Poor coding is leaving banks at risk of cyber attacks

Financial services are most guilty of creating software vulnerabilities, say researchers

developer at work

Banks and financial services companies are leaving themselves at risk of being hacked thanks to poorly-written code, according to new research.

Software analysis firm CAST reviewed 278 million lines of code from more than 1,380 applications developer using Java EE and .NET, and discovered more than 1.3 million vulnerabilities caused by errors and sloppy code hygiene.

Advertisement - Article continues below

Financial services companies, IT consultants and telcos were found to be most guilty of this, with the highest number of common weakness enumerations (CWEs) per thousand lines of code.

"We found that overall, organisations are taking application security quite seriously. However, there are clear outliers to this broad finding that put companies and their customers at significant risk," said CAST's senior vice president and chief scientist Bill Curtis. "Without a clear understanding of existing application security vulnerabilities, organisations are not addressing some of the biggest software risks that pose a threat to their business."

Interestingly, the report found that outsourcing had little measurable impact on code quality, with significant differences in the CWE rate of apps developed in-house compared to those outsourced to other firms.

Similarly, there were little statistical differences between onshore and offshore-developed apps. Application size also did not appear to affect the amount of weaknesses present. The biggest indicator of risk appeared to be age, with applications between five and 10 years old presenting the greatest potential for flaws.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The report also had harsh words about Microsoft's .NET programming language, warning that .NET applications had more vulnerabilities on average than Java apps, though it didn't provide numbers. Microsoft's .NET apps developed with the waterfall software evelopment method had the worst scores overall.

However, CAST cautioned that continuous deployment can prove risky, too. Java apps with six or more annual releases had the largest number of CWE vulnerabilities, which could prove a problem for companies that have adopted an agile, DevOps-centric development model.

Picture: Bigstock

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/server-storage/servers/356083/the-best-server-solution-for-your-smb
Sponsored

The best server solution for your SMB

26 Jun 2020