Effectively finding and fixing flaws in application software

The formative events of this year have altered business operations and accelerated digital transformation for nearly every industry. Financial services is no exception. As the industry pushes toward faster innovation and moving more processes to the cloud, software security is gaining renewed importance.

According to the findings from Veracode’s State of Software Security 11 (SoSS 11) research, financial services organizations outperform many other industries when it comes to software security. The research found the financial services industry has the smallest proportion of applications with flaws and the second-lowest prevalence of severe flaws, trailing only manufacturing.

The research also reveals that nearly three-quarters of financial services applications contain at least one security flaw, and it takes them more than six months to fix just half of them.


These findings may seem somewhat contradictory, but this dichotomy is understandable if you consider the relationship between the application development environment and developer practices. Think of this as “nature” versus “nurture.”

The nature side is the set of circumstances surrounding the application. Many applications in financial organizations are large, generally with older codebases than those in other sectors. This combination often results in significant technical debt and slower fixes.

On the other side, developer behaviors can nurture an app to better security. These are the actions developers can control within the development environment, such as scanning frequency and cadence, and automating scan activity. The more consistently these practices are performed, the more likely that flaws will be found and quickly remediated.

Security debt – the accumulation of unaddressed software flaws – straddles both nature and nurture. A development team may inherit some debt that comes with older applications (nature), but then choose whether to accumulate it or pay it down (nurture). Developers in financial services are doing better than other industries in not accumulating debt, but slow remediation time means they are not paying it down.

Financial services: fair or flawed?

Overall, developers in the financial services industry appear to better manage issues related to cryptography, input validation, cross-site scripting and credentials management – all things related to protecting users of financial applications.

Within the financial services industry, our analysis found the prevalence of common flaw types trends lower for all categories compared to the overall numbers. Cryptographic issues – such as weak password mechanisms and using risky or broken cryptographic algorithms – are among the top three most commonly found flaws across all applications, but these drop to fourth among financial applications.

Financial services development teams also outperform the majority of industries in uncovering flaws within open-source components. In prior research, Veracode found seven in every 10 applications have flaws in their open-source libraries.

Generally, flaws aren’t fixed in the order they are found. Developers tend to prioritize flaws found most recently or that are creating immediate problems. Sometimes, the team may not allocate capacity to fix older flaws, particularly if there is greater emphasis on developing new features rather than reducing risk.

These decisions are often dictated by a team’s development approach. For instance, DevSecOps necessitates frequent and regular scanning and immediate flaw remediation, while timing fixes around major releases is more common in a waterfall approach. There are pros and cons to both, but when it comes to application security, DevSecOps offers significant benefits.

Looking at the financial services industry, DevSecOps practices are happening, but they’re scattered and inconsistent. SoSS 11 found financial services firms are middle-of-the-road for scanning frequency and integrating security testing, but very consistent about the cadence of scanning activities. They come in last for using dynamic analysis scanning technologies to uncover vulnerabilities, but excel at using software composition analysis compared to other industry sectors.

Scan frequency and cadence are two things the developer directly controls, and such behaviors can have an enormous impact on application security. Veracode’s research found applications that are scanned infrequently (less than 12 times a year) took about seven months to close half of their open findings, while applications that scanned at least daily on average reduced that time to about two months.
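An added example, not from the article or from Veracode’s tooling, that computes the “time to close half of open findings” metric the research uses, plus a crude open-debt figure, from a constructed findings list for two hypothetical applications (one scanned daily, one scanned a few times a year):

```python
from datetime import date

# Constructed sample data (not from the article): per app, a list of
# (date_found, date_closed_or_None) pairs accumulated across repeated scans.
FINDINGS = {
    "daily-scanned-app": [
        (date(2024, 1, 5), date(2024, 1, 20)),
        (date(2024, 1, 5), date(2024, 2, 10)),
        (date(2024, 1, 8), date(2024, 3, 15)),
        (date(2024, 1, 10), None),
        (date(2024, 2, 1), date(2024, 2, 12)),
        (date(2024, 2, 3), None),
    ],
    "quarterly-scanned-app": [
        (date(2023, 6, 1), date(2023, 12, 20)),
        (date(2023, 6, 1), None),
        (date(2023, 6, 1), date(2024, 1, 25)),
        (date(2023, 9, 15), None),
        (date(2023, 9, 15), date(2024, 3, 1)),
        (date(2023, 12, 1), None),
    ],
}


def days_to_close_half(findings):
    """Days after discovery by which at least half of all findings were closed.
    Still-open findings count toward the total, so the result is None while
    fewer than half of them have been closed at all."""
    ages = sorted((closed - found).days for found, closed in findings if closed)
    needed = (len(findings) + 1) // 2  # ceil(n / 2)
    if len(ages) < needed:
        return None
    return ages[needed - 1]


def security_debt(findings, as_of):
    """Number of open findings and their combined age in days as of a date:
    a simple view of the accumulated debt the article describes."""
    open_ages = [(as_of - found).days for found, closed in findings if closed is None]
    return {"open": len(open_ages), "open_days": sum(open_ages)}


def report(as_of):
    return {name: {"half_life_days": days_to_close_half(f), **security_debt(f, as_of)}
            for name, f in FINDINGS.items()}


if __name__ == "__main__":
    for name, stats in report(date(2024, 4, 1)).items():
        print(name, stats)
```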

No application is perfect. The trick to application security is in how effectively flaws are discovered and fixed. The financial services industry demonstrates a smart and modern approach to application security that serves its end users well. With just a few changes to existing behaviors, developers can further reduce flaws and remediation times, pay down security debt, and improve overall application security.

Chris Eng is chief research officer at Veracode.