Are Your Applications Safe? Your Financial Software Might be at Risk

According to a study performed by Veracode Inc., significant security gaps exist in financial software in use across the financial services industry. An 18-month study analyzed nearly three thousand software applications from a variety of industries, of which 38% were finance-related. A surprising 56% of these were found to have less than acceptable security measures in place. Financial services companies make a prime target, and yet financial software still has serious security gaps. If your business uses financial software, you should be aware of the potential risks.

A Danger in Financial Software: Cross-Site Scripting

The chief danger to the security of your financial software is cross-site scripting (XSS). Banking and insurance companies appear to be in the greatest peril: more than 70% of the vulnerabilities discovered in financial software related to banking and insurance were cross-site scripting exposures. This compares with a 33% rate of cross-site scripting (XSS) vulnerabilities across all the other financial services included in the study, such as banks, brokerages and payment processors.

Cross-site scripting is a security attack that takes advantage of a weakness in your application program. The attacker inserts code which appears to come from a reliable source. Most often this comes in the form of SQL injection (SQL stands for Structured Query Language). An attacker will use a web form designed to screen access. Such forms usually request a name and password to be entered into text boxes, and access is granted or denied based on whether the software recognizes the values that have been entered.

The Need for More Security Structure

Unfortunately, many such dynamic forms do not have sufficient security structures in place to block input other than what is expected (e.g. names and passwords). This means that an attacker can use your text boxes to inject a request which, in essence, changes the function of the form. Attackers may request all manner of “secure” information and could conceivably download your entire database. Any of your web applications which generate pages dynamically would be particularly vulnerable to this sort of malicious entry. This weakness or vulnerability is sometimes called an XSS hole. The rise in the use of automated tools has brought a concurrent rise in the risk of SQL injection. It is estimated that perhaps 60% of web applications which generate dynamic forms could be considered at risk. Your financial software usually depends heavily on such dynamic content.

Financial Software at Risk

While Veracode’s application security testing found that 57% of all applications were at risk of a security breach, there was a marked difference between software developed in-house and third-party applications. Of the third-party applications, 81% were found to be insecure. This has led to increased demand, particularly from consumers of financial software, that third-party providers undergo more stringent security auditing. Web applications account for more than 50% of all third-party providers.

If your business uses financial software, you will want to be aware of the potential risks. Be sure that your financial software systems run with the necessary security mechanisms in place to block cross-site scripting and SQL injection. And whether you employ in-house or third-party servers, those servers need protocols in place for validating input submitted through dynamic forms.
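To make the login-form weakness described above concrete, here is an added example (not code from the article or from Veracode) showing a name/password check built by string concatenation beside its parameterised form, plus the input validation and output encoding the closing advice calls for. The user table, the account, and the injected text box value are all constructed for the demonstration.

```python
import html
import re
import sqlite3

# Constructed in-memory credential store standing in for the real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

# Constructed text-box input: a quote ends the password literal early, and the
# rest becomes part of the SQL statement, changing what the form does.
INJECTED_PASSWORD = "' OR '1'='1"

def login_vulnerable(conn, name, password):
    """Form input is pasted into the query text, so it can alter the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, name, password):
    """Parameterised query: the driver passes the values separately from the
    statement, so the statement's structure cannot be changed by form input."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

# Allow-list validation for the name box: reject anything that is not a
# plausible account name before it reaches the database at all.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def valid_username(name):
    return NAME_RE.fullmatch(name) is not None

def render_greeting(name):
    """Output encoding for dynamically generated pages (the XSS side): user
    text is escaped so the browser treats it as text, not markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable form, injected password:",
          login_vulnerable(conn, "alice", INJECTED_PASSWORD))   # True
    print("parameterised form, injected password:",
          login_safe(conn, "alice", INJECTED_PASSWORD))          # False
    print(render_greeting("<script>"))
```

The vulnerable function grants access for the injected value because the quote breaks out of the password literal; the parameterised version compares the whole string as data and correctly denies it.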