DevSecOps, shorthand for an integrated focus on development, security and operations throughout the IT lifecycle, is picking up steam among U.S. financial institutions, which see this as a way to offer a more holistic approach to security.
As financial applications become more popular with bankers and their customers, there’s a growing drive to up the ante on application security. Indeed, 9 out of 10 breaches begin due to defects in code, according to Brittany Greenfield, founder and CEO of Wabbi, an application security company.
“Code is code,” Greenfield said, “whether it's DeFi [decentralized finance] or a Java application.”
As banks and other financial institutions have been moving from physical delivery to the phone and the internet, so too have cybercriminals, following the customers, aiming their attacks where the money is. The ongoing pandemic has exacerbated this trend. Before the COVID-19 pandemic began, more than half of bank customers (52%) utilized branches.
Over the past two years, with pandemic mandates keeping people home, the use of financial applications has grown by 49%. For the customers arguably most reliant on physical channels — senior citizens — more than three-fourths of them (77%) began using digital channels for financial transactions or to pay a bill.
“The financial services industry is changing from traditional branch-based businesses to technology-driven operations,” said Christopher R. Wilder, research director and senior analyst for TAG Cyber Research. “Financial services organizations must continually innovate to stay ahead of the competition, especially from more agile [financial technology] companies born in the cloud.”
“DevSecOps has evolved as an imperative for effective DevOps teams to remain efficient and competitive for today's financial services enterprises,” Wilder added.
According to Greenfield, attacking financial applications is one of the “fastest growing areas of cybercrime because the criminals know [financial institutions] do not have good application security.”
“Security governance is not about creating a single point of control,” Greenfield said, “which really just creates a single point of failure as we saw here since the audited code was not the same as the production code.”
Especially with decentralized finance [DeFi] teams, which are not only distributed, as is becoming more commonplace, but also not part of a formal enterprise with more guardrails, “it is especially critical to implement checks and balances for them to make educated decisions,” she said.
“This is not in contradiction to the decentralized ethos but instead a core tenet of it,” Greenfield said, “empowering their developers to make the best solution and security is part of that.”
Traditionally, there has been a gap between the DevOps goals and the DevSecOps mission, according to Wilder.
“DevOps teams will compromise speed for security, while SecOps teams tend to be overly cautious and deliberate,” he said.
“Forward-thinking financial institutions are evolving and integrating DevOps tools that bridge the gap between the two entities to deliver more flexible, robust, and faster solutions without compromising compliance or security.”