State of Application Security at S&P Global World’s 100 Largest Banks
July 2019 by ImmuniWeb
Industry analysts and security practitioners unanimously concur that application security is a big deal. The application security market is predicted to exceed $7 billion USD by 2023 according to recent research by Forrester, while Gartner reports that the banking sector leads in global cybersecurity spending.
ImmuniWeb’s new research guides you through the application security, privacy and compliance posture of the world’s largest financial institutions on the S&P Global list for 2019.
• 85 e-banking web applications failed the GDPR compliance test
• 49 e-banking web applications failed the PCI DSS compliance test
• 25 e-banking web applications are not protected by a Web Application Firewall
• 7 e-banking web applications contain known and exploitable vulnerabilities
• The oldest unpatched vulnerability has been known and publicly disclosed since 2011
• 92% of mobile banking applications contain at least 1 medium-risk security vulnerability
• 100% of the banks have security vulnerabilities or issues related to forgotten subdomains
Only 3 of the 100 main websites received the highest grade, “A+”, for both SSL encryption and website security:
• www.credit-suisse.com (Switzerland) A+
• www.danskebank.com (Denmark) A+
• www.handelsbanken.se (Sweden) A+
Various non-intrusive security, privacy and compliance tests were conducted with ImmuniWeb’s Community offering, which is freely available online to the cybersecurity community:
• SSL Security Test [scoring methodology and list of checks]
• Website Security Test [scoring methodology and list of checks]
• Mobile App Security Test [scoring methodology and list of checks]
• Phishing Test [list of checks]
PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v3.2.1) of the standard.
ImmuniWeb offers four recommendations for avoiding most of the problems described above:
1. Consider implementing Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) strategy to enhance your cybersecurity posture.
2. Maintain a holistic, up-to-date inventory of the assets in your external attack surface; identify all software and components used there, and run actionable security scoring on them to enable threat-aware, risk-based remediation.
3. Implement continuous security monitoring of your external attack surface, test new code both before and after deployment to production, and start adopting a DevSecOps approach to your application security.
4. Consider leveraging Machine Learning and AI capabilities to handle time-consuming, routine processes, freeing up your security personnel for more important tasks. Suggested reading: “4 Practical Questions to Ask Before Investing in AI”.
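To make recommendations 2 and 3 concrete, here is an added Python example (not ImmuniWeb’s code and not part of the original report) of the kind of inventory check a bank’s security team could run over its own external attack surface. It walks a constructed inventory of hosts and flags the issue classes the report counts: subdomains with no owner or no recent review (the “forgotten subdomains” finding), legacy TLS versions still offered (a PCI DSS Requirement 4.1 concern), public web applications with no Web Application Firewall (Requirement 6.6), and components whose vulnerability has been public for years (Requirement 6.2). It then orders everything for risk-based remediation and produces per-class host counts in the style of the report’s headline figures. All hostnames, components, dates and the “public since” years are constructed sample data, and the scoring weights are an assumption of this example, not a published methodology.

```python
"""Added example (not ImmuniWeb's code): a minimal external attack-surface
inventory check that flags the issue classes the report counts and orders
them for risk-based remediation. All hosts, components and dates below are
constructed sample data; the scoring weights are an assumption of this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical base weights per finding class (not a published scoring methodology).
WEIGHTS = {
    "stale_component": 5,      # known, publicly disclosed vulnerability left unpatched (PCI DSS 6.2)
    "legacy_tls": 4,           # SSLv3 / TLS 1.0 / TLS 1.1 still offered (PCI DSS 4.1)
    "no_waf": 4,               # public web app with no WAF in front of it (PCI DSS 6.6)
    "forgotten_subdomain": 3,  # no owner, or not reviewed for over a year
}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
REVIEW_STALE_DAYS = 365

# Constructed vulnerability knowledge: (component, version) -> year the issue was publicly disclosed.
KNOWN_VULNS: Dict[Tuple[str, str], int] = {("legacy-lib", "2.1"): 2011}
TODAY = date(2019, 7, 1)  # fixed "now" so results are reproducible


@dataclass
class Asset:
    hostname: str
    owner: Optional[str]
    last_reviewed: Optional[date]
    tls_protocols: List[str]
    components: List[Tuple[str, str]]  # (name, version)
    behind_waf: bool
    handles_payments: bool  # cardholder-data scope raises the TLS risk score


@dataclass
class Finding:
    hostname: str
    kind: str
    detail: str
    score: int


def check_asset(asset: Asset, known_vulns: Dict[Tuple[str, str], int], today: date) -> List[Finding]:
    """Return the findings for one inventory record."""
    findings: List[Finding] = []

    # Forgotten subdomain: nobody owns it, or nobody has looked at it for a year.
    stale_review = asset.last_reviewed is None or (today - asset.last_reviewed).days > REVIEW_STALE_DAYS
    if asset.owner is None or stale_review:
        findings.append(Finding(asset.hostname, "forgotten_subdomain",
                                f"owner={asset.owner!r}, last_reviewed={asset.last_reviewed}",
                                WEIGHTS["forgotten_subdomain"]))

    # Legacy protocol versions still negotiable; weighted up for payment-handling hosts.
    legacy = sorted(set(asset.tls_protocols) & LEGACY_PROTOCOLS)
    if legacy:
        score = WEIGHTS["legacy_tls"] + (2 if asset.handles_payments else 0)
        findings.append(Finding(asset.hostname, "legacy_tls", "offers " + ", ".join(legacy), score))

    if not asset.behind_waf:
        findings.append(Finding(asset.hostname, "no_waf", "no web application firewall", WEIGHTS["no_waf"]))

    # Components with a known, publicly disclosed vulnerability; older disclosures score higher (capped).
    for name, version in asset.components:
        year = known_vulns.get((name, version))
        if year is not None:
            years_public = today.year - year
            findings.append(Finding(asset.hostname, "stale_component",
                                    f"{name} {version}: vulnerability public since {year}",
                                    WEIGHTS["stale_component"] + min(years_public, 5)))
    return findings


def remediation_plan(assets: List[Asset], known_vulns: Dict[Tuple[str, str], int], today: date) -> List[Finding]:
    """All findings across the inventory, highest risk first (ties broken by host, then kind)."""
    findings = [f for a in assets for f in check_asset(a, known_vulns, today)]
    findings.sort(key=lambda f: (-f.score, f.hostname, f.kind))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Distinct hosts affected per finding class, in the style of the report's headline counts."""
    hosts: Dict[str, set] = {}
    for f in findings:
        hosts.setdefault(f.kind, set()).add(f.hostname)
    return {kind: len(h) for kind, h in sorted(hosts.items())}


# Constructed inventory of three hosts under the reserved .test domain.
SAMPLE_ASSETS = [
    Asset("www.example-bank.test", "web-team", date(2019, 6, 1), ["TLSv1.2", "TLSv1.3"],
          [("examplecms", "3.0")], behind_waf=True, handles_payments=True),
    Asset("ebank.example-bank.test", "payments", date(2019, 5, 15), ["TLSv1.0", "TLSv1.2"],
          [("legacy-lib", "2.1")], behind_waf=False, handles_payments=True),
    Asset("old-promo.example-bank.test", None, date(2016, 3, 1), ["TLSv1.2"],
          [], behind_waf=False, handles_payments=False),
]

if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_ASSETS, KNOWN_VULNS, TODAY)
    for f in plan:
        print(f"{f.score:>2}  {f.kind:<20} {f.hostname:<30} {f.detail}")
    print(summarize(plan))
```

The ordering is the point of recommendation 2: the eight-year-old unpatched component on the payment host lands at the top of the list, ahead of the forgotten promotional subdomain, so remediation effort follows risk rather than discovery order. Feeding the same check from a scheduled DNS and TLS scan, rather than from a hand-written list, is the step towards the continuous monitoring recommendation 3 calls for.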