Banking on IT

By Rémy Bertot, CTO, Passbolt

Banks are particularly vulnerable to cyber attacks for obvious reasons. Scammers have now built tools that automate the process to scale attacks that previously took a lot of human effort from the fraudster’s side, for example, intercepting one-time pins or one-time passwords (OTPs), achieving an 85% hit rate of people actually giving over OTPs to bots. A lot of early stage fintechs are struggling as they are in the process of creating a brand new financial instrument with their Venture Capital (VC) money and are not in the business of combating fraud, but the nature of trying to grow as quickly as possible means you want to have the lowest friction and checks in your onboarding process, which is causing them a lot of pain. It’s hard for a user or systems supervisor to know where to turn when it comes to how to best structure and operate password managers for teams and DevOps without threatening security or restricting workflow. That’s why we developed Passbolt, a 360 degree toolchain for password management.

In the meantime, digitalisation has happened (post COVID) and developers and digital teams have now taken over the world. For them, the tooling matters. These Agile/DevOps teams just needed better UI/UX (User Interface; User Experience) control, collaboration, integration and data privacy.

The backbone of banking security

DevOps are highly technical teams that have become the backbone of modern businesses and who share the same values and IT practices as the IT team, but it also includes anyone involved in the digital processes, ie. Agile teams located throughout the business. Now, with this shift to agile business practices, these have become strong teams with the tooling they use for Open Source Software and, with OSS, their adoption practices have completely changed. They will debate publicly about what works and what doesn’t work.

82% of modern businesses believe that OSS (Open Source Software) is better for their infrastructure (Source: Redhat 2022, “The state of enterprise OS“). OSS is a growing model that drives market adoption. 84% of those surveyed in financial services said they believed that OSS is as secure or more secure than proprietary software.

For modern businesses, when it comes to security, traditional password managers under-deliver. But enterprise solutions do not have a fit with DevOps teams, either, as the cost of acquisition is very large e.g. $1M a year, and the production cycle is much longer – one to two years – as their solutions are complex (similar to something like the cycle for SAP). Banking industry operators cannot afford to delay locking down their security, yet still need to remain fleet of foot.

DevOps need flexibility

Passbolt is unique because it provides a 360 degree toolchain that addresses the pain points of all the DevOps personas. and helps DevOps teams achieve their security issues within an agile business.

In 2022, DevOps teams are most concerned about how to effectively integrate security into the software supply chain. High-profile supply chain attacks of the last two years have intensified the focus on security: the alternative is leaving the supply chains even more vulnerable to attacks.

No one wants a repeat of the SolarWinds hack which spread to their customers via a software update, or the Colonial Pipeline attack: the nightmare scenario is that a Colonial Pipeline-style ransomware attack disrupts major banks or even financial markets – and the U.S. government will require many organisations to take the necessary action to ensure that further attacks of this scale cannot occur. Denmark’s central bank was compromised in the global SolarWinds hacking operation, leaving a “backdoor” to its network open for seven months, for example. Securing the DevOps process should be the first port of call for any bank looking to prevent supply chain attacks.

Building security into the banking software development process prevents supply chain attacks because developers remove the vulnerabilities before an application goes to production. Further, by continuously reviewing code during the build phase, organisations reduce costs.

Google Cloud’s DevOps Research and Assessment (DORA) team concluded in its “Accelerate State of DevOps 2021 Report” that “development teams that embrace security also see significant value driven to the business”. Teams that integrate security practices throughout their development process are 1.6 times more likely to meet or exceed their organisational goals, according to the report.

Taking care of banking security

In the new world of the decentralised Web (Web 3.0), Passbolt takes more care than most in the security aspect: the private key architecture is very strong, as is authentication. The main USP is the collaborative layer – in order for this to work securely, you need to have a granular system that will help you organise in folders, groups and/or tags. A private key is installed within the browser extension and all the communication with the server is encrypted. The tool is end-to-end encrypted, whereas with other password managers (built pre-COVID and built originally for consumer use) passwords are simply held in a vault which anyone can access. 86% of IT leaders working in financial services who were surveyed, found that enterprise open source solutions were important to addressing their COVID-related challenges. This, clearly, makes the system far more vulnerable to hacking. With Passbolt (built for DevOps and enterprises) the private key is in the browser and installed on the server: the user has full control of their data and their own private key with whom the key was shared; it is impossible to see it otherwise – this is similar to any blockchain or crypto which will also use a private key.

Fundamental protections (using strong passwords, applying software patches in a timely manner, and implementing multi-factor authentication) are an essential part of deploying best practices in DevOps for banking applications, these should include:

• Applying common controls for security and compliance
• Automating common controls and CI/CD (continuous integration/continuous deployment)
• Applying zero-trust principles
• Inventory all tools and access, including infrastructure as code
• Consider unconventional scans to find unconventional vulnerabilities
• Secure containers (packages of software that contain all of the necessary elements to run in any environment) and orchestrators (automating the tasks needed to manage connections and operations of workloads on private and public clouds).