Open banking is proving to be more than just a flash-in-the-pan for financial institutions hoping to be more tech-savvy and widen their appeal to digital customers. But this approach to financial services, which embraces the use of applications, needs to be secured as well as more traditional services.
At its heart, open banking — the use of open application protocol interfaces (APIs) in financial services — presents a huge opportunity for banks, credit unions and all other financial firms interested in emulating the more accessible services of other technology offerings. It provides myriad opportunities for financial firms and their customers to work with third parties, sharing financial information more easily.
However, open applications can also provide a new attack vector for cyber criminals. Hence, financial institutions are trying to plan their approach to open banking with IT security in mind.
Even though financial institutions tend to outperform other industries in terms of protecting their applications, “their numbers don’t tell a great story,” according to Zach Jones, senior director of detection research for NTT Application Security. Running red teams for NTT, Jones and his teammates are trying to discover application vulnerabilities before the bad guys.
“The name of the game in the financial industry is risk management,” he said.
As it moves increasingly into open banking, financial firms have been “allocating more resources for application security,” Jones said, adding that this is “not something every industry does.” However, even more advanced security programs at large financial institutions tend to “have the breadth, but not the depth” of security coverage they need here.
“The tight alignment of appsec is not worked into the [financial firms’] processes,” he said. “There has to be a sober analysis of where dollars are spent here.”
Citing Gartner research, Jones said there is often a basic “misalignment” between the focus financial firms are taking and where security resources are allocated, especially in comparison to network and endpoint security.
While financial firms and other companies have typically been able to determine the return on investment for these better-established forms of IT security, many financial enterprises may still struggle with application security.
“The world has to figure out how to value it,” Jones said.
According to recent research from NTT Application Security last year, half (50%) of all the sites the company tested had at least one serious vulnerability, with 27% being vulnerable for fewer than 30 days. More concerning is the rate of remediating critical vulnerabilities in applications, which dropped from 54% to 47% during the past year.
“Marred by the Colonial Pipeline attack and the ongoing Log4j fallout, the events of 2021 brought application security to the forefront of the wider media and public conversation,” Craig Hinkley, chief executive officer at NTT Application Security, said in a prepared release. “Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a tradeoff with — rather than an addition to — existing remediation efforts.”
