The financial industry has fewer software vulnerabilities than other prominent sectors, but lags substantially behind them in fixing the flaws it does have, a new study by application security provider Veracode found.
Financial Industry Lags in Security Measures
Veracode’s 12th annual State of Software Security analyzed 20 million scans across nearly 600,000 applications in the financial, technology, manufacturing, retail, healthcare and government sectors. The results suggest that the financial industry did not sufficiently prioritize identifying and fixing the highest-risk flaws. About 18% of applications in use in financial institutions contain a serious vulnerability, placing the sector in the middle of the industries studied.
Overall, some two years after discovery, 30% of open-source vulnerabilities found through software composition analysis (SCA) remain unresolved.
Across the six industries, the financial sector has the second-lowest proportion of applications containing security flaws at 73%, bettered only by manufacturing. By comparison, in last year’s report the financial industry had the lowest flaw rate of all sectors. However, despite having fewer flaws overall, the financial services sector comes in joint last with technology and government for the lowest proportion of flaws that are fixed, Veracode said.
Room for Improvement
Chris Eng, Veracode chief research officer, explained that the key factor is training development teams to identify and remediate flaws:
“We found that while financial services applications have fewer security flaws than last year, the sector lags behind other industries when it comes to fix rate. Our research showed that security training can significantly improve remediation speeds, and that companies whose development teams had completed hands-on training using real-life applications fixed flaws 35% faster than those without such training.”
When it comes to addressing open-source vulnerabilities, the finance sector remediates at the same pace as other industries for the first year but then quickens its pace to gain a month on the cross-industry average, according to Veracode.
The finance sector outperforms most other industries in fix times for flaws discovered by dynamic analysis, SCA, and static analysis, the study found. But there is still ample room for improvement in the number of days it takes to resolve 50% of flaws: 116 days for flaws found by dynamic analysis, 385 days for SCA, and 288 days for static analysis.
Scanning early and often using a combination of testing types reduces unplanned emergency remediation work and mitigates the risk of introducing third-party security flaws into software, Veracode advises.