Poorly written code is leaving banks at greater risk of attack and poorly prepared for big changes in the financial sector due to come into effect early next year.
CAST, an organisation that reviews the quality of code for businesses, recently reviewed over 278 million lines of code and found that, across 1,388 applications, 1.3 million weaknesses were detected.
Financial Services organisations had the highest number of violations caused by coding mistakes and non-secure coding practices per thousand lines of code (KLOC). Telecommunications firms also fared poorly in the coding quality benchmarking exercise.
Bad coding and poor software quality have practical ramifications for the EU financial sector: by 13 January next year, member states will have to implement the revised Payment Services Directive (PSD2) into their national regulations.
“A greater density of security weaknesses presents more opportunities for malicious actors to find vulnerabilities to exploit for unauthorised entry into systems,” Dr Bill Curtis, SVP and Chief Scientist at CAST Research Labs, told El Reg.
“Ramifications are the compromise of confidential customer information, malicious damage to systems, or worse, theft from accounts,” he added.
The financial sector has a greater Common Weakness Enumeration (CWE) density than other sectors because of the need to support legacy systems, among other factors. Banks have been slower than other sectors in adopting modern coding tech, partly because of the need to support legacy apps written in Cobol but also because of complex coding environments.
Banks want to modernise and adopt more modular and compartmentalised modern code but this is far from straightforward. Just putting a Java or .Net wrapper on backend apps running on a mainframe doesn’t help.
Curtis explained: “Financial service firms have many older systems and in some cases have not spent the effort to upgrade them to modern security standards. They must dedicate effort to remediating security vulnerabilities, even as the business continues to demand more functionality and wants it prioritised over defect-fixing.”
The importance of following coding best practices is going to increase once the looming PSD2 open banking regulations come into effect.
“Allowing multiple parties access to confidential customer information and funds will require greater software security than we currently see in financial services,” Curtis explained.
“Hackers are clever and the attack surface they can exploit will be exponentially expanded across multiple parties. Financial institutions will need a certification based on code analysis that ensures the systems gaining access to their accounts are secure and have eliminated known vulnerabilities.”
Companies tend to prioritise user experience at the expense of cybersecurity.
More generally, applications developed using Microsoft’s .NET have higher CWE densities and produce some of the poorest software quality overall. Java applications released more than six times per year have the highest CWE densities.
Applications between five and 10 years old have the greatest potential for security flaws. ®