98% of financial services respondents admit they have experienced at least three successful application exploits in the last 12 months that caused an operational disruption and/or a data breach, leading to an increase in application security budgets.
With most attacks on financial services institutions executed at the application layer at a time when customers demand more digital services and customer-facing applications are developed in-house, application security is mission-critical, according to Contrast Security’s 2021 State of Application Security in Financial Services Report. The report is based on a comprehensive survey of development, operations, and security professionals and executives at enterprise-level financial services institutions. The report explores the state of application security at these organizations, and the findings indicate that the security of these applications, which have access to and control over consumers' finances, is not a priority or major concern for most of them.
Methodologies like Agile and DevOps — and a growing use of open-source code and application programming interfaces (APIs) — have accelerated the development process, enabling financial institutions to speed up digital transformation initiatives that had been planned for months or years in the future. However, the financial services industry, including banking, insurance, and investment firms, has long been a target of cyber criminals, and this has only accelerated due to the COVID-19 pandemic.
When multiple serious vulnerabilities are present in an application, cyber criminals have many opportunities to mount a successful attack. Almost all respondents (98%) admit that they have experienced at least three successful application exploits in the past year that have caused an operational disruption and/or a data breach. Astoundingly, more than half of organizations (52%) saw 10 or more successful attacks over 12 months. As a result, 99% of respondents in organizations with more than 15,000 employees peg the cost of each attack at USD 1 million or above.
The high rate of false positives combined with the lack of actionable information in scan reports creates a major time sink for both development and security teams. More than eight in 10 respondents (81%) say that their application security teams spend three or more hours per false positive to identify it as such. So, when a legitimate vulnerability is identified, 72% of respondents said their organization's application security team spends six or more hours to triage, diagnose, and prioritize remediation for the development team. The baton then is passed to developers, who spend 10 or more hours per vulnerability to perform remediation and verification, according to 69% of respondents. With a scan report potentially containing hundreds of alerts, with a majority being false positives, these staff hours add up quickly for both the development and the security teams.
Given application security is an increasing concern for enterprises, 75% of respondents report that their application security budget is increasing in 2021, and 24% say that increase is more than 15%. Despite this emphasis on application security, only 40% of organizations place direct responsibility for application security under the CISO. So, while budgets are increasing at many organizations, some may not have a solid strategy in place to use those funds wisely. A crucial starting point will be to ensure security keeps up with the pace of development.
"It is clear that application security strategies have not matured at most of the financial services organizations represented in this survey," said Jeff Williams, CTO and co-founder at Contrast Security. "The good news for institutions looking to build out their strategy is that implementing a modern application security platform can dramatically accelerate their program and produce real improvement quickly. Instrumentation-powered application security can provide continuous security testing at massive scale, providing highly accurate feedback to developers in real time, empowering them to find and fix their own vulnerabilities without direct help from application security specialists."