mobile app security report

By Jeff Domansky, June 2, 2021

Two things jump out on first reading of Contrast Security’s 2021 State of Application Security in Financial Services Report.

First, the financial services industry leaders surveyed are big organizations. Nearly two-thirds (66%) had more than 2,000 software developers and engineers in their companies, and 52% had more than 50 employees solely dedicated to application security.


Second, despite their size, expertise, and financial resources, they remain woefully unprepared when it comes to application security on behalf of their customers. Just ask Klarna how things are going days after their massive mobile app security fail.

“It is clear that application security strategies have not matured at most of the financial services organizations represented in this survey,” said Jeff Williams, CTO and co-founder at Contrast Security.

We interviewed Williams to understand why the report shows the security of these applications is not a priority for the financial industry leaders surveyed.

Security risk is everywhere

While there are always new risks emerging, Williams identified the most common security challenges faced by financial institutions.

“For a very long time, the biggest risk has been the overwhelming number of serious vulnerabilities in their web applications and web APIs. It’s been the leading cause of breaches for many years,” he said, referring to Verizon DBIR data.

Jeff Williams, Contrast Security CTO

The second leading risk is the lack of runtime protection. Most organizations have no idea whether they are being attacked, much less who is attacking, what attack vectors they’re using, and what systems are under attack. 

“Runtime protection not only gives them this visibility but can also prevent vulnerabilities from being exploited. It is literally insane to put a server on the internet without runtime protection,” Williams explained.

The third risk is the use of open-source software, popular with agile developers and lean organizations or startups with demands for new digital apps, tight deadlines, and budget pressures to complete projects faster.

“It’s not that open-source libraries are any more or less full of vulnerabilities than code you write yourself. It’s that you must keep them up to date. Security researchers often find vulnerabilities in OSS and disclose them. Almost instantly, hackers start scouring the internet to see if any companies are vulnerable. That’s what happened to Equifax and other companies,” he said, describing recent high-profile security breaches.

Lack of preparedness and priorities

The issue of why financial institutions are so unprepared and fail to prioritize security is a little harder to explain.

Contrast Security revealed several eye-opening insights on financial institutions’ app security in its report:

  • Only 33% of organizations can track and report all remediated vulnerabilities.
  • Only 15% say their application security tools are fully integrated with their development tools.
  • 67% have 20+ serious vulnerabilities per application in development.
  • 37% have no knowledge of open-source licensing risk.

This looks like a massive disconnect between development and security teams.

“This is like asking car manufacturers in the ’70s why they were so unprepared to build safer cars. They clearly had the capability, but the market didn’t demand it. It took decades of evolution, involving disasters, regulation, competition, new technologies, protests, etc., for that market to evolve,” Williams said.

“I suspect that’s what it’s going to take for cybersecurity as well. It’s inevitable, but big changes take time. What is clear, however, is that the current level of insecurity is unsustainable. You could tell a similar story about pollution,” he added.

Klarna takes reputation hit

A combination of these factors may have played a role in Klarna’s massive mobile app meltdown days ago.

On its website, Klarna says, “Your website is your brand, your storefront, and the first contact with customers. It is your identity. If it is not secure, business relationships can be compromised, and a single security breach can be a death-knell for your business.”


Unfortunately, Klarna didn’t follow its own advice when introducing the recent mobile app update that collapsed services like a house of cards.

“I’ve worked on several instances of this type of problem in the past. Authentication and authorization almost always involve custom software built by teams specifically for each application. Getting this code correct is extremely difficult, and therefore there is an enormous opportunity for mistakes,” Williams warned.

A recent Check Point Research report corroborates the impact of mobile app security failures. Mobile app developers’ misconfiguration of third-party services exposed emails, passwords, names, and other personal data for more than 100 million users.

The good news for institutions looking to build out their strategy is that implementing a modern application security platform can dramatically accelerate their program and produce real improvement quickly.

“Instrumentation-powered application security can provide continuous security testing at massive scale, providing highly accurate feedback to developers in real-time, empowering them to find and fix their own vulnerabilities without direct help from application security specialists,” Williams concluded.

Security solutions are available


Fortunately, new security solutions are evolving quickly as new threats develop. Williams reviewed how “scan reports” and alerts operate and what they provide for financial institutions.

“Imagine thousands of web applications. Some are on the internet, and you might use them for online banking or managing investments,” he said. “The majority are only for employees, and they manage all the workflows of the business. These apps are huge, with hundreds of thousands of lines of code and several hundred open-source libraries. And they are changing and being deployed multiple times every single day.”

Williams said scanners attempt to find vulnerabilities in these web applications from the “outside in.” Some look at the source code; others try to attack the applications the way a hacker would. The idea is that you can find and fix vulnerabilities before they get into production.

False positives, false negatives a problem

81% of respondents told Contrast Security their application security teams spend three or more hours per false positive to identify it as such. As a result, the amount of time dealing with “false positives” and “false negatives” is substantial.


“Unfortunately, these tools were invented in the early 2000s, and they have not kept up with advances in modern software. They’re slow to run, generate a ton of false-positive alerts, miss serious issues, and create PDF reports,” he noted.

Williams said new tools are getting better. “More modern ‘interactive’ and ‘instrumentation’ tools work from the inside out. They directly measure application security from within the application and alert developers in real-time through the tools they are already using – chat, bug trackers, IDEs, and build tools.”

These tools help teams prevent vulnerabilities from reaching production. They point out issues with obscure names like “SQL injection, cross-site scripting, server-side request forgery, expression language injection, and hundreds more.” All these issues can lead to significant harm if they make it to production.
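To make the “inside out” idea concrete, here is a small added example (written for this article; it is not Contrast Security’s product or any code from the report). It instruments the point where SQL reaches the database, the same vantage point an instrumentation tool uses, and serves two passages above: in report mode it tells a developer that a query was built by concatenating request input (the SQL injection finding), and in block mode it acts as the runtime protection Williams describes, refusing the query in production. The `SqlSensor` class, the `accounts` table, and the request value `"alice"` are all constructed for the example; matching untrusted strings by substring is a deliberate stand-in for the taint tracking a real tool does, and the comment notes where that shortcut produces the false positives the next section discusses.

```python
"""Toy in-process (inside-out) SQL injection sensor.

Added example, not Contrast Security's code. Every query is inspected at the
moment it reaches the database: if a string that came from the request appears
verbatim inside the SQL text, the query was assembled by concatenation. In
report mode the finding goes to the developer; in block mode the query is
refused, which is the runtime-protection role.
"""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Finding:
    sql: str
    tainted_value: str
    blocked: bool


@dataclass
class SqlSensor:
    """Remembers request-derived strings and checks them against outgoing SQL."""
    block: bool = False                          # False: report (dev/test); True: block (production)
    tainted: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def taint(self, value):
        """Mark a value as untrusted, e.g. an HTTP parameter (hypothetical source)."""
        if isinstance(value, str) and value:
            self.tainted.add(value)
        return value

    def execute(self, cursor, sql, params=()):
        """Instrumented execute: inspect the SQL text before the database sees it.

        Substring matching is a simplification of real taint tracking; very short
        or common request values (e.g. "id") would match harmless SQL and produce
        exactly the false positives that cost analysts hours to triage.
        """
        for value in self.tainted:
            if value in sql:                     # untrusted data is part of the SQL text itself
                self.findings.append(Finding(sql=sql, tainted_value=value, blocked=self.block))
                if self.block:
                    raise PermissionError(f"blocked SQL built from untrusted input: {value!r}")
                break
        return cursor.execute(sql, params)


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250)])
    return conn


def lookup_vulnerable(sensor, conn, owner):
    """Vulnerable form: the untrusted value is concatenated into the SQL text."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return sensor.execute(conn.cursor(), sql).fetchall()


def lookup_hardened(sensor, conn, owner):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return sensor.execute(conn.cursor(), sql, (owner,)).fetchall()


def run_demo():
    """Run both query forms under a reporting sensor and a blocking sensor."""
    conn = make_db()
    report = SqlSensor(block=False)              # development: feed findings to the developer
    user_input = report.taint("alice")           # constructed request parameter; a benign value
                                                 # is enough, the sensor flags the concatenation
    vuln_rows = lookup_vulnerable(report, conn, user_input)
    safe_rows = lookup_hardened(report, conn, user_input)

    guard = SqlSensor(block=True)                # production: runtime protection
    guard.taint(user_input)
    try:
        lookup_vulnerable(guard, conn, user_input)
        blocked = False
    except PermissionError:
        blocked = True
    guarded_rows = lookup_hardened(guard, conn, user_input)

    return {
        "vulnerable_rows": vuln_rows,
        "hardened_rows": safe_rows,
        "reported_findings": len(report.findings),
        "reported_sql": report.findings[0].sql,
        "blocked_in_production": blocked,
        "hardened_rows_in_production": guarded_rows,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both lookups return the same row for a benign input, which is the point: a scanner working from the outside would have to guess a payload to notice any difference, while the in-process sensor sees the concatenation on the first ordinary request and reports it through whatever channel the team already uses. Only the hardened lookup survives in block mode.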

SolarWinds threat

One new and interesting risk area is SolarWinds-style attacks on the development teams themselves.


In early 2020, hackers broke into Texas-based SolarWinds’ systems and added malicious code into the company’s Orion software system, used by more than 30,000 companies to manage IT resources. That set off a chain reaction of concern about cybersecurity risk.

“If you attack the tools and platforms used to build an application, you can put any kind of backdoors or vulnerabilities you want in there. That’s a huge risk that nobody, NOBODY, is dealing with yet. We are all SolarWinds,” Williams emphasized.

“The right way forward is to create a combination of culture, teams, process, and technology – along with an executive-level mandate – that makes application security a priority. Try to break down silos between application security and development, and create the infrastructure that your software factory will need in order to produce security,” advised Williams.

The Verizon 2021 Data Breach Investigations Report sums up the state of financial institution and payments fraud risk best. “We’ve said it before, and we’ll say it again—everyone loves credentials. Credentials are the glazed donut of data types.”

You can download Contrast Security’s free 2021 State of Application Security in Financial Services Report to learn more about financial institution security.