#HowTo Better Prevent Banking App Breaches

How can you protect your business, your customer data, and stay informed about your current security posture all at the same time in this age of data breaches? According to a Ponemon Institute study, companies have a 28 percent chance of having a data breach incident in the next two years.

Attacks are prevalent and if you rely on network or device security to protect your apps, you should reconsider your strategy. Web and mobile apps are the most frequently attacked and compromised vectors in a company’s security posture, and that includes for financial institutions.

Traditional IT security measures such as firewalls and web application firewalls (WAFs) won’t protect your apps from reverse engineering or tampering. Luckily, you don’t need a Fortune 500 budget or large security staff to tackle this problem. 

Understanding the Structural Problems Underlying Banking App Vulnerability
Many, if not all, of the most serious vulnerabilities affecting banking apps have to do with the architecture of the apps in a bank ecosystem and the distributed nature of their various elements. An app is an autonomous piece of software. Most of the time it connects to the bank’s back end systems through standards-based Application Programming Interfaces (APIs).
 
The open, universal connectivity inherent in these APIs is great for developers, but it creates security problems that traditional IT security measures such as firewalls, endpoint security tools and WAFs can’t solve.

For example, mobile banking apps and APIs create encrypted, machine-to-machine interactions on the network. Rogue APIs, known as shadow APIs, are commonly set up and won’t show up as a compromised endpoint. As a result, an attacker can mask themselves and appear to be an approved user, and network filters won’t catch them.

Who Owns the App Risk? 
A further complicating factor in securing banking apps stems from their divided ownership. With traditional banking software, there are usually two owners, both of whom work for the bank, and an external owner.

Outside of banking, traditionally a Line of Business (LOB) manager is responsible for defining the software’s requirements. A development team builds it and an IT ops team deploys it. In contrast, most mobile banking apps have a LOB owner, an IT department owner and at least one external entity that develops the app and manages its APIs. 

This split inside-outside ownership is problematic for a range of reasons. At a basic level, any time three owners in two or more entities share responsibility for security, there’s a strong possibility that something will get overlooked. Then, if there is an incident or a vulnerability discovered, there can be disagreements over who is supposed to fix the problem or the prioritization of the fix.

Preventing Banking App Breaches
Banks need to go beyond relying on network and device security to protect their APIs, apps and customers’ private data. Most banks are under pressure to adopt more robust security countermeasures for their apps at requisite speed, without the benefit of huge IT or SecOps teams.

However, new, automated security tools for apps and APIs make it possible to balance these competing requirements. Recommended practices to realize the biggest benefits and highest levels of security with these tools include:

  1. Protect apps with continuous scanning, vulnerability analysis and automated remediation, to prevent such hazards as data privacy issues within mobile (iOS and Android) applications. Automation can make up for a lack of staff with specialized skills. Continuous scanning enables SecOps teams to narrow the gap between the discovery of a security issue and its remediation.
  2. Participate in the app building and deployment process. This helps prevent issues before they happen. Regardless of who owns the app, all stakeholders should be involved in the app lifecycle. Security flaws can appear at transition points, such as the release of a new version of the banking app. In these moments, users can accidentally leave APIs exposed to malicious access and other threats. 
  3. Get visibility into all relevant APIs and set alerts to discover shadow APIs. APIs need constant watching, e.g. finding authentication and encryption vulnerabilities in APIs based on their definitions and API specifications. Malicious actors can set up shadow APIs that steal user data by mimicking the bank’s real APIs.
  4. Go beyond annual or bi-annual audits and have access to security and compliance audit reporting on a continuous basis. 
  5. Secure the open source and commercial Software Development Kits (SDKs) which the app vendor uses to build the app. This may involve the use of specialized toolkits that enable developers to apply secure design principles to open source code. 
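The API visibility practice in point 3 can be made concrete by reconciling what the gateway actually serves with what the API specification documents. The following is an added example, not code from the article or from any vendor it describes: it takes a constructed OpenAPI-style inventory and constructed gateway access-log lines (the `example-bank.test` hosts, paths and addresses are all made up), reports successfully served endpoints that appear in no specification (shadow API candidates), and runs two static checks on the specification itself: servers that are not HTTPS and operations that require no authentication.

```python
"""Reconcile observed API traffic with an OpenAPI-style inventory.

Added illustration: the spec and log lines below are constructed for this
example and do not come from any real bank or from the article.
"""
import re
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OpenAPI-style inventory (hypothetical bank API).
API_SPEC = {
    "servers": [
        {"url": "https://api.example-bank.test/v1"},
        {"url": "http://legacy.example-bank.test/v1"},  # plaintext server: finding
    ],
    "security": [{"oauth2": []}],  # global default: every operation needs OAuth2
    "paths": {
        "/accounts/{accountId}": {"get": {"summary": "Account details"}},
        "/accounts/{accountId}/transactions": {"get": {"summary": "History"}},
        # security: [] overrides the global default, i.e. unauthenticated: finding
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
    },
}

# Constructed gateway access-log lines: "<client-ip> <METHOD> <path> <status>".
ACCESS_LOG = """\
10.0.0.5 GET /v1/accounts/4711 200
10.0.0.9 GET /v1/accounts/4711/transactions 200
10.0.0.9 GET /v1/health 200
10.0.0.7 POST /v1/internal/export 200
10.0.0.7 GET /v1/accounts/4711/cards 404
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def spec_base_paths(spec):
    """Base paths (e.g. '/v1') of every server URL declared in the spec."""
    return {urlsplit(s["url"]).path.rstrip("/") for s in spec.get("servers", [])}


def template_to_regex(template):
    """Compile an OpenAPI path template such as /accounts/{accountId} to a regex."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")  # any single path segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def documented_operations(spec):
    """(compiled regex, METHOD, template) for every documented operation."""
    ops = []
    for template, item in spec.get("paths", {}).items():
        rx = template_to_regex(template)
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.append((rx, method.upper(), template))
    return ops


def find_shadow_endpoints(spec, log_text):
    """Sorted (METHOD, path) pairs served successfully but absent from the spec.

    Only 2xx responses count: a 404 on an unknown path is probing noise, while
    a 200 on an unknown path is an endpoint that is really being served.
    """
    bases = spec_base_paths(spec)
    ops = documented_operations(spec)
    shadow = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        raw_path = m["path"].split("?", 1)[0]
        path = raw_path
        # Strip the server base path so /v1/accounts/1 matches /accounts/{accountId}.
        for base in bases:
            if base and path.startswith(base + "/"):
                path = path[len(base):]
                break
        if not any(rx.match(path) and meth == m["method"] for rx, meth, _ in ops):
            shadow.add((m["method"], raw_path))
    return sorted(shadow)


def spec_findings(spec):
    """Static checks on the spec: non-HTTPS servers and unauthenticated operations."""
    findings = []
    for server in spec.get("servers", []):
        if urlsplit(server["url"]).scheme != "https":
            findings.append(f"server {server['url']} is not HTTPS")
    global_sec = spec.get("security", [])
    for template, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            if not op.get("security", global_sec):  # empty list disables auth
                findings.append(f"{method.upper()} {template} requires no authentication")
    return findings


if __name__ == "__main__":
    for method, path in find_shadow_endpoints(API_SPEC, ACCESS_LOG):
        print(f"shadow API candidate: {method} {path}")
    for finding in spec_findings(API_SPEC):
        print(f"spec finding: {finding}")
```

Run against the constructed data, the reconciliation flags `POST /v1/internal/export` as a served but undocumented endpoint, ignores the 404 on `/v1/accounts/4711/cards`, and the spec checks report the plaintext legacy server and the unauthenticated health endpoint. In a real deployment the log source would be the API gateway's access log and the inventory every published specification, and the shadow-endpoint list is what feeds the alerting the article recommends.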

It is critically important to improve the security of banking apps. Getting there involves solving the apps’ structural weaknesses by securing the app development process and the connecting APIs. This means bringing people from different organizations into a cooperative mode of working, and deploying the latest security tools for continuous monitoring and rapid remediation.

A common frustration for teams is that many security tools are limited in function and only allow security or IT or engineering to have insights into vulnerability management (VM). New, automated app and API security tools are growing beyond VM to address important discovery and data protection requirements.