Application Security Takes Center Stage at FS-ISAC Fall Summit

Application Security Takes Center Stage at FS-ISAC Fall Summit

No industry sector has as long of a history of dealing with security risks as financial services. Security breaches are bad for any organization, but for banks, broker-dealers, payment processors, and other financial institutions, they can be catastrophic. So it should come as no surprise that these organizations have some of the most sophisticated security and risk mitigation environments in world.

What may not be so obvious is how big a role software development plays in the financial services industry. Technology is a strategic differentiator for many financial services organizations. Doing things better and faster than the competition often requires the development of innovative, custom software solutions. To help financial services organizations
cope with the expanding cybersecurity risk landscape, the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently hosted its 2015 Fall Summit – and Black Duck was there to talk to industry experts about the current state of software security at their companies.

FS-ISACThe conversations I had at the event made it clear that application security in general, and the security of open source components in particular, are fast becoming top-of-mind concerns for financial services organizations. Most attendees I spoke with said their companies develop custom software. One even claimed that 100 out of his company's 400 employees were software developers – a ratio not too far off that of many technology companies.

Interestingly, though, while financial services organizations may be on the cutting edge of many aspects of cybersecurity, most of the people I spoke with said they have room for improvement in application security, particularly as it relates to their use of open source.

  • Most indicated that their development teams use open source in their applications. One person started out saying they don't use open source much, but upon further reflection reversed herself, saying "Actually, we use open source everywhere!"
  • All were familiar with the more publicized vulnerabilities like Heartbleed and the panic that surrounded it.
  • Many said they either didn't have a repeatable open source management process or that their processes are based on manual reviews and tracking via spreadsheets.
  • None thought they had a complete and accurate inventory of the open source in use, much less a current view of their open source vulnerability exposure.

While a number of people I spoke with indicated that their organizations use static application security testing (SAST) tools, there was a general consensus that they have a visibility and control gap when it comes to open source in their applications – one that they didn't feel they
had a good way to solve (until now at least). We're looking forward to helping them close that gap, and talking with more attendees next May at the FS-ISAC 2016 Annual Summit in Miami.

Key Risks & Challenges in Application Security 2016

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Understand What's Inside Your Containers with Black Duck OpsSight

| Nov 17, 2017

There was a lot of excitement at FLIGHT2017 as Black Duck announced the launch of its newest container security product, Black Duck OpsSight. Containers have revolutionized the way teams package and deliver software applications. But while they make life easier in a lot of ways, they also make it

| MORE >

Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

| Sep 11, 2017

As most of you are aware, last Friday news broke of a major data breach at Equifax. As one of the major credit reporting agencies, Equifax maintains a vast amount of sensitive personal and financial information for residents of the United States and the United Kingdom, and this breach is reported

| MORE >

Hub 4.1 Makes Managing Open Source Risks Easier

| Aug 21, 2017

We’ve recently updated Black Duck Hub with a number of new capabilities that make it easier for teams to discover open source in their environment, prioritize their vulnerability and compliance management activities, and determine the best upgrade path for open source components that are

| MORE >