Debunking the seven myths of FSI application security


By: Taylor Armerding, Security Advocate, Synopsys Software Integrity Group

It’s obvious why cyber criminals are drawn to the financial services industry (FSI). It’s the Willie Sutton logic updated: he robbed banks because “that’s where the money is.” But today it’s not just banks. Financial services also include credit unions, investment and insurance companies, credit card companies, mortgage lenders, private equity firms, and venture capital organisations.

And while that’s obviously not the only place the money is in a modern economy, there’s a staggering amount of it in the FSI — an estimated US$22 trillion worldwide, which is more than three times the estimated US$6.55 trillion that the U.S. federal government spent last year. The FSI is also an almost unlimited attack surface. Just about everybody in modern life has a connection to it, and increasingly that connection is online. FSI organisations all have websites and mobile apps. You’ve seen the ads — it’s “banking reimagined.”

But all that money and all those attack points mean the need for online security is greater than ever. And unfortunately, how best to provide that security is not so obvious.

A new white paper from the Synopsys Software Integrity Group, “Application Security in the Financial Services Industry: Myths vs. Reality,” aims to shed some light on the issue by identifying, explaining, and debunking the most significant myths about application security in the FSI.

The paper is based on the findings of the 2020 “Building Security In Maturity Model” (BSIMM) report, which presents data on the software security initiatives of 130 firms, primarily in nine verticals. Of that number, 42 are financial firms and another 21 are FinTech, which are effectively independent software vendors specifically for financial services.

Seven myths of FSI application security

The white paper identifies seven myths about FSI application security that are both widespread and likely to put individuals and organisations at risk.

1. Financial services firms are secure because they must be

While that probably ought to be true, the perception that the FSI is secure because it handles so much sensitive data is wrong. The industry is heavily regulated and virtually all firms meet compliance requirements, but one of the ongoing mantras at security conferences is “compliance is not security.” In the case of the FSI, the high rate of compliance “has helped lull security leaders and customers into a false sense of security,” according to the paper.

The result is predictable. A recent independent study commissioned by Synopsys with the Ponemon Institute titled “The State of Software Security in the Financial Services Industry” found that 50% of FSI firms suffered data theft due to insecure software.

2. Financial software is different than other software (and therefore can’t change)

In this case, the misperception is that the development of financial software can’t evolve toward DevOps, as is happening in other industries.

But as the report puts it, “there are no special snowflakes.” Just because the purpose of financial software is unique doesn’t mean it’s written, managed, and tested any differently than software written for any other purpose.

“Outdated development models inhibit development velocity and hinder go-to-market speeds. Organisations that refuse to adapt to the modern software landscape will fall behind, if they haven’t already,” the “Application Security in the Financial Services Industry: Myths vs. Reality” white paper said.

3. Little financial services firms have different AppSec needs than big ones

Yes, small banks tend to buy software while the big ones more often build their own. But the security of software, bought or built, is the responsibility of the user, not the vendor. Even the big firms that build their own software use commercial or open source components.

And when it comes to the importance of security, size doesn’t matter. Attackers are opportunistic and target systems using automated tools. If you’re vulnerable, they don’t care what size you are.

Yet the persistence of this myth is evident in the statistics. The Ponemon Institute found that only 43% of financial services firms require third parties to adhere to strict cyber security requirements or verify the security practices of third parties.

4. You control everything that’s in your deployed software

These days, even if a company knows everything in its software stack, it still might not have a complete picture of everything going into production. Open source software is part of virtually every codebase, and the question of what is actually running extends across a broad range of AppSec activities and environments: Docker and Kubernetes, supply chains, cloud deployments, and shared responsibility models. Organisations need to understand them all.
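The first step toward the complete picture the paper asks for is an inventory of what a deployable artifact actually contains. The following script is an added example, not code from the white paper or from Synopsys: it reads a Python requirements file and a Dockerfile, lists the packages and base images they pull in, and flags anything whose version floats (an unpinned package, or an image tagged `latest`). The requirements file, Dockerfile, package names and image names are all constructed for illustration.

```python
"""Added example, not code from the white paper or from Synopsys: build a
minimal inventory of what a deployable artifact actually contains, from a
Python requirements file and a Dockerfile, and flag components whose version
floats. Every input below is constructed for illustration."""
import re

# Constructed sample inputs for a hypothetical service.
REQUIREMENTS_TXT = """\
# constructed requirements.txt
requests==2.31.0
pyyaml>=5.4
cryptography
flask==2.3.2  # web framework
"""

DOCKERFILE = """\
# constructed Dockerfile
FROM python:3.11-slim AS build
RUN pip install -r requirements.txt
FROM nginx:latest
COPY --from=build /app /app
"""

# Package name followed by an optional comparison operator and version.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#;]*)"
)


def parse_requirements(text):
    """Return one record per requirement: name, operator and version
    (operator and version are None when the line pins nothing)."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / -e
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        deps.append({"name": name.lower(), "op": op, "version": version or None})
    return deps


def parse_base_images(text):
    """Return every base image named by a FROM line. A tag of 'latest'
    (explicit or implied) is marked floating; note that any tag other than
    a digest is mutable, so only an @sha256 reference is truly pinned."""
    images = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "FROM" or parts[1] == "scratch":
            continue
        ref = parts[1]
        if "@" in ref:  # name@sha256:... is pinned by content digest
            name, _, digest = ref.partition("@")
            images.append({"image": name, "tag": digest, "floating": False})
            continue
        repo, _, last = ref.rpartition("/")  # registry:port/path may contain ':'
        img, _, tag = last.partition(":")
        name = f"{repo}/{img}" if repo else img
        tag = tag or "latest"  # Docker's implicit default when no tag is given
        images.append({"image": name, "tag": tag, "floating": tag == "latest"})
    return images


def inventory_report(req_text, dockerfile_text):
    """Combine both sources into one inventory plus the findings a reviewer
    would want: Python packages not pinned with '==' and base images whose
    tag floats."""
    deps = parse_requirements(req_text)
    images = parse_base_images(dockerfile_text)
    return {
        "components": [f"pypi:{d['name']}" for d in deps]
        + [f"docker:{i['image']}:{i['tag']}" for i in images],
        "unpinned": [d["name"] for d in deps if d["op"] != "=="],
        "floating_images": [i["image"] for i in images if i["floating"]],
    }


if __name__ == "__main__":
    report = inventory_report(REQUIREMENTS_TXT, DOCKERFILE)
    for component in report["components"]:
        print("component:", component)
    print("unpinned packages:", report["unpinned"])
    print("floating base images:", report["floating_images"])
```

Run as-is it reports four packages and two base images, with `pyyaml` and `cryptography` unpinned and `nginx` floating on `latest`. The point a practitioner should take from it is the gap it cannot close: the requirements file lists only direct dependencies, and a Dockerfile lists only the images you chose, so the transitive packages and the operating-system libraries inside those images remain invisible until a lockfile and an image scan are added to the same inventory.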

5. Cloud security is the job of cloud operators and owners

The cloud doesn’t do security for you. The 2019 Capital One breach, enabled by the company’s misplaced trust in Amazon Web Services, was a stark illustration of that. While cloud providers work hard to secure users’ deployments, security teams must still deploy secure containers into their cloud.

As BSIMM11 puts it, “cloud providers are 100% responsible for providing security software for organisations to use, but the organisations are 100% responsible for software security.”
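The shared responsibility line in that quote is easiest to see in an access policy: the provider supplies the policy engine and will accept any syntactically valid document, while the organisation is responsible for what the document grants. The script below is an added example, not code from the white paper or from BSIMM. It reviews a constructed AWS-style policy for the two self-inflicted mistakes that recur in cloud incidents, an Allow that covers every action on every resource and a statement that opens a resource to any principal with no condition, and includes a hardened version of the same document for contrast. The bucket name, statement ids and policies are all constructed.

```python
"""Added example, not code from the white paper or from BSIMM: the provider
supplies the policy engine, but the customer writes the policies. This
reviewer flags the two classic self-inflicted mistakes in a constructed
AWS-style policy document: Allow statements that grant every action on every
resource, and statements that open a resource to any principal without a
condition. A hardened version of the same document is included for contrast.
All policies here are constructed and refer to a hypothetical bucket."""
import json

# Constructed: the weak configuration, which the provider accepts because it
# is syntactically valid.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed: the corrected configuration, scoped to one action on one
# prefix, plus a Deny that only narrows access (requiring TLS).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppData", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/app-data/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard(values):
    return any(v == "*" for v in values)


def _principal_is_anyone(principal):
    """Principal may be the bare string "*" or a map such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_has_wildcard(_as_list(v)) for v in principal.values())
    return False


def review_policy(document):
    """Return (statement id, finding) pairs for every Allow statement that is
    broader than least privilege permits. Deny statements are skipped because
    they only ever remove access."""
    policy = json.loads(document)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _has_wildcard(actions) and _has_wildcard(resources):
            findings.append((sid, "allows every action on every resource"))
        elif _has_wildcard(actions):
            findings.append((sid, "allows every action on the listed resources"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "allows every action of a service"))
        if _principal_is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "grants access to any principal with no condition"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {review_policy(doc) or 'no findings'}")
```

The weak document produces two findings and the hardened one none. The checks are deliberately narrow: `NotAction` and `NotResource` grants, resource wildcards such as `arn:aws:s3:::*`, and the semantics of individual condition keys are outside what this script examines, so it is a starting point for a configuration review rather than a replacement for the provider's own policy analysers. The design choice worth noting is that `Deny` statements are skipped entirely: they are the one place where a wildcard principal is what you want.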

6. Penetration testing, gate testing, and final step security is sufficient

Penetration or pen testing is a critical component of application security but it’s not enough — not nearly enough. Synopsys has documented that 50% of defects found in software are architectural flaws, which pen testing can’t find.

Security has to be built in throughout the software development life cycle, which begins with architecture risk analysis or threat modeling to identify those flaws.

7. Developers can learn AppSec skills on their own with experience

That may be true for a select few, but not for most software developers. And depending on developers’ aptitude and how long the learning curve takes, an FSI organisation could be at serious risk while that learning is, or is not, taking place.

The reality is, if developers are going to become AppSec experts, they need training as well as experience. The Ponemon Institute study found that isn’t happening most of the time. Only 38% of FSI firms have employees with the cyber security skills required to secure their software. And 25% of employees have no security training at all, yet they’re still tasked with AppSec responsibilities.