No industry sector has as long a history of dealing with security risk as financial services. Security breaches are damaging for any organization, but for banks, broker-dealers, payment processors, and other financial institutions they can be catastrophic. So it should come as no surprise that these organizations run some of the most sophisticated security and risk mitigation programs in the world.
What may be less obvious is how large a role software development plays in the financial services industry. Technology is a strategic differentiator for many financial services organizations, and doing things better and faster than the competition often requires developing innovative, custom software. To help financial services organizations cope with the expanding cybersecurity risk landscape, the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently hosted its 2015 Fall Summit – and Black Duck was there to talk to industry experts about the current state of software security at their companies.
The conversations I had at the event made it clear that application security in general, and the security of open source components in particular, are fast becoming top-of-mind concerns for financial services organizations. Most attendees I spoke with said their companies develop custom software. One even said that 100 of his company's 400 employees were software developers – a ratio not far off that of many technology companies.
Interestingly, though, while financial services organizations may be on the cutting edge of many aspects of cybersecurity, most of the people I spoke with said they have room for improvement in application security, particularly as it relates to their use of open source.
- Most indicated that their development teams use open source in their applications. One person started out saying they don't use open source much, but upon further reflection reversed herself, saying "Actually, we use open source everywhere!"
- All were familiar with the more publicized vulnerabilities like Heartbleed (CVE-2014-0160, the 2014 OpenSSL bug) and the panic that surrounded it.
- Many said either that they had no repeatable process for managing open source, or that the process they had relied on manual reviews and tracking in spreadsheets.
- None thought they had a complete and accurate inventory of the open source in use, much less a current view of their open source vulnerability exposure.
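What a repeatable inventory and exposure check looks like in practice, as an added example that is not code from the original post or from Black Duck: the script below collects components from constructed manifests of three kinds (a pip requirements file, an npm package-lock.json, and a list of natively linked libraries), builds one inventory keyed by ecosystem and name, and matches it against a small advisory table. The OpenSSL entry is Heartbleed (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the ADV-EXAMPLE-1 entry, the package examplepkg, the manifest contents and the file paths are all hypothetical.

```python
"""Build an open source component inventory from several manifests and
report known-vulnerable components. Added example; the manifests,
paths and ADV-EXAMPLE-1 are constructed, CVE-2014-0160 is real."""
import json
import re
from collections import namedtuple

Component = namedtuple("Component", "ecosystem name version source")

# Constructed sample manifests (not from the original post).
REQUIREMENTS_TXT = """\
# service/requirements.txt
requests==2.7.0
examplepkg==1.4.2   # hypothetical package
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "web-frontend",
    "dependencies": {
        "lodash": {"version": "3.10.1"},
        "examplepkg": {"version": "2.0.0"},   # same name, different ecosystem
    },
})

# Natively linked libraries of a binary, as "name version" lines (constructed).
NATIVE_LIBS = """\
openssl 1.0.1e
zlib 1.2.8
"""

# Advisory table. CVE-2014-0160 (Heartbleed) is real: OpenSSL 1.0.1 through
# 1.0.1f are affected and 1.0.1g fixed it. ADV-EXAMPLE-1 is a placeholder
# against the hypothetical 'examplepkg' that only exercises the matching.
ADVISORIES = [
    {"id": "CVE-2014-0160", "ecosystem": "native", "name": "openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"id": "ADV-EXAMPLE-1", "ecosystem": "pypi", "name": "examplepkg",
     "introduced": "1.0.0", "fixed": "1.5.0"},
]


def parse_requirements(text, source):
    """pip 'name==version' lines; comments and blank lines are skipped."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if version:
            comps.append(Component("pypi", name.strip().lower(),
                                   version.strip(), source))
    return comps


def parse_package_lock(text, source):
    """Top-level 'dependencies' of an npm package-lock.json."""
    data = json.loads(text)
    return [Component("npm", name.lower(), info["version"], source)
            for name, info in data.get("dependencies", {}).items()]


def parse_native(text, source):
    """'name version' lines for libraries a binary links against."""
    comps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            comps.append(Component("native", parts[0].lower(), parts[1], source))
    return comps


def version_key(version):
    """Sort key: numeric runs compare as ints, letter runs as strings, so
    '1.0.1' < '1.0.1e' < '1.0.1g' < '1.0.2' (OpenSSL's lettered releases).
    Pre-release tags such as '-rc1' are not handled; a real tool needs
    per-ecosystem version semantics."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(component, advisory):
    """Affected when ecosystem and name match and introduced <= v < fixed."""
    if (component.ecosystem, component.name) != (advisory["ecosystem"],
                                                 advisory["name"]):
        return False
    v = version_key(component.version)
    if v < version_key(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < version_key(fixed)


def build_inventory():
    """One inventory across all manifests; the source path is kept so a
    finding can be traced back to the application that pulls it in."""
    inv = []
    inv += parse_requirements(REQUIREMENTS_TXT, "service/requirements.txt")
    inv += parse_package_lock(PACKAGE_LOCK_JSON, "web-frontend/package-lock.json")
    inv += parse_native(NATIVE_LIBS, "service/bin/api (linked libs)")
    return inv


def exposure_report(inventory, advisories=ADVISORIES):
    """Return [(component, advisory_id)] for every affected component."""
    return [(c, a["id"]) for c in inventory for a in advisories
            if is_affected(c, a)]


if __name__ == "__main__":
    for comp, adv_id in exposure_report(build_inventory()):
        print(f"{adv_id}: {comp.ecosystem}/{comp.name} {comp.version} in {comp.source}")
```

The ecosystem is part of the match key, so the npm examplepkg that happens to share a name with the vulnerable PyPI one is not flagged; the version comparison follows OpenSSL's lettered releases but does not understand pre-release tags, which a production tool has to handle per ecosystem. Re-running this against the same manifests on each build is what turns a spreadsheet into a current view of exposure.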
A number of people I spoke with said their organizations use static application security testing (SAST) tools, but there was a general consensus that SAST leaves a visibility and control gap when it comes to the open source in their applications: SAST analyzes the code a team writes, not the known vulnerabilities in the third-party components it pulls in. Nobody felt they had a good way to close that gap (until now at least). We're looking forward to helping them close it, and to talking with more attendees next May at the FS-ISAC 2016 Annual Summit in Miami.