How fast is the financial industry fixing its software security vulnerabilities?


Veracode released data revealing that the financial services industry ranks among the best for overall percentage of defects compared to other industries, but has one of the lowest fix rates for software security vulnerabilities. The industry is also in the middle of the pack for high-severity flaws, with 18% of applications containing a serious vulnerability, suggesting that financial firms should prioritize identifying and fixing the most important flaws. .

The findings were featured in the company’s annual State of Software Security Report v12, which analyzed 20 million scans of half a million applications across finance, technology, manufacturing, retail, healthcare and government. Among the six industries, the financial sector has the second-lowest proportion of applications containing security vulnerabilities, at 73%.

In last year’s report, industry had the lowest number of software security vulnerabilities of any industry, but was overtaken by manufacturing in this year’s study. Although it has fewer defaults overall, the financial services sector comes in last with technology and government for the lowest proportion of defects fixed.

“One of the benefits of serving the software development community for so many years is that Veracode can see changes in development practices across industries over time. We have found that even though financial services applications have fewer security breaches than last year, the industry lags other industries in remediation rate Our research has shown that security training can significantly improve remediation speeds, and that companies whose development teams had undergone hands-on training using real-world applications fixed flaws 35% faster than those without such training,” said Chris Eng, director of research at Veracode. .

Securing the Global Software Supply Chain

While there is undoubtedly still room for improvement in terms of vulnerability prevalence and patch rates, when financial services organizations patch vulnerabilities, they do so at a faster rate than most.

Eng said, “The US Executive Order on Cybersecurity, as well as mandates on security controls regarding the use of open source, such as GDPR and New York Department of Financial Services cybersecurity regulations , highlighted the importance of securing the software supply chain. Being a highly regulated industry may partly explain the financial industry’s relative speed in dealing with vulnerable libraries discovered through software composition analysis (SCA).

Flaws in third-party libraries discovered through SCA tend to persist longer for all industries, with 30% still unresolved after two years. However, when it comes to addressing open source vulnerabilities, the financial sector corrects at the same rate as other industries for the first year, but then picks up its pace to gain a month off the cross-industry average.

Although the financial industry outperforms most other industries in terms of remediation time for flaws discovered by dynamic, SCA and static, the study found that there is still ample room for continuous improvement when it comes to the number of days to resolve 50% of vulnerabilities—116 days for dynamic analysis, 385 days for SCA, and 288 days for static analysis.

With third-party components comprising up to 90% of an application’s codebase, analyzing early and often using a combination of test types reduces unplanned emergency remediation work and mitigates the risk of introducing third-party security vulnerabilities in the software.


Comments are closed.