Contrast Security's State of Application Security in Financial Services Report Finds 75% of Application Security Budgets Are Rising in 2021 Due to Frequent Application Attacks

98% of financial services respondents admit they have experienced at least three successful application exploits in the last 12 months that have caused an operational disruption and/or a data breach leading to the increase in application security budgets

2021 State of Application Security in Financial Services Report

Contrast Security, a leader in modernizing application security, today announced the findings of its 2021 State of Application Security in Financial Services Report based on a comprehensive survey of development, operations, and security professionals and executives at enterprise-level financial services institutions. The report explores the state of application security at these organizations, and the findings indicate that the security of these applications — that have access and control over consumers' finances — is not a priority or major concern for most of them. 

With most attacks on financial services institutions executed at the application layer at a time when customers demand more digital services and customer-facing applications are developed in-house, application security is mission-critical. Methodologies like Agile and DevOps — and a growing use of open-source code and application programming interfaces (APIs) — have accelerated the development process, enabling financial institutions to speed up digital transformation initiatives that had been planned for months or years in the future. However, the financial services industry, including banking, insurance, and investment firms, has long been a target of cyber criminals, and this has only accelerated due to the COVID-19 pandemic. 

When multiple serious vulnerabilities are present in an application, cyber criminals have many opportunities to mount a successful attack. Almost all respondents (98%) admit that they have experienced at least three successful application exploits in the past year that have caused an operational disruption and/or a data breach. Astoundingly, more than half of organizations (52%) saw 10 or more successful attacks over 12 months. As a result, 99% of respondents in organizations with more than 15,000 employees peg the cost of each attack at $1 million or above. 

The high rate of false positives combined with the lack of actionable information in scan reports creates a major time sink for both development and security teams. More than eight in 10 respondents (81%) say that their application security teams spend three or more hours per false positive to identify it as such. So, when a legitimate vulnerability is identified, 72% of respondents said their organization's application security team spends six or more hours to triage, diagnose, and prioritize remediation for the development team. The baton then is passed to developers, who spend 10 or more hours per vulnerability to perform remediation and verification, according to 69% of respondents. With a scan report potentially containing hundreds of alerts, with a majority being false positives, these staff hours add up quickly for both the development and the security teams.

Given application security is an increasing concern for enterprises, 75% of respondents report that their application security budget is increasing in 2021, and 24% say that increase is more than 15%. Despite this emphasis on application security, only 40% of organizations place direct responsibility for application security under the CISO. So, while budgets are increasing at many organizations, some may not have a solid strategy in place to use those funds wisely. A crucial starting point will be to ensure security keeps up with the pace of development. 

"It is clear that application security strategies have not matured at most of the financial services organizations represented in this survey," said Jeff Williams, CTO and co-founder at Contrast Security. "The good news for institutions looking to build out their strategy is that implementing a modern application security platform can dramatically accelerate their program and produce real improvement quickly. Instrumentation-powered application security can provide continuous security testing at massive scale, providing highly accurate feedback to developers in real time, empowering them to find and fix their own vulnerabilities without direct help from application security specialists."

The Contrast Application Security Platform uses instrumentation to observe, analyze, and protect software from within the application. In doing so, Contrast makes security continuous and integrates seamlessly with modern software — from development into production. In addition, this approach offers an unprecedented application security orchestration layer for financial services institutions to improve enterprisewide risk reporting and policy enforcement. Contrast Security has worked with financial services institutions of all types around the world. Customers include leading global Fortune 500 and financial industry regulatory enterprises. 

REPORT: 2021 State of Application Security in Financial Services

BLOG POST: Contrast Study Finds Significant Application Security Risk at Financial Services Enterprises 

PODCAST: Digital Transformation in Financial Services Accelerates, Application Security Struggles to Keep Up 

WEBINAR: New Report Highlights Digital Acceleration in Financial Services Is Creating Application Cyber Risks 


This report is based on a comprehensive survey of business leaders, developers, and security professionals at financial services enterprises in North America. Conducted in April and May 2021, the survey sought to gauge the maturity of both the software development operations and application security programs, how organizations are using application security tools, and what outcomes they are seeing. The results of each question were analyzed for the whole cohort, and many answers were also grouped by background data like job title, company size, and application security methodology. From this analysis, we identified several insights about application development and security specific to the financial services vertical.

About Contrast Security:

Contrast Security is the leader in modernizing application security, embedding code analysis and attack prevention directly into software. Contrast's patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.

Contrast Security
Jacklyn Kellick
[email protected]

Source: Contrast Security


Tags: AppSec, Cloud Native, Cybersecurity, DevOps, Financial Services