Application Security Takes Center Stage at FS-ISAC Fall Summit

No industry sector has as long a history of dealing with security risks as financial services. Security breaches are bad for any organization, but for banks, broker-dealers, payment processors, and other financial institutions, they can be catastrophic. So it should come as no surprise that these organizations have some of the most sophisticated security and risk mitigation environments in the world.

What may not be so obvious is how big a role software development plays in the financial services industry. Technology is a strategic differentiator for many financial services organizations. Doing things better and faster than the competition often requires the development of innovative, custom software solutions. To help financial services organizations cope with the expanding cybersecurity risk landscape, the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently hosted its 2015 Fall Summit, and Black Duck was there to talk to industry experts about the current state of software security at their companies.

The conversations I had at the event made it clear that application security in general, and the security of open source components in particular, are fast becoming top-of-mind concerns for financial services organizations. Most attendees I spoke with said their companies develop custom software. One even claimed that 100 out of his company's 400 employees were software developers, a ratio not too far off that of many technology companies.

Interestingly, though, while financial services organizations may be on the cutting edge of many aspects of cybersecurity, most of the people I spoke with said they have room for improvement in application security, particularly as it relates to their use of open source.

  • Most indicated that their development teams use open source in their applications. One person started out saying they don't use open source much, but upon further reflection reversed herself, saying "Actually, we use open source everywhere!"
  • All were familiar with the more publicized vulnerabilities like Heartbleed and the panic that surrounded it.
  • Many said they either didn't have a repeatable open source management process or that their processes are based on manual reviews and tracking via spreadsheets.
  • None thought they had a complete and accurate inventory of the open source in use, much less a current view of their open source vulnerability exposure.

While a number of people I spoke with indicated that their organizations use static application security testing (SAST) tools, there was a general consensus that they have a visibility and control gap when it comes to open source in their applications, one that they didn't feel they had a good way to solve (until now at least). We're looking forward to helping them close that gap, and talking with more attendees next May at the FS-ISAC 2016 Annual Summit in Miami.
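To make the gap concrete: SAST inspects the code a team writes, but the open source inventory and exposure questions above are answered by a different step, matching each third-party component and its exact version against known-vulnerable version ranges. The following is an added example written for this page, not Black Duck product code and not code from any attendee's organization. It builds an inventory from a constructed requirements-style manifest (the component list and versions are sample data) and checks it against two advisories: the real Heartbleed entry (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and a constructed placeholder advisory for a fictional component, labelled as such. The version comparison, the manifest format and the `Advisory` structure are this example's own simplifications.

```python
"""Minimal open source inventory and vulnerability exposure check (illustrative)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed manifest in requirements-style "name==version" lines. The
# components and versions are sample data for this example, not a real application.
SAMPLE_MANIFEST = """
# pinned third-party components of a hypothetical trading-desk service
openssl==1.0.1f
acme-parser==2.3.0
requests==2.8.1
# unpinned entry: the inventory cannot say which version is actually deployed
pyyaml
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)
    ident: str


ADVISORIES: List[Advisory] = [
    # Heartbleed: OpenSSL 1.0.1 through 1.0.1f are affected, 1.0.1g is the fix.
    Advisory("openssl", "1.0.1", "1.0.1g", "CVE-2014-0160"),
    # Constructed placeholder for a fictional component; not a real CVE.
    Advisory("acme-parser", "2.0.0", "2.3.1", "EXAMPLE-2015-0001"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so versions compare in release order.

    OpenSSL's letter suffix sorts after the bare release: '' < 'a' < ... < 'f' < 'g'.
    Trailing zero components are dropped so that 1.0 and 1.0.0 compare equal.
    """
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers, suffix = match.groups()
    parts = [int(p) for p in numbers.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return (tuple(parts), suffix)


def is_affected(advisory: Advisory, version: str) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = version_key(version)
    return version_key(advisory.affected_from) <= v < version_key(advisory.fixed_in)


def parse_manifest(text: str) -> List[Tuple[str, Optional[str]]]:
    """Build the inventory: (component, pinned version or None) per manifest line."""
    inventory = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        inventory.append((name.strip().lower(), version.strip() if sep else None))
    return inventory


def check_exposure(manifest_text: str, advisories: List[Advisory] = ADVISORIES) -> Dict:
    """Return the inventory, the components matching an advisory, and the
    unpinned components whose exposure cannot be determined at all."""
    inventory = parse_manifest(manifest_text)
    exposed, unpinned = [], []
    for name, version in inventory:
        if version is None:
            unpinned.append(name)
            continue
        for adv in advisories:
            if adv.component == name and is_affected(adv, version):
                exposed.append((name, version, adv.ident))
    return {"inventory": inventory, "exposed": exposed, "unpinned": unpinned}


if __name__ == "__main__":
    report = check_exposure(SAMPLE_MANIFEST)
    print(f"{len(report['inventory'])} components inventoried")
    for name, version, ident in report["exposed"]:
        print(f"EXPOSED  {name} {version}  ({ident})")
    for name in report["unpinned"]:
        print(f"UNKNOWN  {name}  (no version pinned; exposure cannot be determined)")
```

Two points the example makes that a spreadsheet of component names does not: the exposure decision depends on the exact version (1.0.1f is exposed to Heartbleed, 1.0.1g is not), and an entry with no pinned version is a gap in the inventory rather than a clean result. A real manifest would also need transitive dependencies, which this example does not resolve.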
