A new Dynatrace report highlights key vulnerability management challenges for banks and insurers.
With AWS Summit taking place July 12 in New York City, Dynatrace will release new data from its global chief information security officer (CISO) survey, revealing the state of vulnerability management in the financial services sector.
“The 2022 CISO Research Report: Financial Services” is based on the responses of 325 IT professionals within banks, insurers, and financial services providers. It reveals the majority of organizations have adopted multicloud environments, cloud-native architectures, and open source code libraries to support efforts to deliver new digital solutions to customers.
The data indicates, however, that organizations’ adoption of these approaches has created a significant challenge for financial services organizations in managing and reducing enterprise risk as they innovate.
In total, 75% of CISOs within financial services organizations say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.
Layered financial services security strategies are not enough
The rise of modern cloud environments has created a challenge for IT, development, and security teams within the financial services sector.
While microservices, Kubernetes, and serverless computing deliver significant benefits for digital banking innovation, these architectures also make application security more complex.
To overcome this, 58% of financial services organizations have a layered cybersecurity posture, supported by five or more different types of security solutions.
However, even with this robust, layered approach to cybersecurity, the Dynatrace data reveals more than 75% of CISOs in the financial services sector believe their current security posture is not strong enough to keep vulnerabilities from entering production.
“The financial services industry is experiencing significant change, driven by evolving customer demands and intense competition from digital-first providers,” says Amit Shah, Director of Product Marketing, Application Security at Dynatrace. “However, this growing pressure to innovate faster is creating more risk of vulnerabilities escaping into production.
“It’s now clear that current approaches to layered security are not enough, as teams simply can’t access all of the context they need to prevent every vulnerability from escaping. As a result, it’s increasingly difficult for them to manage the security of their applications, which could leave sensitive financial data and critical transactions at risk.”
In addition to the challenges created by cloud-native environments, 49% of CISOs said the speed of software delivery makes it easier for vulnerabilities to re-enter production.
According to the research, just 6% of financial services organizations have real-time visibility into runtime vulnerabilities.
The impact of open source code on runtime application security
Many financial services organizations are already using other methods, such as open source code, to speed up or assist transformation efforts. These approaches, however, can also create security issues, with vulnerabilities regularly emerging in third-party software libraries.
According to the Dynatrace data, just 31% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time. Additionally, 29% of CISOs said they do not always know which third-party code libraries they have in production at any given time.
The recent discoveries of the Log4Shell and Spring4Shell vulnerabilities have highlighted the impact of susceptible third-party code.
The Dynatrace study finds 96% of financial services organizations faced risk exposure from Log4Shell, with over a third saying their risk was “high” or “severe.”
In many cases, security solutions that detect vulnerabilities lack the runtime context needed to enable financial services teams to differentiate a minor flaw from a severe risk.
As a result, many of the alerts they receive are low risk, and the sheer volume makes it difficult for security teams to distinguish the serious issues from the relatively harmless ones. Data indicates teams receive, on average, more than 2,200 alerts to potential vulnerabilities monthly, making it nearly impossible to see the forest for the trees.
The frustration for CISOs is clear, with 75% of respondents confirming that most of their security alerts and vulnerabilities are false positives that don’t require action because they are not true exposures.
Promoting DevSecOps culture and IT automation
In this era of fast-paced digital transformation, financial services organizations must treat security as a shared issue across the business — which calls for a convergence with observability.
Instituting a development, security, and operations-merged (DevSecOps) culture is an important step in achieving this. According to the Dynatrace data, only 37% of financial services organizations have a mature DevSecOps culture, where the majority of teams have integrated security practices across the software development lifecycle (SDLC).
Implementing a DevSecOps practice is key to converging observability. It provides development, operations, and security teams with the context needed to understand how their applications are connected and where the vulnerabilities are.
Dynatrace data finds 82% of CISOs in the financial services sector agree security must be a shared responsibility across the software delivery lifecycle, from development to production.
“If security becomes a shared responsibility,” Shah says, “and organizations converge observability and security, they can accelerate risk management and incident response by giving teams the context needed to make more effective decisions.
“To be truly effective, financial services organizations should look for solutions that have AI and automation capabilities at their core. These solutions empower teams across banks and insurers to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be used to exploit sensitive financial data and transactions.”