Banks, insurance companies and financial services firms such as payment processors are ahead of other industries when it comes to application security, but when business criticality is factored into the equation, they falter along with the rest, according to a new study released Wednesday by Burlington, Mass.-based Veracode Inc.
The study looked at 2,922 applications from multiple vertical industries analyzed by Veracode's cloud-based application security service over the last 18 months.
However, when business criticality was taken into account, 56% of all finance-related applications -- from banks, insurance firms, payment processors, brokerages and others -- were found to have unacceptable security when first submitted to the company's testing service.
"Despite the fact that financial services firms have been on the leading edge of the threat for some time, the applications still haven't met the passing grade," said Veracode CEO Matt Moynahan.
Payment processors and brokerages, though, fared better than banks and insurance companies when it came to eradicating the top flaw Moynahan said Veracode finds in applications -- cross-site scripting. For banking and insurance firms, cross-site scripting accounted for more than 70% of all vulnerabilities compared to 33% for the other financial services firms.
The problems plaguing financial applications are the same types found in other industries' software, such as SQL injection, Moynahan said. However, in financial services, there is increased concern about backdoors inserted into applications by disgruntled employees fired during the recession, he said.
Overall, the Veracode application security test found that 57% of applications had deficient security. Third-party applications proved to be less secure than software developed internally, with 81% of them failing. Cloud and Web applications made up almost 60% of all third-party assessments.
"More and more, CIOs are forcing third-party suppliers, whether open source teams or COTS suppliers, through a code-level audit to make sure they've met minimum levels of security quality," Moynahan said. "For the first time, we saw a massive uptick in third-party audits on cloud application service providers."
Financial firms were the top vertical requesting assessment of third-party applications, he said.
Across all industries, companies are recognizing the need for software security, Moynahan said. "CIOs are starting to connect the dots between the threat and the attack vector."