While the majority of financial institutions, 75%, view application security as a high or critical priority, only half require third-party security vendors to have a formal policy or program in place.
That’s according to Security Compass, which in a recent survey of CISOs also found that 74% of potential vulnerabilities are either undetected or unfixed. Only 8% said they track the amount of money spent on vulnerability remediation.
Agile development, a move toward third-party and cloud-based software, and increased global regulatory scrutiny are putting new pressures on security teams within financial institutions. Overwhelmed by the enormity of securing entire software portfolios while meeting regulatory compliance and keeping customer satisfaction high, many organizations struggle to initiate, structure and scale application security programs.
The survey also uncovered that nearly 70% of application security teams are composed of a central group of application security experts, with champions in individual teams or business units. And almost all respondents have secure coding standards and guidelines, but most could not validate how widely the standards were being followed. Still, the apparatus is there to improve cyber-posture.
That said, dynamic analysis (DAST) and static analysis (SAST) tools place fourth and sixth on the list of the most broadly performed security activities out of 16 security activities surveyed. These same tools leave nearly half (46%) of application-level risks undetected.
Also, more than half of respondents procure at least 50% of their software from third-party vendors, with 17% primarily relying on outside software. Only 8% provide detailed application security requirements as part of third-party software vendor contracts.
"We want financial institutions, and companies in all industries, to leverage this report to enhance their business cases, create sound application security programs, and push their agendas forward," said Rohit Sethi, COO at Security Compass. "As the results of this survey indicate, simply selecting best practices from a secure software development lifecycle (SDLC) framework may not result in an ability to execute. Organizations should select security activities that meet their risk reduction and scalability goals and identify a trusted partner to help deploy an effective and budget-friendly AppSec program, complete with training, expert consulting and automation."