Veracode, a global provider of application security testing solutions, released data revealing that the financial services industry ranks among the best in terms of overall flaw percentage when compared to other industries, but has one of the lowest fix rates for software security flaws. The sector also ranks in the middle of the pack for high-severity flaws, with 18% of applications containing a serious vulnerability, implying that financial firms should prioritize identifying and remediating the flaws that matter the most.
The findings were detailed in the company’s annual State of Software Security report v12, which examined 20 million scans across 500,000 applications in the financial, technology, manufacturing, retail, healthcare, and government sectors. The financial sector has the second-lowest proportion of applications with security flaws among the six industries, at 73%. In last year’s report, the industry had the lowest number of software security flaws across all sectors, but in this year’s study, manufacturing has surpassed it. Despite having fewer flaws overall, the financial services sector is tied for last place with technology and government in terms of the proportion of flaws fixed.
“One of the advantages of serving the software development community for so many years is that Veracode can see changes in development practices across industries over time. We found that while financial services applications have fewer security flaws than last year, the sector lags behind other industries when it comes to fix rate. Our research showed that security training can significantly improve remediation speeds, and that companies whose development teams had completed hands-on training using real-life applications fixed flaws 35 percent faster than those without such training,” said Chris Eng, Chief Research Officer at Veracode.
While there is still room for improvement in terms of flaw prevalence and remediation rates, financial services organizations fix vulnerabilities at a faster rate than most.
Eng said, “The U.S. Executive Order on Cybersecurity, alongside mandates on security controls regarding open-source usage, such as GDPR and the New York Department of Financial Services Cybersecurity Regulations, has highlighted the importance of securing the software supply chain. Being a highly regulated sector may go some way to explain the financial industry’s relative speed in addressing vulnerable libraries discovered through software composition analysis (SCA).”
Flaws in third-party libraries discovered through SCA tend to persist longer in all industries, with 30% still unresolved after two years. When it comes to addressing open-source vulnerabilities, the finance sector remediates at the same rate as other industries for the first year, but then accelerates to gain a month on the overall average.
Although the finance sector outperforms most other industries in terms of fix times for flaws discovered by dynamic, SCA, and static analysis, the study found that there is still plenty of room for improvement when it comes to the number of days it takes to resolve 50% of flaws—116 days for dynamic analysis, 385 days for SCA, and 288 days for static analysis. With third-party components accounting for up to 90% of an application’s codebase, scanning early and frequently with a mix of testing types reduces unplanned emergency remediation work and mitigates the risk of introducing third-party security flaws into software.