Skip to main content
Application Security padlock icon
Last Updated Aug 22, 2022 —

How financial services firms reduce the risk of data breaches with application security

How to Build a Blueprint
for Secure Software

Join Daniel Shugrue, Lead Product Marketer at Digital.ai, and Cole Herzog, Engineering Manager at Digital.ai for a webinar where they’ll show how a “Protection Blueprint” secures applications

Watch now!
Application Security

As businesses accelerate their digital transformation–and as consumers demand digital, always-on access–the statistics continue to pile up: 

The financial services industry, which includes banking, insurance, and investment firms, is an obvious target of cyber criminals. Makes sense, that’s where the money resides. But as financial services expand their digital footprint, their exposure to threat actors grows immensely. This expansion has been driven by digital transformation, customer demand for convenience, and the COVID pandemic. More customers use mobile and web apps to access their accounts every day. And this has significantly increased the attack surface. 

Meanwhile, Agile has shortened development times and DevOps has shortened deployment times from weeks to days, or in some cases even down to hours. This enables financial institutions to speed up deployment of new/updated applications. Include the use of open-source code, and you add more complexity to the security of the apps. 

The result? From Contrast Security’s 2021 State of Application Security in Financial Services Report: 

  • 67% of surveyed firms have 20 or more serious vulnerabilities per application in development 

  • 48% have 10 or more serious vulnerabilities per application in production 

  • 98% have experienced at least three successful application exploits in the past year 

Developers are under the gun to deliver new features and functions in a continuous stream. Their focus is on these new items, not on security. Thus, security falls to the right, later in the development cycle. 

We asked our VP of Product, Mike Woodard, to comment on this scenario and here’s what he said:

"So, your team is building a new public-facing app. They've been running the scanning tools that someone in your organization selected to make sure you're not shipping a dumpster fire waiting to be lit (Painful, but necessary). The backend production environment is operational and network security tools are in place (More overhead and delay). You can provision users and your testing shows that everything is working as expected. Marketing has been doing its part and the world is waiting for you to open the floodgates. You are on the verge of the payoff you've been waiting for–or so you think. 

Because of the potential number of users and preliminary market interest, you've attracted the attention of some people in the shadows. For a fraction of what you've spent, they are also hoping to cash in on your efforts. They've been working hard lately, pouring over your most recent beta version and looking for weaknesses. And since your app works, they have an example of how the interaction with your backend servers is supposed to operate (They appreciate that, by the way). After disassembling code, analyzing control flow, and watching what happens when unusual inputs are supplied, they are looking forward to the launch date just as much as you are.

Apps in the wild are exposed to threat actors

The issue that will lead to your future problems is that you have no idea what they are doing. You don't realize that they are now very familiar with the workings of your app. And they can be patient as they refine their attack, because the minor failures they cause are lost in the noise of all the other users putting your app through its happy-path paces. So, they methodically tweak, tweak, tweak until their exploit emerges like a statue from the marble. With it, the loss of payment information, PII, and IP begins (Sorry to ruin your day–it's not personal). 

If you've not experienced the nightmare scenario yet, rewind the scenario and add some protection mechanisms. Add obfuscation to make analysis harder. Add anti-tamper mechanisms to automatically detect and react to non-standard environments and modifications. Add reporting and monitoring capabilities so that you can see what they're doing as they're doing it–and so that you can respond by shoring up weaknesses.

Putting the 'Sec' In 'DevSecOps'

We all wish such measures were not necessary, but Pandora's box is open, and we can't undo that. We also used to not need car alarms or two-factor authentication, but times have changed, and we all need to keep up or suffer the consequences. 

I like to tell myself and others, ‘Reality is your friend!’ What you hope the world is like is not going to help you make good decisions. So, take a realistic look at your world and decide if you can accept your current level of risk or not. If not, then do your own tweaking until you get to a situation with a better likely outcome.”

No financial services firm wants to find themselves in the headlines for the wrong reason, especially if it is avoidable. Learn how to protect your apps without impacting your release schedule. Here’s how: 

 

Visit our solution page to learn more. 

More from the Blog

View more
Jan 18, 2022

Be aware or beware: Easily insert security into your mobile apps

Application Security
COVID-19 has quickly pushed companies over the technological tipping p ...
Read More
May 31, 2022

How automated/continuous testing solutions help create more secure mobile apps

Continuous Testing
Mobile app security risks climb as remote work increases Security o ...
Read More
Feb 05, 2020

Financial Mobile App Vulnerability FAQs

Application Security
  Last year research by Aite Group examined mobile application secu ...
Read More
Apr 02, 2019

Vulnerability Epidemic in Financial Mobile Apps [Infographic]

Application Security
Arxan, now Digital.ai, commissioned research by Aite Group to examine ...
Read More
Contact Us