Security by design in the fintech sector

Phil Bindley, managing director at The Bunker

In recent years, the fintech industry has placed an emphasis on strengthening its defences against evolving cyber threats as sensitive data becomes more at risk to willing cyber criminals.

In fact, very recently, the World Economic Forum has led the creation of an industry consortium dedicated to improving cyber security in the fintech sector. These are positive steps, but it is worth bearing in mind that embedding security in everything from the get-go will help the cause even further.

One of the most debated areas in the software development arena is the importance of embedded security testing within the Software Development Life Cycle (SDLC). The juxtaposition of developing software in an agile manner and delivering the functionality and end user experience can create challenges, especially in the fintech sector where there are a lot of moving parts. However, if it is adopted successfully and balanced against a robust approach to security testing at all stages of the SDLC, this can result in code that delivers on both business and user requirements.

As data privacy and security becomes more paramount, fintech software developers need to invest in adopting a culture of security and realise the consequential benefits of doing so.

Balancing security with software development can be a tricky task –  the requirement to develop at pace and enrich financial applications is the primary goal of a development team. But driving the product to deliver the functionality and a user-friendly experience demanded by the consumer should also be a priority, while making sure you are one step ahead of the competition. Then there is also recognising the costs incurred to the business when development delays happen for whatever reason.

However, integrated and embedded security testing should not be seen as just a tick-box exercise – it is simply sound business practice. Not only that, but it also makes commercial sense.

Alert Logic’s 2017 Cloud Security Report revealed that 73% of attacks are directed towards the web application layer. With insecure coding practices being stated as one of, if not, the singular most reason for this chosen attack vector, it is paramount that software developers and vendors recognise the vital nature of this and take proactive steps towards addressing this issue.

Software development is a complex process with different teams responsible for developing certain facets of the application. The danger is that this can lead to doors being opened to security threats. To counter this, a holistic approach is required to ingrain a responsible and pragmatic approach to the continual testing of the application’s security.

A typical process would begin at concept, functional requirements and specifications, technical requirements and specifications, design, coding and testing. This is all well and good and will bring the product to market quickly.However, without having security built in from the beginning, there are a number of potential risks to the sensitive information contained within fintech applications and software that won’t be addressed.

Information security principles such as the General Data Protection Regulation and requirements specific to the sector, including PCIDSS need to be considered at the conceptual, functional and technical stages of the product development. Enterprise security architecture and product standards should then be taken into account at the design stage, and the software should then be coded using development standards, practices, libraries and coding examples. Testing plans which detail the scope, approach, resources and schedule of intended test activities should also show how to verify each security requirement at the point at which the software is implemented. Procedures that address integrating existing authentication, access controls, encryption and backup will also need to be thought about.

It can be seen as an onerous process and counter intuitive at the beginning,especially with the added layers of complexity, time and cost to the SDLC, but it is important to consider how having these controls in place could benefit your product and business in the long-run.

Phil Bindley, managing director at The Bunker

In recent years, the fintech industry has placed an emphasis on strengthening its defences against evolving cyber threats as sensitive data becomes more at risk to willing cyber criminals.

In fact, very recently, the World Economic Forum has led the creation of an industry consortium dedicated to improving cyber security in the fintech sector. These are positive steps, but it is worth bearing in mind that embedding security in everything from the get-go will help the cause even further.

One of the most debated areas in the software development arena is the importance of embedded security testing within the Software Development Life Cycle (SDLC). The juxtaposition of developing software in an agile manner and delivering the functionality and end user experience can create challenges, especially in the fintech sector where there are a lot of moving parts. However, if it is adopted successfully and balanced against a robust approach to security testing at all stages of the SDLC, this can result in code that delivers on both business and user requirements.

As data privacy and security becomes more paramount, fintech software developers need to invest in adopting a culture of security and realise the consequential benefits of doing so.

Balancing security with software development can be a tricky task –  the requirement to develop at pace and enrich financial applications is the primary goal of a development team. But driving the product to deliver the functionality and a user-friendly experience demanded by the consumer should also be a priority, while making sure you are one step ahead of the competition. Then there is also recognising the costs incurred to the business when development delays happen for whatever reason.

However, integrated and embedded security testing should not be seen as just a tick-box exercise – it is simply sound business practice. Not only that, but it also makes commercial sense.

Alert Logic’s 2017 Cloud Security Report revealed that 73% of attacks are directed towards the web application layer. With insecure coding practices being stated as one of, if not, the singular most reason for this chosen attack vector, it is paramount that software developers and vendors recognise the vital nature of this and take proactive steps towards addressing this issue.

Software development is a complex process with different teams responsible for developing certain facets of the application. The danger is that this can lead to doors being opened to security threats. To counter this, a holistic approach is required to ingrain a responsible and pragmatic approach to the continual testing of the application’s security.

A typical process would begin at concept, functional requirements and specifications, technical requirements and specifications, design, coding and testing. This is all well and good and will bring the product to market quickly.However, without having security built in from the beginning, there are a number of potential risks to the sensitive information contained within fintech applications and software that won’t be addressed.

Information security principles such as the General Data Protection Regulation and requirements specific to the sector, including PCIDSS need to be considered at the conceptual, functional and technical stages of the product development. Enterprise security architecture and product standards should then be taken into account at the design stage, and the software should then be coded using development standards, practices, libraries and coding examples. Testing plans which detail the scope, approach, resources and schedule of intended test activities should also show how to verify each security requirement at the point at which the software is implemented. Procedures that address integrating existing authentication, access controls, encryption and backup will also need to be thought about.

It can be seen as an onerous process and counter intuitive at the beginning,especially with the added layers of complexity, time and cost to the SDLC, but it is important to consider how having these controls in place could benefit your product and business in the long-run.