Mounting Security Debt Is Putting Financial Services at Risk

Many financial institutions have a debt problem. Not a monetary one, but a software security one. Veracode’s State of Software Security 2024 study reports that over three out of four (76%) financial organizations carry security debt, the highest share of any sector. Security debt is defined as software flaws that remain unremediated within an organization for more than a year. High-severity vulnerabilities that persist for over a year are classified as critical security debt. The financial sector leads here as well, with 50% of organizations carrying unpatched critical software flaws.

Allowing software vulnerabilities to linger is problematic for all organizations, but it is more so when they occur in the highly regulated banking industry. Financial institutions are a high-value target for cybercriminals. Breaches and other incidents are extremely damaging to customers, individuals, and companies and can harm economic stability. For example, disruptions to payment systems and mechanisms can impact many types of businesses.

The Problem of Software Vulnerabilities

Software is the set of instructions that performs operations and tasks, and every IT operation depends on it. Software generally does what it is supposed to do, but as a result of coding errors, design defects, or unexpected interactions between components, it can also behave in ways that were never intended. These unintended behaviors, better known as vulnerabilities, can be exploited by threat actors to gain unauthorized access, execute malicious code, or disrupt operations. Vulnerabilities need to be closed as soon as possible: the longer they persist, the greater the risk and the larger the security debt grows.

The easiest way to attack an organization is to exploit known vulnerabilities that have not been remediated. Unpatched software is a primary attack vector for ransomware, with 32% of attacks resulting from an unpatched vulnerability, according to the State of Ransomware 2024 report from Sophos.

How Open-Source Code Contributes to Security Debt

Software is built from components. Previously, organizations wrote their own code, but the need to move faster has pushed developers to incorporate open-source software into their programs. As a result, less of the code within an application is owned and managed directly by the organization. Open-source usage is ubiquitous: researchers estimate that 70-90% of the code in any given application is made up of open-source components.

The use of open source can expose organizations to risks they are not aware of. Veracode's report says that 84% of all flaws in financial organizations' code are in internally developed code; however, 78% of the critical security debt comes from third-party sources.

Vulnerabilities in open-source software have led to breaches. An impactful one was the 2017 Equifax data breach, which exposed the personal information of up to 143 million people. The attackers, in this case, exploited a flaw in the Apache Struts framework for which a patch was already available; Equifax had still not applied it months after the patch was released. Apache Struts is open-source software used to build enterprise-ready web applications.

Why Security Debt Persists

Security debt accumulates when organizations do not apply the appropriate remediation. The reasons are many: strain on IT resources and budget, lack of prioritization given to security when compared to other urgent business needs, large applications with complex code and many dependencies, and an incomplete understanding of all the third-party software included within an application. Each of these limits visibility into possible vulnerabilities. This is exactly the issue Equifax had, as they did not notice they were running vulnerable software. Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, adds that "a key issue is the extended remediation timeline for third-party flaws, which poses a growing risk as these vulnerabilities can remain unaddressed for prolonged periods."

Reducing Security Debt

It is possible to close security debt, but "financial institutions must proactively identify and remediate vulnerabilities before they escalate into security debt. This demands technology that automatically identifies vulnerabilities, scans code, flags high-risk dependencies, and prioritizes remediation efforts across the entire software supply chain," according to Piyush Pandey, CEO at Pathlock.

As the complexity of software grows and the use of open-source libraries expands, organizations must have visibility into the dependencies within their code, take responsibility for determining the risks associated with that code, and address vulnerabilities based on their potential impact. Organizations must create a Software Bill of Materials (SBOM), which is "a nested inventory, a list of ingredients that make up software components." Using the SBOM allows software teams to understand what their applications rely on and to identify vulnerabilities that could impact them.
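The following added example (not code from the article or from any vendor it cites) shows how an SBOM is put to use the way the paragraph above describes and how findings are then sorted into security debt and critical security debt under the definitions the article gives. The SBOM, the advisory feed, the package names and the ADV-PLACEHOLDER identifiers are all constructed for illustration.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical application (not a real inventory).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "group": "org.example", "name": "web-framework", "version": "2.3.31"},
  {"type": "library", "group": "org.example", "name": "json-parser", "version": "1.8.0"},
  {"type": "library", "group": "org.example", "name": "text-utils", "version": "1.10"}]}"""

# Constructed advisory feed with placeholder ids; first_seen = date the finding first appeared in scans.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.example", "name": "web-framework",
     "fixed_in": "2.3.32", "severity": "high", "first_seen": "2023-03-01"},
    {"id": "ADV-PLACEHOLDER-2", "group": "org.example", "name": "json-parser",
     "fixed_in": "1.9.0", "severity": "medium", "first_seen": "2024-11-20"},
    {"id": "ADV-PLACEHOLDER-3", "group": "org.example", "name": "text-utils",
     "fixed_in": "1.10", "severity": "high", "first_seen": "2022-06-01"},
]

DEBT_AGE_DAYS = 365  # the article's threshold: a flaw open for more than a year is debt


def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def match_advisories(sbom_json, advisories):
    """Cross-reference SBOM components with advisories; affected only if older than fixed_in."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            same_pkg = (comp["group"], comp["name"]) == (adv["group"], adv["name"])
            if same_pkg and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({**adv, "component": f"{comp['name']}@{comp['version']}"})
    return findings


def classify_debt(findings, today_iso):
    """Article's definitions: >1 year open = security debt; high severity and >1 year = critical."""
    today = date.fromisoformat(today_iso)
    report = {"current": [], "security_debt": [], "critical_security_debt": []}
    for f in findings:
        age_days = (today - date.fromisoformat(f["first_seen"])).days
        if age_days <= DEBT_AGE_DAYS:
            report["current"].append(f["id"])
        elif f["severity"] == "high":
            report["critical_security_debt"].append(f["id"])
        else:
            report["security_debt"].append(f["id"])
    return report
```

Note that text-utils is not flagged because its version already equals the fixed version, which is exactly the distinction an SBOM makes possible: only components actually running an affected version count toward debt.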

Retiring security debt requires security tools designed for the software development process. Application Security Posture Management (ASPM) is an emerging practice for managing and improving the security of applications. ASPM products combine continuous assessment, automated vulnerability management, and centralized policy enforcement. Other products provide remediation capabilities that maintain curated sets of patches so fixes can be applied quickly with minimal effort. Organizations should also look at Artificial Intelligence (AI) enabled solutions, which are needed to keep pace with attackers: a March 2024 report from the U.S. Treasury Department stated that threat actors are themselves using AI-based tools to discover and exploit vulnerabilities.

Building a Stronger Security Foundation

Financial institutions are the proverbial tip of the spear when it comes to security debt. They are a prime target of attackers of all types, and when they experience cyber incidents, many individuals and organizations are impacted. The costs of such events are considerable. Financial institutions therefore have an obligation to reduce their security debt, and it is possible to do so.

The first step is making the decision to fix vulnerabilities, especially those that are most critical. The second step is to incorporate a security mindset into the software development lifecycle process. The third step is to incorporate an SBOM to gain full visibility of the third-party software used within the organization. The final component is to utilize the tools available to discover and remediate vulnerabilities. The long-term benefit is worth any short-term costs.

Veracode’s chief security evangelist and co-founder, Chris Wysopal, urges “financial institutions to prioritize timely security debt reduction by adopting AI-powered remediation and application risk management tools that can detect, prioritize, and fix vulnerabilities within seconds.”

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…