Nov 3, 2024

The emergence of AI-powered attacks , combined with a complex, swiftly changing regulatory environment, creates a perfect storm of cybersecurity challenges for the global financial industry. A significant revelation from Veracode, a leading provider of application security solutions , underscores a pressing issue: the accumulation of security debt across the sector. This term, 'security debt', refers to long-standing security flaws in software applications that remain unaddressed for extended periods, potentially exposing organisations to significant risks. Security Debt Pervades Financial Sector The Veracode report, synthesising data from over a million applications spanning various industries, highlights a disturbing trend within the financial services sector. It finds that 76% of financial organisations carry security debt—flaws not fixed within a year. Alarmingly, 50% of these debts are critical, denoting high-severity flaws that substantially risk applications and necessitate urgent resolution. "The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly.” Chris Wysopal, Chief Security Evangelist at Veracode The financial sector, while slightly outperforming the cross-industry average—40% of applications have security debt as against 42% industry-wide—tends to accrue more security debt over time. This is especially concerning due to the sensitive nature of financial data and the severe implications a breach could have in this field. Chris Wysopal, Chief Security Evangelist at Veracode Chris Wysopal, Chief Security Evangelist at Veracode, highlights the severe implications: "As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate." "The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly." Addressing First-Party and Third-Party Code Vulnerabilities Veracode's findings stress the necessity for financial service entities to handle security flaws in both first-party and third-party code. While 84% of all security debt affects first-party code, a staggering majority of critical security debt arises from third-party dependencies. This emphasises the need for comprehensive security strategies that cover not just an organisation’s proprietary code but also the open-source and third-party components integrated into their applications. The disparity in remediation timelines between first-party and third-party flaws is noteworthy. Financial organisations typically amend half of the first-party flaws within nine months, in contrast to 13 months for third-party flaws. Additionally, 52% of third-party flaws translate into security debt, compared to 44% of first-party flaws. Distribution of all flaws based on severity rating and security debt status (image credit: Veracode) Efforts such as the Cybersecurity and Infrastructure Security Agency’s Open Source Software Security Roadmap and Secure by Design Pledge are vital. These initiatives aim to bolster the security of the open-source ecosystem, which is instrumental in modern software development across industries, including finance. Global Financial System at Risk Key facts from the report: 76.2% of Financial Services have security debt 69.6% of others have security debt 49.8% of financial services have critical security debt 45.0% of others have critical security debt The incessant accumulation of security debt within the financial sector poses severe consequences for the global economy. As financial institutions increasingly interconnect and depend on digital systems, a vulnerability in one system could cascade through the entire financial ecosystem. This interconnectedness stresses the necessity of prompt and comprehensive attention to security debt. Moreover, due to the critical role the financial sector plays globally, it becomes a prime target for cybercriminals and state-sponsored threats, where unresolved security debt offers potential entry points for attacks that could lead to significant data breaches, financial fraud, or disruptions in critical financial services. Veracode also underscores the imperative for financial institutions to prioritise their remediation efforts. By focusing on rectifying the most critical vulnerabilities first, organisations can substantially mitigate their risk exposure, even if they cannot immediately address all security debt. Chris Wysopal concludes with a stark reminder and call to action for the industry: "It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets." "I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and Application Security Posture Management tools which can detect, prioritise and fix vulnerabilities within seconds." ************** Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024 . **************