From the rising importance of digital transformation, we have seen a shift in application security debt within the financial services industry. Although financial organisations tend to have the reputation of having some of the most mature overall cybersecurity practices, and a willingness to invest in modern solutions to protect their data and networks, many are still facing an uphill climb.

One of the growing pain points for the financial organisations is the rise of security debt. Security debt is defined as the amount of software flaws identified but left unresolved, and the longer those unresolved flaws linger, the less likely they are to be fixed. The financial services industry has the largest population of applications under test compared to other industries, and can boast the highest number of flaws fixed. Therefore, with the growth of applications comes the need for modern, scalable cybersecurity practices and security infrastructures in order to reduce ever-emerging risks.

Security debt is on the rise for banks

Today’s banks’ IT infrastructures are a combination of legacy and modern applications, which requires specific skillsets to handle the complexity of the infrastructure. Competition within financial services is vibrant. Banks are competing to bring new technical features to market first. As development payload delivery increases, so too does the risk of a security incident if controls are not keeping pace. In the main, we see that security bugs are accumulating. This means that some UK banks have a growing security debt which they need to pay down.  

Research revealed that banks and other financial institutions are on average able to fix 76% of flaws in its software, well above the average 56% across all industries. While this industry’s fix rate is the best, it is among the slowest to resolve flaws: the median time to resolve in the financial sector is over two months (67 days). Comparatively, the healthcare, retail, technology and government sectors all remediate flaws faster.

The customary practice of keeping track of credit card bills and loans to reduce debt, applies to software security, as it makes it easier to bring debt down at a rapid rate. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time as interest in the form of extra work, which compounds into security debt that’s increasingly difficult to reduce the longer you wait. But too often, the demands of accelerated development timelines mean applications are inadequately tested, if tested at all.

Securing the software that supports digital transformation projects

Due to its on-premises nature, traditional application security testing tools are complex to manage and difficult to scale. Their ability to support software security needs when on-site support and implementation is required is especially difficult during this pandemic. This further strains development and security teams’ ability to test applications across the software development lifecycle, which increases risk exposure to the business to targeted vulnerability exploitation.

As digital transformation has accelerated due to the current working environments, a key way for businesses to compete is by partnering with Cloud Service Providers (CSPs). Companies are increasingly choosing SaaS when purchasing technology solutions. By adopting cloud-first technologies, businesses are in the best position to achieve business continuity and scale their application security programs as their needs increase. The cloud also provides the ability for businesses to scale easily for multiple, dispersed business units, development and security teams.

With software updates managed by a cloud service provider, SaaS security solutions can more easily keep pace with the quickly evolving threat landscape. The European Central Bank recently warned that a combined cyberattack on important banks could trigger global financial instability. In addition, malware, ransomware, and other threats targeted at both banks and consumers create an amplified need to create secure software.

An example of this can be seen at OneSpan Inc., a provider of trusted identities, e-signatures, and secure transactions to banks, which implemented SaaS application security and modern secure coding practices. OneSpan’s solutions are helping banks and financial firms protect data and processes from cyber threats targeted at financial, potentially saving them billions in fraud.

OneSpan serves more than 10,000 customers, including 60 of the top 100 global banks, with solutions in identity verification and authentication, fraud analysis, and mobile app security, among others. Its customers rely on these solutions to achieve digital transformation securely and at scale. OneSpan uses comprehensive software security analysis within a SaaS platform to integrate security into its software development lifecycle. Its development teams scan software for potential vulnerabilities multiple times daily, a best practice for achieving DevSecOps.

Mitigating risks in real-time

Organisations which provide their developers with the tools, training, and speed to address vulnerabilities directly within their workstream are not only more secure, but can deliver innovation faster to the market. When financial firms maintain pace with and work to reduce their security debt with real-time scanning in a SaaS solution, they can create secure software faster and reduce their risk exposure at the same time. 

SaaS cloud security solutions can help accelerate the process of delivering secure code and can cut-down on unplanned work for developers, which means delivering software to end users faster. The organisations that are exceling at this are going to beat their competitors to market consistently by delivering new and secure products or services, and they will have the upper hand to mitigate against risks in real-time. Thus, the security of the applications they use will become a powerful differentiator for their customers.