Study reveals severe security flaws in finance software

Research by Veracode reveals a high prevalence of long-standing high-severity software security flaws within the banking and financial sector.

The findings show that 76% of financial applications possess unresolved security flaws that have persisted for more than a year, with exactly half of these cases involving high-severity defects. This phenomenon, referred to as "security debt", highlights a critical issue in the sector's software security management.

Chris Wysopal, Chief Security Evangelist at Veracode, expressed concerns regarding the implications of this security debt, stating, "The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly."

"As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate. Our latest State of Software research highlights the critical need for financial institutions to address both first-party and third-party code vulnerabilities now. Organisations that leave flaws unremedied for longer than a year are exposed to prolonged and dangerous threats," Wysopal said.

Further details underpinning this study reveal that only 5.5% of financial sector applications are free of security flaws, compared to 5.9% in other industries. Despite fewer instances of security debt compared to the cross-industry average of 42%, applications in the financial sector accumulate more critical security debt.

The report emphasises the need for financial institutions to manage vulnerabilities in both first-party and third-party codes. It is noted that 84% of all security debt affects first-party code, whereas a significant portion (78.6%) of the most critical security debt originates from third-party dependencies. This supports initiatives like the Cybersecurity and Infrastructure Security Agency's Open Source Software Security Roadmap and its Secure by Design Pledge.

Additionally, the research underscores varied remediation timelines within the financial sector. First-party flaws reportedly see half resolved within nine months, while third-party flaws take approximately 13 months for similar resolution rates. Concerningly, 52% of third-party and 44% of first-party flaws transition into security debt.

Wysopal concluded by advising financial institutions to tackle security debt promptly through advanced technological means, "It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets. I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and ASPM tools which can detect, prioritise and fix vulnerabilities within seconds."

Veracode is a global specialist in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organisations worldwide to build and maintain secure software from code creation to cloud deployment.