
Poor coding is leaving banks at risk of cyber attacks

Financial services are most guilty of creating software vulnerabilities, say researchers


Banks and financial services companies are leaving themselves at risk of being hacked thanks to poorly-written code, according to new research.

Software analysis firm CAST reviewed 278 million lines of code from more than 1,380 applications developed using Java EE and .NET, and discovered more than 1.3 million vulnerabilities caused by errors and sloppy code hygiene.

Financial services companies, IT consultants and telcos were found to be most guilty of this, with the highest number of common weakness enumerations (CWEs) per thousand lines of code.

"We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk," said CAST's senior vice president and chief scientist Bill Curtis. "Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business."

Interestingly, the report found that outsourcing had little measurable impact on code quality, with no significant differences in the CWE rate of apps developed in-house compared to those outsourced to other firms.

Similarly, there was little statistical difference between onshore and offshore-developed apps. Application size also did not appear to affect the number of weaknesses present. The biggest indicator of risk appeared to be age, with applications between five and 10 years old presenting the greatest potential for flaws.

The report also had harsh words about Microsoft's .NET programming language, warning that .NET applications had more vulnerabilities on average than Java apps, though it didn't provide numbers. Microsoft's .NET apps developed with the waterfall software development method had the worst scores overall.

However, CAST cautioned that continuous deployment can prove risky, too. Java apps with six or more annual releases had the largest number of CWE vulnerabilities, which could prove a problem for companies that have adopted an agile, DevOps-centric development model.
