The financial services industry, which includes banking, insurance, and investment firms, is an obvious target of cyber criminals. Makes sense, that’s where the money resides. But as financial services expand their digital footprint, their exposure to threat actors grows immensely. This expansion has been driven by digital transformation, customer demand for convenience, and the COVID pandemic. More customers use mobile and web apps to access their accounts every day. And this has significantly increased the attack surface.
Meanwhile, Agile has shortened development times and DevOps has shortened deployment times from weeks to days, or in some cases even down to hours. This enables financial institutions to speed up deployment of new/updated applications. Include the use of open-source code, and you add more complexity to the security of the apps.
67% of surveyed firms have 20 or more serious vulnerabilities per application in development
48% have 10 or more serious vulnerabilities per application in production
98% have experienced at least three successful application exploits in the past year
Developers are under the gun to deliver new features and functions in a continuous stream. Their focus is on these new items, not on security. Thus, security falls to the right, later in the development cycle.
We asked our VP of Product, Mike Woodard, to comment on this scenario and here’s what he said:
“So, your team is building a new public-facing app. They’ve been running the scanning tools that someone in your organization selected to make sure you’re not shipping a dumpster fire waiting to be lit (Painful, but necessary). The backend production environment is operational and network security tools are in place (More overhead and delay). You can provision users and your testing shows that everything is working as expected. Marketing has been doing its part and the world is waiting for you to open the floodgates. You are on the verge of the payoff you’ve been waiting for–or so you think.
Because of the potential number of users and preliminary market interest, you’ve attracted the attention of some people in the shadows. For a fraction of what you’ve spent, they are also hoping to cash in on your efforts. They’ve been working hard lately, pouring over your most recent beta version and looking for weaknesses. And since your app works, they have an example of how the interaction with your backend servers is supposed to operate (They appreciate that, by the way). After disassembling code, analyzing control flow, and watching what happens when unusual inputs are supplied, they are looking forward to the launch date just as much as you are.
The issue that will lead to your future problems is that you have no idea what they are doing. You don’t realize that they are now very familiar with the workings of your app. And they can be patient as they refine their attack, because the minor failures they cause are lost in the noise of all the other users putting your app through its happy-path paces. So, they methodically tweak, tweak, tweak until their exploit emerges like a statue from the marble. With it, the loss of payment information, PII, and IP begins (Sorry to ruin your day–it’s not personal).
If you’ve not experienced the nightmare scenario yet, rewind the scenario and add some protection mechanisms. Add obfuscation to make analysis harder. Add anti-tamper mechanisms to automatically detect and react to non-standard environments and modifications. Add reporting and monitoring capabilities so that you can see what they’re doing as they’re doing it–and so that you can respond by shoring up weaknesses.
We all wish such measures were not necessary, but Pandora’s box is open, and we can’t undo that. We also used to not need car alarms or two-factor authentication, but times have changed, and we all need to keep up or suffer the consequences.
I like to tell myself and others, ‘Reality is your friend!’ What you hope the world is like is not going to help you make good decisions. So, take a realistic look at your world and decide if you can accept your current level of risk or not. If not, then do your own tweaking until you get to a situation with a better likely outcome.”
No financial services firm wants to find themselves in the headlines for the wrong reason, especially if it is avoidable. Learn how to protect your apps without impacting your release schedule. Here’s how: