
Global banks fail to keep up with application security

15 Jul 2019

Many of the world’s largest banks are the cybersecurity equivalent of Swiss cheese, and many would fail GDPR compliance tests – an oversight that puts banks and their customers at risk.

A recent ImmuniWeb study on 100 banks across the world – including 36 in Asia and five in Australia – found that the organisations show an alarming lack of security across their banking applications.

In one case, the study found a bank with an unpatched vulnerability that has existed since at least 2011 – suggesting that banks need to do more to ensure their systems are safe.

The study analysed three different aspects of bank security: compliance, security vulnerabilities, and website security.

Compliance:

•    85 e-banking web applications failed a GDPR compliance test
•    49 e-banking web applications failed a PCI DSS compliance test
•    25 e-banking web applications are not protected by a web application firewall

Security vulnerabilities:

•    Seven e-banking web applications contain known and exploitable vulnerabilities
•    The oldest unpatched vulnerability has been known and publicly disclosed since 2011
•    92% of mobile banking applications contain at least one medium-risk security vulnerability
•    100% of all banks have security vulnerabilities or issues related to forgotten subdomains

Website security:

Only three main websites out of 100 had the highest grade, “A+”, both for SSL encryption and website security: Credit Suisse (Switzerland), Danske Bank (Denmark), and Handelsbanken (Sweden).

“Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” comments ImmuniWeb CEO and founder Ilia Kolochenko.

“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently underprioritised by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruit for cybercriminals.”

ImmuniWeb says that banks should:

1. Consider implementing Gartner’s CARTA strategy to enhance their cybersecurity strategy.

2. Maintain a holistic and up-to-date inventory of assets located on the external attack surface, identify all software and software components in use, and run actionable security scoring on them to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of the external attack surface, test new code before and after deployment to production, and start implementing a DevSecOps approach to application security.

4. Consider leveraging machine learning and AI capacities to handle time-consuming and routine processes, freeing up security personnel for more important tasks.
