Story image

Global banks fail to keep up with application security

15 Jul 2019
Twitter
Facebook

Many of the world’s largest banks are the cybersecurity equivalent of swiss cheese, with many that would fail GDPR compliance tests – an oversight that puts banks and their customers at risk.

A recent ImmuniWeb study on 100 banks across the world – including 36 in Asia and five in Australia – found that the organisations show an alarming lack of security across their banking applications.

In one case, the study found that one bank had an unpatched vulnerability that has existed since at least 2011 – suggesting that banks need to do more to ensure their systems are safe.
The study analysed three different aspects of bank security: compliance, security vulnerabilities, and website security.

Compliance: 

•    85 e-banking web application failed a GDPR compliance test
•    49 e-banking web applications failed a PCI DSS compliance test 
•    25 e-banking web applications are not protected by a web application firewall. 

Security vulnerabilities: 

•    Seven e-banking web applications contain known and exploitable vulnerabilities 
•    The oldest unpatched vulnerability is known and publicly disclosed since 2011 
•    92% of mobile banking applications contain at least one medium-risk security vulnerability 
•    100% of all banks have security vulnerabilities or issues related to forgotten subdomains

Website security 

Only three main websites out of 100 had the highest grades ''A+'' both for SSL encryption and website security:  Credit Suisse (Switzerland), Danske Banke (Denmark), and Handelsbanken (Sweden).

Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” comments ImmuniWeb CEO and founder Ilia Kolochenko. 

“Most of the data breaches involve or start with insecure web and mobile apps that too frequently underprioritised by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low hanging fruits for cybercriminals.''

ImmuniWeb says that banks should:

1. Consider implementing Gartner’s CARTA strategy to enhance cybersecurity strategy.

2. Maintain a holistic and up-to-date inventory of assets located in the external attack surface, identify all software and its components used, run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of external attack surfaces, test new code before and after deployment to production, start implementing DevSecOps approach to application security.

4. Consider leveraging machine learning and AI capacities to handle time-consuming and routine processes, freeing up security personnel for more important tasks.