Code vulnerabilities mean banks are leaving customers open to more outages

Outages at TSB and HSBC illustrate the problem: any bank attempting to simultaneous update and preserve their current IT infrastructure,  without downtimes or service disruption, faces a monumental task.  Now, Veracode’s latest State of Software Security report (SoSS) has revealed financial services is one of the slowest industries at addressing common vulnerabilities;  in turn this is leaving banks’ customers open to more outages through code vulnerabilities.

67% of current applications used by banks are at risk from information leakage attacks, which would fall foul of EU GDPR laws.

Indeed, it suggests, that bank’s systems are stuck in the 1980s.

The report found that financial services is one of the slowest industries to address common vulnerabilities found in software. In fact, financial services companies took 29 days to address a quarter of their vulnerabilities — and over a year — 573 days — to remediate all code vulnerabilities. Moreover, a notable 67% of current applications used by banks are at risk from information leakage attacks, which would fall foul of EU GDPR laws.

Quantum Cryptography: The next-generation of secure data transmission

Quantum Computing will render much of today’s encryption unsafe, says Dr. Andrew Shields, Cambridge Research Laboratory of Toshiba Research Europe, but Quantum Cryptography could be the solution

Cyber security is still a challenge

Financial organisations tend to have the reputation of having some of the most mature overall cybersecurity practices. Then again, when you consider what banks do, having robust cybersecurity is especially important in this sector.  Yet, the industry ranked second to last in the major verticals for latest scan OWASP pass rate, and based on the flaw persistence analysis chart, it is leaving coding flaws and code vulnerabilities to linger longer than other industries.

The financial sector is prolific at testing, with almost as many apps as the technology sector. Despite this, in general, the sector is still slow in to open code vulnerabilities.

Phishing attacks — can AI help people provide a fix?

AI isn’t quite like having a cyber security expert on your shoulder, but it could be the next best thing, Paul Chapman, co-founder of Cybershield, told us.


“Since financial institutions and banks hold highly valuable information and critical assets, they will continue to be a target of cybercriminals and malicious hacking,” said Paul Farrington, director of EMEA and APJ at Veracode.

“Our data shows the financial services sector scanning a huge volume of applications and finding flaws that need fixing. While that is encouraging, the next frontier is achieving greater speed in fixing those flaws because speed matters. The speed at which organisations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The sector should consider all dimensions of risk to prioritise which flaws to fix first.”

Avatar photo

Michael Baxter

.Michael Baxter is a tech, economic and investment journalist. He has written four books, including iDisrupted and Living in the age of the jerk. He is the editor of and the host of the ESG...

Related Topics

Cyber Security