With most attacks on financial services institutions executed at the application layer at a time when customers demand more digital services, and customer-facing applications are developed in-house, application security is mission critical.
When multiple serious vulnerabilities are present in an application, cyber criminals have many opportunities to mount a successful attack. According to Contrast Security‘s 2021 State of Application Security in Financial Services Report, almost all respondents (98%) admit that they have experienced at least three successful application exploits in the past year that have caused an operational disruption and/or a data breach.
Astoundingly, more than half of organizations (52%) saw 10 or more successful attacks over 12 months. As a result, 99% of respondents in organizations with more than 15,000 employees peg the cost of each attack at $1 million or above.
The high rate of false positives combined with the lack of actionable information in scan reports creates a major time sink for both development and security teams. More than eight in 10 respondents (81%) say that their application security teams spend three or more hours per false positive to identify it as such.
So when a legitimate vulnerability is identified, 72% of respondents said their organization’s application security team spends six or more hours to triage, diagnose, and prioritize remediation for the development team.
The baton then is passed to developers, who spend 10 or more hours per vulnerability to perform remediation and verification, according to 69% of respondents. With a scan report potentially containing hundreds of alerts, with a majority being false positives, these staff hours add up quickly for both the development and the security teams.
Given application security is an increasing concern for enterprises, 75% of respondents report that their application security budget is increasing in 2021, and 24% say that increase is more than 15%. Despite this emphasis on application security, only 40% of organizations place direct responsibility for application security under the CISO.
So while budgets are increasing at many organizations, some may not have a solid strategy in place to use those funds wisely. A crucial starting point will be to ensure security keeps up with the pace of development.