Poor coding is leaving banks at risk of cyber attacks
Financial services are most guilty of creating software vulnerabilities, say researchers


Banks and financial services companies are leaving themselves at risk of being hacked thanks to poorly-written code, according to new research.
Software analysis firm CAST reviewed 278 million lines of code from more than 1,380 applications developer using Java EE and .NET, and discovered more than 1.3 million vulnerabilities caused by errors and sloppy code hygiene.
Financial services companies, IT consultants and telcos were found to be most guilty of this, with the highest number of common weakness enumerations (CWEs) per thousand lines of code.
"We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk," said CAST's senior vice president and chief scientist Bill Curtis. "Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business."
Interestingly, the report found that outsourcing had little measurable impact on code quality, with significant differences in the CWE rate of apps developed in-house compared to those outsourced to other firms.
Similarly, there were little statistical differences between onshore and offshore-developed apps. Application size also did not appear to affect the amount of weaknesses present. The biggest indicator of risk appeared to be age, with applications between five and 10 years old presenting the greatest potential for flaws.
The report also had harsh words about Microsoft's .NET programming language, warning that .NET applications had more vulnerabilities on average than Java apps, though it didn't provide numbers. Microsoft's .NET apps developed with the waterfall software evelopment method had the worst scores overall.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
However, CAST cautioned that continuous deployment can prove risky, too. Java apps with six or more annual releases had the largest number of CWE vulnerabilities, which could prove a problem for companies that have adopted an agile, DevOps-centric development model.
Picture: Bigstock
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.
-
LaunchDarkly to "double down" on observability with Highlight acquisition
News Highlight's observability tools will be integrated into LaunchDarkly's Guarded Releases software deployment service
By Daniel Todd
-
Samsung Galaxy Tab S10 FE review
Reviews The Tab S10 FE retains the feel and core capabilities of Samsung's high-end S10 tablets, but compromises on the display and the performance
By Stuart Andrews
-
Walking the line: GitOps and Shift Left security
Whitepaper Scalable, developer-centric supply chain security solutions
By ITPro
-
Thwart cyberthreats fast with security operations + AI Ops
Whitepaper How automated collaboration saves the day
By ITPro
-
Three steps to transforming security operations
Whitepaper How to be more agile, effective, collaborative, and scalable
By ITPro
-
“Full speed ahead” mentality in cloud native space causing security headaches
News Red Hat says the rapid development of cloud native technologies means that security issues could go unnoticed
By Ross Kelly
-
IBM LinuxONE for dummies
Whitepaper Secure your data, build an open hybrid cloud environment, and realise the cost benefits of consolidation
By ITPro
-
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper Security at the forefront
By ITPro
-
70% of IT workers skip key security steps due to work pressures
News Report finds that a fifth of DevOps and security professionals have considered quitting their jobs due to stress
By Danny Bradbury
-
GitLab patches API flaw that exposed private group data
News GitLab private projects that were formerly public could have been accessed through search APIs
By Sabina Weston