Financial services at higher risk of software security breaches, CAST report finds

Key findings from a recent CAST report on the state of software security show that as financial services focus on delivering functionality, legacy systems are being left vulnerable to major security risks

Last week CAST, the Paris-based software intelligence vendor, published its global benchmarking report on the state of software security, which finds that the existing software of financial services firms is more vulnerable to security breaches than that of other sectors.

The CRASH Report on Application Security measures software vulnerability by CWE density: the number of weaknesses in an application's code that map to entries in the Common Weakness Enumeration (CWE), relative to the size of the application. CWE is a community-developed list of common software security weakness types that serves as a baseline for identification, mitigation and prevention efforts.

In the report, financial services had one of the highest average CWE densities, while the energy and utilities sectors had the lowest.

Dr Bill Curtis, SVP and Chief Scientist at CAST, said: “We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk. Financial services have many older systems, and in many cases they have not spent the effort to upgrade them to modern security standards.”

Although financial services firms are under pressure to deliver more functionality in their digital services, Curtis says resources should be dedicated to fixing defects in legacy systems in order to stop newsworthy breaches from occurring. “Left unchecked, these high densities of security weaknesses present more opportunities for malicious actors to find vulnerabilities to exploit for unauthorised entry into systems – in the parlance of the cybersecurity community, the application offers a larger attack surface. Consequences are the compromise of confidential customer information, malicious damage to systems, or worse, theft from accounts.”

Other key findings from the report include that CWE density is not related to application size; that neither sourcing (in-house versus outsourced development) nor shoring (onshore versus offshore development) affects CWE densities across application portfolios; and that Java applications released more than six times per year have the highest CWE densities.

“Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business,” concludes Curtis.
