The Importance of AppSec in Digital Banking and Fintech
As digital transformation gathers pace across the global financial sector, migration to cloud-based and app-based infrastructure and products becomes ever more commonplace. We recently spoke to Jeff Williams, CTO and Co-Founder at Contrast Security to find out why organisations need to pay more attention to application security than ever before.
Hi Jeff, thanks for speaking to us. First of all, for any of our readers who have not come across Contrast Security before, could you please give us a short intro into what you do and the services you provide?
Contrast Security is the leader in next-generation application security, embedding code analysis and runtime protection directly into software. Contrast’s patented deep security instrumentation completely disrupts traditional “outside-in” application security approaches with integrated, comprehensive observability that delivers highly accurate assessment and always-on protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast DevOps-Native AppSec Platform extends security from development through production by using telemetry to identify true vulnerabilities in runtime—accelerating development cycles, improving efficiencies and cost, and enabling rapid scale while protecting applications from known and unknown threats.
Given our audience comes solely from the financial sector, it’d be good to know the types of companies you work with in the space and the sorts of the projects you’ve worked on.
Contrast Security has worked with financial services organisations of all types around the world. Our customers include 10 of the top 25 financial institutions. Customers that have told their Contrast story include one of the top 10 banks in the world, financial data analytics platform provider Envestnet | Yodlee, point-of-sale lending platform GreenSky, and a large regional U.S. credit union.
Contrast’s financial customers tend to come to us with one or more of the following use cases:
● Eliminating noise: Improving the productivity of both development and security professionals by virtually eliminating false positives and providing real-time feedback when an issue does arise.
● Unleashing DevOps: Enabling developers to do their work without security-related interruptions against aggressive deadlines by making application testing continuous and in the background.
● Scaling AppSec: Contrast is a distributed solution, and continuously monitors and protects many thousands of applications in parallel, enabling teams to accelerate development, secure open source, and prevent exploits with a single platform.
As banks and fintechs move increasingly along their digital transformation journeys, they become ever more cloud-based and app-based. What does that mean in terms of their security?
As services become more cloud-based and application-based, the complexity of the architecture increases. As they move into multiple clouds, organisations find themselves with massive variations in hardware, software, and systems—with differing integrations and interoperability. This makes it extremely difficult to manage a migration to the cloud from a logistical perspective. It also makes it difficult to ensure application security: 66% of enterprises list “understanding application dependencies” as their number one migration challenge. At the same time, the percentage of data breaches linked to software vulnerabilities more than doubled to 43%. And shifting to the cloud does not eliminate complexity: 54% of applications in the cloud today were not designed for the cloud, and 55% of organisations have applications siloed in different clouds.
Most FIs and fintechs have migrated from on-premises to cloud-based environments. Why should a review of application security need to go hand in hand with the process?
As discussed above, a migration of applications from on-premises to cloud-based services is a complex move. Software security should definitely be an integral part of strategic planning for the overall project—rather than adding it as an afterthought. Application security can be simplified dramatically when it’s built into the standard software platform, including vulnerability monitoring, open-source library analysis, attack detection, and runtime protection. The move to cloud is a unique opportunity to enhance your infrastructure and simplify application security.
Do you believe that the Covid-19 period will leave a lasting legacy in terms of the digitalisation of the banking and fintech sectors?
While the pandemic has prompted many organisations to dramatically slow overall spending and lay off employees, all indications are that COVID-19 may accelerate investment in digital transformation initiatives. A recent study by OpsRamp found that despite economic uncertainty due to COVID-19, 61% of IT and DevOps leaders expect to accelerate their digital transformation initiatives and projects—with 58% increasing spending.
As a result of this growth in applications and faster velocity per the modern software development life cycle, legacy AppSec that relies on capabilities such as line-by-line code scanning (static application security testing [SAST]) and black-box testing (dynamic application security testing [DAST]) simply cannot scale. As these AppSec models rely on signature-based engines to identify application vulnerabilities, they miss false negatives (unknown threats and zero-day attacks) that expose organisations to serious risks. They also incur large numbers of false positives that lead to alert fatigue, which when combined with pressure from C-suite leaders to place velocity and code releases over security, ratchet risks up further.
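To make the distinction drawn above concrete, here is a small added example written for this page (it is not Contrast Security's instrumentation, and the two data-access functions, the regex "signature" and the taint-tracking wrapper are all constructed stand-ins). It runs a line-by-line pattern match over application source and, separately, observes the same code at runtime with tainted input, showing how a text signature can flag the safe call and miss the real injection while a data-flow check at the sink does the opposite.

```python
"""Signature-based scanning vs runtime taint tracking (added example).

Everything here is a deliberately small, constructed illustration and is not
code from Contrast Security or any real scanner.
"""
import inspect
import re
import sqlite3


# ---- Application code under test (constructed stand-ins) -------------------
def build_query(name):
    # Vulnerable helper: the caller's input is spliced straight into SQL text.
    return "SELECT id FROM users WHERE name = '" + name + "'"


def lookup_user_vuln(conn, name):
    # The dangerous concatenation lives in build_query, not on this line.
    return conn.execute(build_query(name)).fetchall()


def lookup_user_safe(conn, name):
    # Concatenates only a constant table name and binds the user value as a
    # parameter, so no attacker data ever becomes part of the SQL text.
    table = "users"
    return conn.execute("SELECT id FROM " + table + " WHERE name = ?", (name,)).fetchall()


# ---- 1. Signature-based scan (SAST-style, constructed signature) -----------
# "Pattern": a call to .execute( whose argument list contains a '+'.
SIGNATURE = re.compile(r"\.execute\([^)]*\+")


def signature_scan(functions):
    """Return the names of the functions whose source text matches SIGNATURE."""
    return [f.__name__ for f in functions if SIGNATURE.search(inspect.getsource(f))]


# ---- 2. Runtime taint tracking (instrumentation-style, constructed) --------
class Tainted(str):
    """A str that remembers it came from an untrusted source (e.g. a request).

    Concatenation with a Tainted value yields another Tainted value, so taint
    follows the data through helpers such as build_query without any knowledge
    of the source code.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class InstrumentedConnection:
    """Wraps a sqlite3 connection; the execute() sink checks for tainted SQL."""

    def __init__(self, conn):
        self._conn = conn
        self.findings = []

    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            self.findings.append(("untrusted data reached SQL text", str(sql)))
        return self._conn.execute(sql, params)


def runtime_demo():
    """Run both lookups against an in-memory DB with an injection payload.

    Returns (rows from vulnerable lookup, rows from safe lookup, findings).
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn = InstrumentedConnection(db)

    # Constructed attacker input, as it might arrive in an HTTP parameter.
    payload = Tainted("' OR '1'='1")
    rows_vuln = lookup_user_vuln(conn, payload)  # query becomes ... name = '' OR '1'='1'
    rows_safe = lookup_user_safe(conn, payload)  # bound parameter, matches nothing
    return len(rows_vuln), len(rows_safe), len(conn.findings)


if __name__ == "__main__":
    print("signature scan flagged:", signature_scan([build_query, lookup_user_vuln, lookup_user_safe]))
    print("runtime (vuln rows, safe rows, findings):", runtime_demo())
```

The signature flags `lookup_user_safe` (a false positive: the `+` only joins constants) and says nothing about `lookup_user_vuln` (a false negative: the concatenation is one call away). The instrumented sink reports exactly one finding, on the vulnerable path, because it inspects the query that actually arrives rather than the text that produced it; a real taint engine must also propagate through formatting, slicing and framework APIs, which this toy omits.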
Clearly a data breach for a financial institution could result in significant financial and reputational damage – aside from countering this, what are the other tangible benefits of working with an application security provider like Contrast Security?
Contrast Security is devoted to keeping the world’s applications safe, exemplified by the Contrast Community Edition, the only DevOps-native AppSec platform that can be accessed for free. It enables organisations to move beyond traditional point-in-time, signature-based security approaches—without the requirement of an initial investment. The Contrast team also provides extensive resources to help developers, security professionals, and C-suite leaders come to a deeper understanding of AppSec.
Jeff Williams will present “Thousands of Apps vs. Thousands of Attacks – How to Secure Code at Enterprise Scale” at 4.15pm BST on Wednesday 15th July during FinTech Connect’s online digital transformation event, DX Connect.