According to our most recent State of Software Security Report, the financial services industry has fewer security flaws in its applications than last year. Great news, right?
That said, the reduction in security flaws isn’t as significant as we would hope to see. The financial services industry has traditionally been recognized for having the least amount of security flaws. This year, however, the manufacturing industry has dethroned financial services with an average of 72 percent of applications containing a security flaw.
Financial services organizations also have more high-severity flaws, 18 percent, and a slower fix rate, 22 percent, than most industries.
But take a look at the time it takes the financial services industry to remediate flaws found by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). When security flaws are found, financial organizations move faster than most to make sure they’re remediated. In fact, when it comes to fixing security flaws discovered by SCA, after the first year, the financial services industry addresses vulnerable libraries about a month faster than the cross-industry average.
There are several reasons that the financial services industry might prioritize open-source flaws. Industry regulations like the General Data Protection Regulation (GDPR) and the New York State Department of Financial Services (NYSDFS) mandate security controls on open-source usage. It could also be the result of security requirements put into place by The White House Executive Order on Improving the Nation’s Cybersecurity. Regardless, the financial services industry should keep up their diligent work with flaw remediation and work to improve the number of flaws introduced into its codebase.
To learn more about the State of Software Security Report and how financial services organizations stack up against other industries, please check out our infosheet, State of Software Security Report: Financial Services. You can also check out a video of the findings here.