Today, more than 300,000 websites are attacked daily, and more than half of the attackers are looking for illicit financial gain. Quite clearly, Banking, Financial Services, and Insurance (collectively known as BFSI) are obvious targets for exploitation around the world.

Although we have already discussed the risks involved in online payment security in one of our previous blog posts, an increase in Layer 7 attacks over the last year has led our researchers to look into the common application security challenges and the future of the BFSI sector.

Secure Banking Website Challenges

a) Regulatory Compliance

When it comes to handling card payments, every website in every sector is governed by a strict standard comprising laws and regulations, known as the Payment Card Industry Data Security Standard (PCI DSS). It is the most trusted information security standard in the world and requires annual validation of the website's security controls across its different layers.

Similarly, the Reserve Bank of India (RBI) is closely involved in information security, electronic banking, technology risk management, and cyber fraud. In fact, RBI guidelines emphasize the importance of risk assessment and audits, and their guidance on application controls and security further clarifies how applications should be designed, developed, audited, and monitored. IRDA and SEBI have similarly strong expectations of how insurance and broking websites handle security.

Now, along with maintaining a high level of user experience and offering a wide array of services, BFSI organizations find it difficult to maintain a compliance structure and adhere to these guidelines as they change frequently.

b) Security Prioritization

The online business domain, including the BFSI sector, is flooded with competition, which often leads to frequent application changes for better services, scalability, and conversions. And to be honest, security isn't exactly top of mind for the management and developers of these websites. They are rather keen to offer more creative application features that better meet business requirements.

Additionally, developers are under pressure to meet regular application project deadlines rather than researching and understanding application vulnerabilities beyond what compliance requires. Under such circumstances, application security lags behind, increasing the chance that vulnerabilities in the code are exploited.

c) Security Staff Management

Hiring, managing, and retaining cyber security people, especially application security personnel, is far from easy. It requires a different mindset, an allocation of resources, and several other efforts that might prove to be a distraction from regular business activities.

It is also inappropriate to hand over the entire website security portfolio to third-party service providers.

Who is to make sure that they will not misuse the information provided to them? Who is to blame if their security mechanisms suddenly go down?

d) User Experience Optimization

Imagine a payment platform that doesn't ask for the card or CVV number every time someone makes a transaction. It stores the data, and even online transaction passwords, making the process 10 times faster. Users will definitely love it, but it will also be a security nightmare. That is how security and UX can be inversely proportional. Although in real-life scenarios the contrast is not that stark, application developers still have to strike a balance.

Where management and conversion experts push applications towards simplicity and ease of use, developers struggle to maintain the highest levels of security alongside the user experience and conversion changes. Having said that, conversions and simplicity aren't evil; it's just a matter of having technology that can back them up with user behavior baseline policies.

e) Low App Security Budgets

Chief Information Security Officers (CISOs) in the BFSI domain have limited resources to work with. They have to use the allocated budget to secure multiple layers of the Open Systems Interconnection (OSI) model, and often it is not enough to test for application vulnerabilities and develop patches for them. In fact, according to a study from the Ponemon Institute, only 18% of the security budget is allocated to application security, while Gartner says that 75% of attacks happen at the application layer.

Given that Layer 7 is vulnerable to code injection, session hijacking, authentication cracking, and the other attack classes catalogued by OWASP, there is little that security professionals can do about it with low budgets. Over time, this sector has repeatedly called for options that can identify and shield vulnerabilities in real time, before the CISO can approve a budget for the application patch.

BFSI Future

Banking, Financial Services, and Insurance, as an industry, has huge potential for growth in the coming years. In fact, in 2013 alone, there were 800 million electronic transactions in India, amounting to a mammoth 85,800 crores according to the Money Control portal. If you look at it, people are only going to transact online if they believe that their identity and money are safe in the banking and financial institution channels. Therefore, ensuring security becomes even more of a responsibility as applications are set to become more complex and to be attacked more often in state-funded cyber warfare.

  • BFSI will be the prime target for financial gains.
  • Web applications will get more complex, with frequent updates.
  • Public sector institutions will be attacked by state-funded cyber black ops.

We believe that in the coming years, there will be a much greater need for security solutions that can patch security loopholes while providing a higher level of control and scalability.

Indusface Stance

As the trusted application security partner for 9 of the top 10 banks in India, along with several other big names in the BFSI sector, we have tested some 10,000-odd applications and performed over 2.9 million application vulnerability scans. During this time, we have realized that the most important element for financial institutions is to have a complete security package on the table rather than the option of sourcing fragments from multiple vendors.

That's where our philosophy of detect, protect, and monitor allows organizations to conveniently deploy testing, mitigation, and control options. This way, companies do not have to train and manage dedicated application security staff, and they still maintain an extremely high uptime rate on a pay-as-you-go model.

Application Security Challenges

Furthermore, Indusface covers application vulnerability scanning, malware monitoring, mobile application security, web application firewall, and source code review, backed by a Service Level Agreement.

We take pride in helping organizations meet stringent regulatory compliance guidelines, seamlessly prioritize security, and cut application security costs with a one-of-a-kind Security-as-a-Service (SECaaS) model.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO at Indusface, Venky built the product/service offering and the technology team from scratch, and grew it from ideation to acquiring initial customers with a proven, validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services, and Sales at Entrust.