Despite this, it remains slow to repair the open vulnerabilities found in its code.

“The industry is ranked second to last in major verticals for ‘latest scan OWASP pass rate’, and based on the flaw persistence analysis chart, it is leaving code vulnerabilities to linger longer than other industries,” the Veracode report reads.

“Sluggish speed” to respond to vulnerabilities

“Since financial institutions and banks hold highly valuable information and critical assets, they will continue to be a target of cybercriminals and malicious hacking,” said Paul Farrington, director of EMEA and APJ at Veracode.
“Our data shows the financial services sector scanning a huge volume of applications and finding flaws that need fixing. While that is encouraging, the next frontier is achieving greater speed in fixing those flaws because speed matters. The speed at which organisations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The sector should consider all dimensions of risk to prioritise which flaws to fix first.”
