Research: State of Application Security at World's 100 Largest Banks

BIRMINGHAM, GB - Jul 11, 2019 - Industry analysts and security practitioners unanimously concur that application security is a big deal. The application security market is predicted to exceed $7 billion USD by 2023 according to recent research by Forrester. While Gartner says that banking sector leads in global cybersecurity spending. 

ImmuniWeb’s new research guides you through application security, privacy and compliance of the world largest financial institutions from S&P Global list for 2019. 

Key Findings 

Compliance: 

• 85 e-banking web application failed GDPR compliance test 
• 49 e-banking web applications failed PCI DSS compliance test 
• 25 e-banking web applications are not protected by a Web Application Firewall 

Security Vulnerabilities: 

• 7 e-banking web applications contain known and exploitable vulnerabilities 
• The oldest unpatched vulnerability is known and publicly disclosed since 2011 
• 92% of mobile banking applications contain at least 1 medium-risk security vulnerability 
• 100% of the banks have security vulnerabilities or issues related to forgotten subdomains

Website Security 

Only 3 main websites out of 100 had the highest grades “A+” both for SSL encryption and website security: 

• www.credit-suisse.com(Switzerland) A+ 
• www.danskebank.com (Denmark) A+ 
• www.handelsbanken.se (Sweden) A+

Various non-intrusive security, privacy and compliance tests were conducted by ImmuniWeb’s Community offering freely available online to the cybersecurity community: SSL Security Test [scoring methodology and list of checks] Website Security Test [scoring methodology and list of checks] Mobile App Security Test [scoring methodology and list of checks] Phishing Test [list of checks] PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v.3.2.1) of the standard.

Ilia Kolochenko, CEO and Founder of ImmuniWeb, says: “Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security. Most of the data breaches involve or start with insecure web and mobile apps that too frequently underprioritized by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low hanging fruits for cybercriminals.”

ImmuniWeb suggests four recommendations to avoid most of the problems described above: 

1. Consider implementing Gartner’s CARTAstrategy to enhance your cybersecurity strategy. 
2. Maintain a holistic and up2date inventory of assets located in your external attack surface, identify all software and its components used there, run actionable security scoring on it to enable threat-aware and risk-based remediation. 
3. Implement continuous security monitoring of your external attack surface, test your new code before and after deployment to production, start implementing DevSecOps approach to your application security. 
4. Consider leveraging Machine Learning and AI capacities to handle time-consuming and routine processes, freeing up your security personnel for more important tasks, suggested reading: “4 Practical Questions to Ask Before Investing in AI”.