FIs warned of ‘bad code’ security risk


Businesses in the financial services industry face an unprecedented array of threats today.

As well as dangers that have been around for many years, such as physical attacks on ATMs and deposit fraud, banks today must protect against attacks that target their software and digital infrastructure.

This is an area where many financial institutions are leaving themselves vulnerable, research has suggested.

In its latest CRASH Report, software vendor CAST revealed that financial services is lagging behind other industries when it comes to the quality of software code.

The study was based on analysis of approximately 1.3 billion lines of code and 1,850 applications from 300 organizations in ten different sectors. Software was judged using five key ‘health factors’: robustness, security, performance efficiency, changeability and transferability.

Financial services was the worst-performing industry overall, behind other major sectors like retail, telecoms and government, which topped the list.

Analyzing the findings, Dr Bill Curtis, senior vice-president and chief scientist at CAST Research Labs, said insufficient security architecture combined with “porous code in legacy systems” can create an inviting target for cybercriminals.

“This is especially concerning in financial services applications,” he continued. “Despite the push to ‘go digital’ our CRASH Report findings indicate there is a significant amount of bad code lingering in enterprise systems. The takeaway for IT is clear: poor software quality is exposing many businesses to excessive risk.”

While there are clearly concerns that many FIs should be addressing, the study also stressed that there are various actions businesses can take to strengthen their software.

CAST recommended keeping software development teams to a maximum of 20 people. Teams of fewer than ten developers are preferable.

The report also underlined the importance of conducting regular software analysis, to ensure that any structural flaws or security risks are identified as early as possible.



Written by Jack Dougal


Jack Dougal is the resident news reporter. He writes regular blogs covering the latest stories and key developments in the global financial services industry.
