Across the globe, the financial services sector is affected by increased security regulations. To name a few, there is the United States’ Executive Order on Improving the Nation’s Cybersecurity, the European Union’s NIS2 Directive, the SEC’s new rules on disclosures, and ISO 20022. With so much pressure on the sector, Veracode is proud to present new data, looking specifically at organizations in this industry, that reveals the top drivers security teams can employ to measurably reduce their software security risk.
“The security performance of financial applications generally outperforms other industries, with automation, targeted security training, and scanning via Application Programming Interface (API) contributing to a year-over-year reduction in the percentage of applications containing flaws,” reads our press release covering the research, published on 25 October 2023.
Let’s dissect this research from the State of Software Security 2023 in Financial Services in more detail.
Data on Dropping Probability of Security Flaw Introduction
The State of Software Security 2023 reveals that 32 percent of applications contain security flaws at the first scan. That percentage then drops and stabilizes for a few years before steadily increasing, reaching 70 percent by the 5-year mark. Applications grow by about 40 percent year on year irrespective of their original size, and that growth contributes to the jump in applications containing security flaws over time.
Before looking at what reduces the probability that flaws are introduced during an application’s life, let’s look at what the base probability is. The research shows that, in any given month, there is a 27 percent chance that new flaws will be introduced in an application.
Figure 1: Factors Influencing the Probability of Flaw Introduction (below) compares financial services applications with all applications. It shows the elements that affect the base probability, expressed as the percent reduction or increase in the number of flaws introduced when that element is present.
Looking into this data, the report shares: “We see that the Financial Services development teams leveraging scanning via API reduce the chance of flaw introduction per month by 2.9%. That is almost a percent better than non-Financials and given that the base chance is 27% that’s a significant reduction. The next difference is the benefit of security training on the probability of flaw introduction... These two (API-launched scanning and training) stand out and combined drop the base probability of flaw introduction down to less than 22%.”
Given these results, scanning via API and security training pay off big time down the road. As applications grow in size, it will be less likely they accumulate security debt and damage your security posture. Let’s explore these two elements in greater detail.
Exploring API-launched Scanning and Its Impact
Let’s explore the most impactful element in dropping the probability of flaw introduction: API-launched scanning. Don’t confuse this with scanning to secure your APIs. API-launched scanning, or scanning via API, means using Veracode APIs to automate and scale your scanning, typically by triggering scans from the development pipeline rather than by hand.
“Scanning via API is a rough measure of maturity. Teams that integrate scanning via API likely have more automation and control over the development pipeline,” says the report. If you need help with getting to a place where development teams are scanning via API, talk to a security expert at Veracode who can give you specific advice for your situation.
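To make the “automation and control over the development pipeline” point concrete, here is an added example of the pattern a team ends up with once scanning is launched from CI rather than by hand. It is not Veracode’s code and does not call Veracode’s API: the ScanClient interface, the FakeScanClient that simulates an asynchronous scan, the severity scale and the POLICY thresholds are all hypothetical stand-ins constructed for this illustration. A real integration would back ScanClient with the vendor’s documented endpoints and keep credentials in CI secrets.

```python
"""Added example (not Veracode's code or API): a minimal CI gate that
launches a scan through a scanning service's API, polls until the scan
completes, and fails the build when the findings breach the policy.
"""
import time
from dataclasses import dataclass, field
from typing import Protocol


@dataclass
class Finding:
    cwe: str
    severity: int  # constructed scale: 1 (informational) .. 5 (very high)
    file: str


class ScanClient(Protocol):
    """Hypothetical interface; a real client wraps the vendor's endpoints."""

    def submit(self, app_name: str, artifact: bytes) -> str: ...
    def status(self, scan_id: str) -> str: ...
    def findings(self, scan_id: str) -> list[Finding]: ...


@dataclass
class FakeScanClient:
    """In-memory client simulating an asynchronous scan (constructed)."""

    canned: list[Finding]
    polls_until_done: int = 2
    _polls: dict = field(default_factory=dict)

    def submit(self, app_name: str, artifact: bytes) -> str:
        scan_id = f"scan-{app_name}-{len(artifact)}"
        self._polls[scan_id] = 0
        return scan_id

    def status(self, scan_id: str) -> str:
        self._polls[scan_id] += 1
        done = self._polls[scan_id] >= self.polls_until_done
        return "COMPLETE" if done else "RUNNING"

    def findings(self, scan_id: str) -> list[Finding]:
        return list(self.canned)


# Hypothetical policy: block anything above severity 3, and always block
# injection-class findings regardless of severity.
POLICY = {"max_severity_allowed": 3, "blocked_cwes": {"CWE-89", "CWE-78"}}


def evaluate_policy(findings: list[Finding], policy: dict = POLICY) -> list[Finding]:
    """Return the findings that violate the policy (empty list means pass)."""
    return [
        f for f in findings
        if f.severity > policy["max_severity_allowed"] or f.cwe in policy["blocked_cwes"]
    ]


def run_gate(client: ScanClient, app_name: str, artifact: bytes,
             poll_interval: float = 0.0, max_polls: int = 60):
    """Submit, poll, evaluate. Returns (exit_code, violations).

    A scan that fails or never finishes raises instead of returning 0, so a
    broken integration cannot silently pass the build.
    """
    scan_id = client.submit(app_name, artifact)
    for _ in range(max_polls):
        state = client.status(scan_id)
        if state == "COMPLETE":
            break
        if state == "FAILED":
            raise RuntimeError(f"scan {scan_id} failed")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"scan {scan_id} did not complete after {max_polls} polls")
    violations = evaluate_policy(client.findings(scan_id))
    return (0 if not violations else 1), violations


if __name__ == "__main__":
    # Constructed sample results: one acceptable XSS finding, one blocked SQLi finding.
    sample = FakeScanClient(canned=[Finding("CWE-79", 3, "views.py"),
                                    Finding("CWE-89", 4, "db.py")])
    code, bad = run_gate(sample, "payments-api", b"constructed-artifact")
    for f in bad:
        print(f"BLOCKED {f.cwe} severity={f.severity} in {f.file}")
    raise SystemExit(code)
```

The two design choices worth copying are that the gate returns a non-zero exit code (so the CI job fails) and that a scan which errors out or times out raises rather than passing; an automated scan that fails open is worse than no gate at all.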
Exploring Interactive Security Training and Its Impact
The training referenced in the second most impactful element for dropping security flaw introduction (10 trainings completed) is Security Labs. These are not your ordinary, run-of-the-mill security training courses. They are a sandbox in which developers learn about vulnerabilities and security interactively, in real time.
Developer adoption of security tools and training is a vital part of improving security posture, which can often be difficult. “Veracode helps open up the eyes of our engineers so they can see that it’s not just about writing code, it’s writing secure code,” said a member of Azalea Health’s quality assurance team.
Give our free trial of Security Labs a spin to see how we can help your development teams adopt secure coding practices (without boring them to tears).