Veracode, a leading global provider of intelligent software security, has released new research that unveils the key factors influencing flaw introduction and accumulation in the Financial Services sector. The security performance of financial applications generally outperforms other industries, with automation, targeted security training and scanning via Application Programming Interface (API) contributing to a year-over-year reduction in the percentage of applications containing flaws.
Against a backdrop of major regulations impacting the financial services sector, including the US Securities and Exchange Commission cybersecurity disclosure rules and the EU Digital Operational Resilience Act (DORA), Veracode’s study provides recommendations to reduce risk from software vulnerabilities. While nearly 72% of applications in the Financial Services sector contain security flaws, this is the lowest of all industries analysed and an improvement since last year.
“Financial Services made a strong showing across the board in this year’s analysis,” said Chris Eng, Chief Research Officer at Veracode. “Increasing competition and customer expectations, combined with tighter regulations across the industry, have put greater pressure on developers and security teams to find and fix flaws at scale. Moreover, the explosion of AI and Machine Learning has pushed the pace of software development to a new level, leading to the hyperproliferation of flaws. The sector has done well to better its performance, but there is more to be done and financial organisations would benefit from increased automation and secure coding techniques to help them prevent, detect and respond to vulnerabilities faster than ever.”
API scanning and training lowers likelihood and introduction of flaws
Veracode’s research found Financial Services organisations see stronger effects from the positive elements of scanning via API and security training, compared with the cross-industry average. Scanning via API is a measure of maturity in a software security program and enterprises that integrate API usage likely have greater automation and control over the development pipeline. In fact, those that leverage scanning via API perform 11% better than the baseline probability of non-Financials when it comes to flaw introduction per month. Adding interactive security training into the mix reduces this further, with the two factors combined lowering the chance of flaw introduction by 19% per month.
The impact of scanning via API and security training on the number of flaws when they are introduced is even more pronounced. When Financial Services teams completed 10 interactive security training modules, they introduced 26% fewer flaws, putting the sector’s performance well above the all-industry average. Similarly launching scans via API had a stronger influence on the number of flaws introduced in Financial Services applications than in other industries.
The power of AI and ML
The State of Software Security report also analysed language preference by vertical and found, at 51%, Java is almost a de facto standard within the Financial Services sector. Veracode Fix, an AI-powered remediation tool launched earlier this year, leverages Machine Learning to generate fixes for 74% of Java static findings. Such a dramatic reduction in time and effort empowers organisations to improve security posture and lower risk even further, freeing up capacity for innovation and creation.
Click below to share this article