
Global banks fail to keep up with application security

15 Jul 2019

Many of the world’s largest banks are the cybersecurity equivalent of Swiss cheese, with many that would fail GDPR compliance tests – an oversight that puts banks and their customers at risk.

A recent ImmuniWeb study on 100 banks across the world – including 36 in Asia and five in Australia – found that the organisations show an alarming lack of security across their banking applications.

In one case, the study found that one bank had an unpatched vulnerability that has existed since at least 2011 – suggesting that banks need to do more to ensure their systems are safe.

The study analysed three different aspects of bank security: compliance, security vulnerabilities, and website security.

Compliance: 

•    85 e-banking web applications failed a GDPR compliance test
•    49 e-banking web applications failed a PCI DSS compliance test 
•    25 e-banking web applications are not protected by a web application firewall. 

Security vulnerabilities: 

•    Seven e-banking web applications contain known and exploitable vulnerabilities 
•    The oldest unpatched vulnerability has been known and publicly disclosed since 2011
•    92% of mobile banking applications contain at least one medium-risk security vulnerability 
•    100% of all banks have security vulnerabilities or issues related to forgotten subdomains

Website security:

Only three main websites out of 100 had the highest grade, "A+", for both SSL encryption and website security: Credit Suisse (Switzerland), Danske Bank (Denmark), and Handelsbanken (Sweden).

“Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” comments ImmuniWeb CEO and founder Ilia Kolochenko.

“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently underprioritised by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruit for cybercriminals.”

ImmuniWeb says that banks should:

1. Consider implementing Gartner’s CARTA strategy to enhance cybersecurity strategy.

2. Maintain a holistic and up-to-date inventory of assets located in the external attack surface, identify all software and its components used, and run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of external attack surfaces, test new code before and after deployment to production, and start implementing a DevSecOps approach to application security.

4. Consider leveraging machine learning and AI capacities to handle time-consuming and routine processes, freeing up security personnel for more important tasks.
