CyberSecurity SEE

Half of financial organizations have high-severity security flaws in their apps


A recent Veracode report reveals that security debt is prevalent in the financial services sector: a staggering 76% of organizations were found to have unfixed flaws that have lingered for more than a year. This statistic highlights the significant cybersecurity risk these organizations and their customers are exposed to for as long as such flaws go unaddressed.

The financial industry, known for being a prime target for cyber threats, faces an average cost of $6.08 million for a data breach, making it imperative for organizations to prioritize their security measures. With threat actors utilizing AI-based tools to exploit software vulnerabilities, the sector is under constant pressure to enhance its security infrastructure while keeping up with evolving regulations and customer expectations.

Chris Wysopal, Chief Security Evangelist at Veracode, emphasized the urgency for financial institutions to tackle security debt, stating that leaving vulnerabilities unaddressed for extended periods allows threat actors to exploit them at an alarming rate. The research conducted by Veracode also revealed that 40% of all applications in the financial sector carry security debt, indicating a significant area of vulnerability that needs attention.

One of the key findings of the report is the need for organizations to address security debt in both first-party and third-party code. While 84% of security debt affects first-party code, a significant portion of critical security debt (78.6%) stems from third-party dependencies, underscoring the importance of securing the open-source ecosystem.

The analysis further examines remediation timelines within the financial services sector, noting that organizations tend to fix first-party flaws more quickly than third-party flaws. Even so, a significant share of third-party flaws (52%) eventually turn into security debt, highlighting the difficulty of managing vulnerabilities in dependencies.

The rise of supply chain attacks targeting the financial services sector has led to an increase in cybersecurity regulations with a focus on software security. Regulatory frameworks such as ISO 20022, PCI DSS, NIS2, and DORA emphasize the importance of preventing vulnerabilities in applications, pushing organizations to address security debt and update their remediation strategies to stay compliant.

To mitigate the risks associated with security debt, organizations are advised to prioritize the remediation of critical flaws. By focusing on the most dangerous vulnerabilities first, financial entities can effectively reduce their exposure to cyber threats and subsequently address other security issues in a systematic manner.
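The report's definition of security debt (an open flaw older than one year) and its advice to fix critical flaws first can be turned into a simple triage step over scan results. The following is an added example written for this page, not code from Veracode or from the article; it assumes a simplified finding record (severity, first-seen date, first- or third-party origin, fixed flag) and uses constructed sample findings with a fixed reference date so that the result is reproducible offline.

```python
from dataclasses import dataclass
from datetime import date

# Severity ranking used to order the remediation queue (highest first).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Open findings older than this are counted as security debt
# (the one-year threshold used in the report discussed above).
DEBT_THRESHOLD_DAYS = 365

# Fixed reference date so the constructed sample below gives stable results.
TODAY = date(2025, 1, 15)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str        # "critical" | "high" | "medium" | "low"
    first_seen: date     # date the scanner first reported the flaw
    third_party: bool    # True if the flaw is in a dependency, False if in first-party code
    fixed: bool = False  # True once the flaw has been remediated


def age_days(f: Finding, today: date) -> int:
    """Days since the flaw was first reported."""
    return (today - f.first_seen).days


def is_security_debt(f: Finding, today: date) -> bool:
    """An open finding older than the threshold is security debt."""
    return not f.fixed and age_days(f, today) > DEBT_THRESHOLD_DAYS


def debt_summary(findings, today):
    """Counts that track debt by origin and by criticality, mirroring the report's metrics."""
    debt = [f for f in findings if is_security_debt(f, today)]
    return {
        "open": sum(1 for f in findings if not f.fixed),
        "debt": len(debt),
        "debt_first_party": sum(1 for f in debt if not f.third_party),
        "debt_third_party": sum(1 for f in debt if f.third_party),
        "critical_debt": sum(1 for f in debt if f.severity == "critical"),
    }


def remediation_queue(findings, today):
    """Open findings ordered for remediation: most severe first, then oldest first."""
    open_findings = [f for f in findings if not f.fixed]
    return sorted(
        open_findings,
        key=lambda f: (-SEVERITY_RANK[f.severity], -age_days(f, today)),
    )


def sample_findings():
    """Constructed sample scan results (hypothetical, not real data)."""
    return [
        Finding("F1", "critical", date(2023, 6, 1), third_party=True),
        Finding("F2", "high", date(2024, 11, 1), third_party=False),
        Finding("F3", "medium", date(2023, 12, 1), third_party=False),
        Finding("F4", "critical", date(2024, 12, 20), third_party=False),
        Finding("F5", "low", date(2023, 1, 10), third_party=True, fixed=True),
        Finding("F6", "high", date(2023, 10, 15), third_party=True),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print("summary:", debt_summary(findings, TODAY))
    for f in remediation_queue(findings, TODAY):
        flag = "DEBT" if is_security_debt(f, TODAY) else "open"
        print(f"{f.finding_id:>3} {f.severity:<8} {age_days(f, TODAY):>4}d "
              f"{'third-party' if f.third_party else 'first-party'} {flag}")
```

Running the script prints the debt counts split by origin and a queue in which the two critical findings come first regardless of age, followed by the high and medium ones; the fixed finding is excluded. Tracking `debt_third_party` separately is what makes the report's point about dependencies visible: those findings need an upgrade or patch of the dependency rather than a code change, so they tend to age differently from first-party flaws.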

In conclusion, Wysopal urged financial institutions to stay vigilant against evolving cybersecurity threats by adopting AI-powered tools for timely vulnerability detection and remediation. With cyber attacks growing more sophisticated, it is crucial for the financial services sector to prioritize security debt reduction to safeguard its assets and maintain regulatory compliance in an ever-evolving threat landscape.
