One might think financial institutions, such as banks, would have formidable levels of application security. Unfortunately, if one thought that, one would be wrong. According to an analysis by application security vendor ImmuniWeb, a startling 97 out of 100 of the world’s largest banks are vulnerable to web and mobile attacks.

ImmuniWeb conducted a number of non-intrusive security, privacy and compliance tests, including evaluating SSL security, website security, phishing vulnerability, compliance to various facets of PCI DSS, as well as GDPR. The tests also included non-intrusive software composition analysis of open source software verified fingerprinted software versions for publicly disclosed vulnerabilities from the OWASP Top 10.

This application security research focused on the external web applications, APIs and mobile apps of world largest financial organizations from 22 countries according to the S&P.

Main findings from the research included:

Security Vulnerabilities:

7 e-banking web applications contain known and exploitable vulnerabilities

The oldest unpatched vulnerability is known and publicly disclosed since 2011

92% of mobile banking applications contain at least 1 medium-risk security vulnerability

100% of the banks have security vulnerabilities or issues related to forgotten subdomains

Regulatory Compliance:

85 e-banking web applications failed GDPR compliance test

49 e-banking web applications failed PCI DSS compliance test

25 e-banking web applications are not protected by a Web Application Firewall

The rest of the results didn’t sit well, either: only 3 main websites out of 100 had the highest grades “A+” both for SSL encryption and website security, these included the websites for www.credit-suisse.com (Switzerland), www.danskebank.com (Denmark), www.handelsbanken.se (Sweden).

The researchers found each website contained, on average 2 different web software components, JS libraries, frameworks or other third-party code, and as many as 29 websites contain at least one publicly disclosed and unpatched security vulnerability of a medium or high-risk.

The oldest unpatched vulnerability detected during the research is CVE-2011-4969 impacting jQuery 1.6.1 and known since 2011.

The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).

With regard to the subdomains, the situation is even more disastrous with outdated components:

81% of the subdomains that contain finger-printable external software have outdated components

2% contain publicly disclosed and exploitable vulnerability of medium or high risk

Furthermore, a nonprofit Open Bug Bounty project contains 147 XSS vulnerability reports affecting websites of the banks from this research. Of that project, 28 publicly disclosed vulnerabilities remain unpatched, with 5 vulnerabilities reported and unpatched for over 2 years.

It wasn’t just web apps that proved problematic. The researchers evaluated 55 mobile banking applications. According to their findings, these mobile apps communicated with 298 backend APIs to send or receive data from the bank.

Each of the mobile banking apps were tested for Mobile OWASP Top 10 security and privacy issues.

The researchers found:

100% of mobile banking applications contain at least 1 low-risk security vulnerability

92% of mobile banking applications contain at least 1 medium-risk security vulnerability

20% of mobile banking applications contain at least 1 high-risk security vulnerability

Three most common OWASP Mobile Top 10 security issues are:

M1: Improper Platform Usage

M2: Insecure Data Storage

M7: Client Code Quality

The researchers tested SSL encryption verify the encryption of transmitted data. Fortunately, SSL proved to be a relative bright spot in the testing:

242 received an “A” grade

44 got the highest “A+” grade

However, as much as 18 scored a failing “F” grade, meaning that communications can be easily intercepted due to known and exploitable cryptographic or SSL/TLS implementation vulnerabilities.

Of course, building secure software has proven challenging, if not essentially out of reach, for many organizations. The National Institute of Standards and Technology wants to change that and is developing what it calls a secure software development framework (SSDF) that can be incorporated into the development lifecycle at any organization. The draft paper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework is available here as a .pdf.

NIST hopes the secure software development framework proves to be an essential set of high-level secure software development practices.

Ultimately, the authors seek to give rise to communication about secure software development practices among business owners, software developers, and cyber security professionals. NIST believes that following the practices within the framework could help software developers to reduce the number of vulnerabilities in their software, mitigate the potential impact of vulnerabilities, and even address the root causes of vulnerabilities to prevent future recurrences.

If ImmuniWeb’s research is any indication, the world could certainly use the NIST framework.