How Software-as-a-Service is paying off the financial services industry’s security debt

By Paul Farrington, CTO of EMEA at Veracode

The spread of COVID-19 resulted in unprecedented demand from businesses to host more of their applications in the cloud. A rapidly changing business landscape has accelerated the speed of digital transformation for many – a move which has the potential to usher in the future of financial services technology, but may also cause an increase in security debt found within the financial services industry. Security debt is defined as the number of software flaws identified but left unresolved, and the longer those unresolved flaws linger, the less likely they are to be fixed.

Although financial services organisations invested in transformative solutions and cybersecurity measures to protect their data and networks, there are still some security challenges left unaddressed. In fact, one of the most prominent pain points within the industry stems from security debt. Each unresolved flaw in an application adds to an organisation’s risk exposure if it is not addressed. The financial services industry stands out compared with other industries in that it often has many more applications and is more advanced in software security testing, meaning there is a larger data set to analyse. According to our industry research, the sector has the highest number of fixed flaws, yet it also currently tests the largest population of applications.

With the rise in new applications and increased potential to overcome ever-emerging risks, financial services businesses must be prepared to embrace modern, scalable cybersecurity practices and infrastructures. Put simply, the more secure the software which supports their digital transformation projects, the more likely it is that their applications will become a critical differentiator for customers.

Banks are paying the cost of having the highest security debt

The IT infrastructures used in our banks are built on both legacy and modern applications, which require a specific skillset to handle the complexity of the infrastructure and code. But, as the number of new applications continues to grow as banks look to improve customer satisfaction, vulnerabilities will be found faster than they are being fixed. The recent Verizon Data Breach Investigations Report found web applications were part of more than 43 percent of breaches, more than double the amount from last year. A breach against a bank or financial firm due to an unresolved vulnerability in an application remains a very real threat and a reason the UK financial services industry should plan to pay off its security debt.

Our latest State of Software Security report (SoSS) revealed banks and other financial services firms have the best software fix rate, with 76% of flaws resolved – well above the average of 56% across all industries. Nonetheless, the sector is among the slowest to resolve flaws; the median time to resolve in financial services is more than two months (67 days). Too often, the demands of accelerated development timelines mean applications are inadequately tested, if tested at all. Comparatively, the healthcare, retail, technology and government sectors all remediate flaws faster.

SaaS application security integrated into software development is saving banks billions

The heightened focus on digital transformation has put pressure on the on-premise programmes traditionally used in the financial services sector and, in turn, their application security testing tools are complex to manage remotely and difficult to scale. Supporting software security needs is especially difficult during a global pandemic when on-site support and implementation are required. As a result, IT, development, and security teams benefit from a Software-as-a-Service-based (SaaS) approach to application security that allows for greater flexibility to scale and automated scanning while still delivering fast results that enable quick fixing.

The only way for businesses to compete with the current surge of digitalisation and the evolving threat landscape is via SaaS.

An effective example of this is OneSpan Inc. – a provider of trusted identities, e-signatures and secure transactions to banks. With customers including 60 of the top 100 global banks, OneSpan has adopted solutions in identity verification and authentication, fraud analysis, and mobile app security, and its customers rely on these solutions to scale digital transformation securely.

The organisation uses comprehensive software security analysis within a SaaS platform to integrate security into its software development lifecycle so development teams can scan software for vulnerabilities daily – a best practice for achieving DevSecOps. By implementing SaaS application security combined with modern secure coding practices, OneSpan’s software is saving banks and financial services billions in fraud by helping them protect against targeted cyber threats.

Security embedded into developer workstreams makes time for innovation

Organisations which provide their developers with the tools, training and speed to address vulnerabilities directly within their workstreams are not only more secure, but can also innovate at speed. When financial services use real-time scanning in a SaaS solution, they can create secure software faster whilst simultaneously mitigating risk and security debt. Undoubtedly, the businesses which excel at this will have an advantage when it comes to controlling and eliminating risk, paving the way for faster innovation against their competitors.
