Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group.

The most common high and medium-risk vulnerabilities were found in customer-facing web apps.

NCC categorised vulnerabilities found in 168 financial services organisations using a number of different scanning methods. The results revealed that the number detected within the sector has increased sharply over the last four years, rising from an average per organisation of 217 vulnerabilities in 2013 to 910 in 2016.

Independent pen-testing experts expressed caution about the figures, which might be influenced by the growth of banking sector apps in general and other factors. The stats cover vulnerabilities on systems that are "out of scope" for pen-testers but not for hackers, so experience from testing engagements neither validates nor debunks NCC's figures. Patching in finance houses is a problem, but enterprises sometimes find themselves running legacy platforms because of a need to continue supporting legacy apps.

"It's painful when you see finance staff systems forced to run old Java versions because the org won't update the app or the vendor sucks," noted penetration tester and incident response expert Steve Armstrong.

Running the numbers

The anonymised stats come from data gathered on customers of NCC's managed vulnerability scanning services. One factor that may tilt the figures is the increasing number and complexity of apps within the financial sector: if more apps are created using a greater number of toolsets, then the number of vulnerabilities will increase.

That's even before considering that NCC's test process will have improved over time, so that a greater percentage of flaws will be identified, or that, as finance firms spend more on infosec, part of this increased budget goes towards more rigorous app testing.

NCC acknowledged that although app growth and more vulnerabilities being known about (fewer unknown unknowns) are all factors, its study provides evidence that poor patching practices are still causing problems even within the finance sector.

David Morgan, executive principal at NCC Group, said: "Although the type of scan used can impact the detection of vulnerabilities in certain categories, the sheer size of the increase in web application framework issues means that the rise can't be entirely attributed to this.

"The sector is increasingly taking a digital-first approach to better engage with customers, and a consequence of this is organisations will be exposed to an increased number of security vulnerabilities."

Of the issues marked as high and medium risk, 24.7 per cent were web application framework vulnerabilities, that is, flaws in software designed to support the development of web applications, including web APIs, services and resources.

Almost all of these vulnerabilities could be resolved by updating the affected platforms or tools. Many of them were mitigated by updating PHP to the latest version of the scripting language. Other fixes might be applied by updating ASP.NET and Apache Tomcat, two other widely deployed, enterprise-focused web application platforms.

Morgan added: "Since they are a frequent target for cybercriminals, financial services companies should be continuously monitoring for vulnerabilities and regularly updating their software, particularly when these tools form the building blocks of what are often business-critical web applications." ®