Veracode, a leading provider of application security testing (AST) solutions, has released findings from its State of Software Security (SOSS) Volume 10 report showing the finance industry fixes 76% of flaws in its software, well above the average 56% across all industries.
Yet the report also found financial services institutions were the second slowest industry, only behind healthcare, to remediate software flaws, taking over two months (67 days) on average.
The report studied levels of security debt, defined as the amount of unaddressed flaws that accumulate in software over time, across the financial services, government and education, healthcare, infrastructure, manufacturing, retail and technology industries.
Paul Farrington, Chief Technology Officer, EMEA at Veracode, said: “The financial services sector in particular has undergone rapid Digital Transformation, leaving many large financial institutions with a hotchpotch of new and legacy systems. This has led to a vast amount of security issues, which is particularly precarious in such a heavily regulated industry that stores a wealth of personal data.
“To overcome these challenges, financial services organisations have had to up-skill quickly and over the past 10 years we’ve seen a vast improvement in the overall state of application security within the industry.
“In saying that, the report also shows there is still a way to go in reducing the growing security debt that financial organisations carry. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”
While the financial services industry does not carry the highest amount of security debt, more than a third (36%) of the software used by financial firms has high-risk flaws. Information leakage (66%), cryptographic issues (61%) and code quality (58%) are the most prevalent flaw categories found within the sector.
Over the last two years, Veracode’s research into the state of software security has uncovered strong evidence that practices in keeping with a DevSecOps approach yield substantial benefits to development teams that employ them. In Vol. 9, the team discovered that the most active DevSecOps programmes fix flaws more than 11 times faster than the typical organisation.
The most recent SOSS, which analysed more than 85,000 applications across more than 2,300 companies worldwide, found that teams scanning applications most frequently carry about five times less security debt than infrequent scanners. But organisations that only focus on fixing new findings while neglecting ageing flaws can expect increasing security debt.
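The two effects described above, scan frequency and a "fix only the new findings" policy, can be made concrete with a small day-by-day model of how unaddressed flaws pile up. The following is an added example written for this page, not Veracode's methodology, code or data: the flaw inflow rate, scan interval, daily fix capacity, the 100-flaw legacy backlog and the two remediation policies are all constructed assumptions, and the numbers it produces illustrate the mechanism rather than reproduce the report's figures.

```python
"""Toy simulation of security debt (unaddressed flaws accumulating over time).

Constructed example for illustration. The inflow rate, scan interval, fix
capacity and the two remediation policies are assumptions, not Veracode's
model or data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flaw:
    introduced: int               # day the flaw entered the code base
    found: Optional[int] = None   # day a scan surfaced it (None = still undiscovered)
    fixed: Optional[int] = None   # day it was remediated (None = still open, i.e. debt)


def simulate(days, new_per_day, scan_every, fix_per_day, policy, legacy=0):
    """Run a day-by-day model and return every flaw with its found/fixed days.

    policy 'new_only'     : the team fixes only findings from the most recent scan
    policy 'oldest_first' : the team works the whole known backlog, oldest flaw first
    legacy                : known-but-unfixed flaws carried in from before day 0
    """
    # Legacy backlog: introduced and discovered before the simulation window.
    flaws = [Flaw(introduced=-1, found=-1) for _ in range(legacy)]
    last_scan = -1
    for day in range(days):
        flaws.extend(Flaw(introduced=day) for _ in range(new_per_day))
        if day % scan_every == 0:            # a scan surfaces everything unfound so far
            for f in flaws:
                if f.found is None:
                    f.found = day
            last_scan = day
        # The team can only remediate what a scan has already shown it.
        open_known = [f for f in flaws if f.found is not None and f.fixed is None]
        if policy == "new_only":
            candidates = [f for f in open_known if f.found == last_scan]
        elif policy == "oldest_first":
            candidates = sorted(open_known, key=lambda f: f.introduced)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        for f in candidates[:fix_per_day]:   # fix capacity per day
            f.fixed = day
    return flaws


def _mean(values):
    return round(sum(values) / len(values), 1) if values else 0.0


def metrics(flaws, days):
    """Summarise a run: debt, fix rate, mean days-to-fix, mean age of open flaws."""
    fixed = [f for f in flaws if f.fixed is not None]
    open_flaws = [f for f in flaws if f.fixed is None]
    return {
        "security_debt": len(open_flaws),                       # unaddressed flaws
        "fix_rate": round(len(fixed) / len(flaws), 3),
        "mean_days_to_fix": _mean([f.fixed - f.found for f in fixed]),
        "mean_open_age": _mean([days - f.introduced for f in open_flaws]),
    }


def compare(days=365):
    """Constructed scenarios: scan frequency, then remediation policy, varied in isolation."""
    runs = {
        # Same inflow (2/day) and capacity (2/day); only the scan interval differs.
        "daily scan, oldest first": simulate(days, 2, 1, 2, "oldest_first"),
        "monthly scan, oldest first": simulate(days, 2, 30, 2, "oldest_first"),
        # Same inflow (1/day), capacity (2/day) and a 100-flaw legacy backlog;
        # only the policy differs.
        "legacy backlog, oldest first": simulate(days, 1, 1, 2, "oldest_first", legacy=100),
        "legacy backlog, new only": simulate(days, 1, 1, 2, "new_only", legacy=100),
    }
    return {name: metrics(flaws, days) for name, flaws in runs.items()}


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:30} {m}")
```

In the first pair the team has enough capacity to keep up, yet monthly scanning still ends the year with 58 open flaws because capacity idles on the days when nothing new has been surfaced; daily scanning ends with none. In the second pair the "new only" policy posts a respectable fix rate (about 78% of all flaws) while the 100 legacy flaws never shrink and age a full year, which is the credit-card effect in the quote above: a balance carried forward every cycle is what the report counts as security debt.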