BURLINGTON, Mass.—There is some good news mixed with some bad news in a new analysis of the financial services industry and data security.
First, the good news. According to a report from Veracode, the financial services industry has the smallest proportion of applications with security flaws of any sector, the second-lowest prevalence of severe flaws, and the best flaw fix rate.
Second, a bit of bad news. Veracode found that, despite that impressive fix rate, the financial services industry lags other sectors in how long it takes to apply those fixes.
“This is a troubling finding because speed matters in application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, sometimes even hours. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to the Equifax breach,” Veracode said.
Veracode added that in the financial services sector, applications tend to be older than those in other industry sectors, and the organizations that run them tend to be large.
“Combined with these challenging factors, developers and security professionals in this industry aren’t regularly employing best practices consistent with DevSecOps and known ways to improve fix rates, such as scanning for security both frequently and regularly and using more than one testing type,” Veracode said.
