New study highlights software security challenges in financial services industry

Synopsys has released the report The State of Software Security in the Financial Services Industry. Based on a survey of global financial services organisations conducted by Ponemon Institute, the report highlights the industry’s security posture and its ability to address security-related issues.

The study found that more than half of the surveyed organisations have experienced theft of sensitive customer data or system failure and downtime because of insecure software or technology.

The study also found that many organisations are struggling to manage cybersecurity risk in their supply chain and are failing to assess their software for security vulnerabilities before release.

“While the financial services industry is relatively mature in terms of its software security posture, organisations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries,” said Drew Kilbourne, Managing Director of security consulting for the Synopsys Software Integrity Group. “There is no single right approach to software security but this study clearly shows that there is a significant need for improvement in supply chain risk management. There is also an opportunity for many organisations to expand the scope of their software security programs to cover all their business-critical applications and shift their efforts further left in the software development life cycle [SDLC].”

Synopsys commissioned Ponemon Institute, a leading IT security research organisation, to examine current software security practices and risks in the financial services industry (FSI). Ponemon surveyed over 400 IT security practitioners in various sectors of the financial services industry including banking, insurance, mortgage lending/processing and brokerage firms. The respondents’ roles included development, installation and implementation of applications for the financial services industry.

Key findings from the study include:

The majority of FSI organisations are ineffective at preventing cyberattacks. More than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. Unsurprisingly, the study shows that more organisations are effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).

Many FSI organisations are struggling to manage cybersecurity risk in their supply chain. Nearly three-quarters (74%) of respondents were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organisations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.

FSI organisations are failing to assess their software for security vulnerabilities before release. While most organisations follow a secure software development life cycle (SDLC) process, respondents reported that their organisations test, on average, only 34% of all financial software and technology developed or in use by their organisation for cybersecurity vulnerabilities. For the software and technology that is tested for vulnerabilities, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.

Download a free copy of the report: The State of Software Security in the Financial Services Industry.

www.intelligentciso.com | Issue 17