Research finds in-house banking apps easier to hack

By David Beach | 11 April 2019

New research released this week has revealed that banking applications developed in-house are more vulnerable than those produced by third-party vendors.

Some 81% of banks across the world are embarking on technology transformation programmes in order to keep costs low and bring out application functionality at the pace dictated by consumer demand, according to a 2018 Forrester report.

The research conducted by app security vendor Positive Technologies found that on average solutions purchased from vendors contain three times fewer vulnerabilities than software developed by banks on their own.

“It happens not only in financial services but other industries that you develop software to provide services and get a profit, and you want to do it fast. Sometimes security is left to the end or aside,” says Cesar Cerrudo, CTO of IOActive, a firm which works with banks to test their security.

Average number of vulnerabilities by severity

Figure 8. Average number of vulnerabilities per application

Source: Positive Technologies

The research was conducted across multiple countries and collected from 13 projects which were carried out on full-featured systems with a full set of checks, according to the researcher. 62% of applications analysed were in-house, the remaining were off the shelf.

In 54% of the applications studied, it was possible to commit theft of funds or fraud while every bank was vulnerable to unauthorised access to sensitive bank information and clients’ personal data.

According to Cerrudo, even low risk vulnerabilities, when exploited in volume, increase the risk severity, making it important to ensure security best practice is instilled from start to finish of app development.

“More mature software companies tend to improve cyber security in the long term because they’ve been dealing with these issues for a long time. When you start developing from scratch then you’re limited to the security knowledge that you have in-house and sometimes it’s very limited, sometimes it’s very good,” says Cerrudo.

But Jason Maude, head of system analytics at Starling Bank, is skeptical of the report’s findings. Starling developed nearly the entirety of its tech stack in-house.

“We are confident in our own security expertise, but we are not complacent,” said Maude, by email. “That's why we constantly test and check our software and systems so that we can detect and fix security vulnerabilities before criminals find and exploit them,” he said.

For Cerrudo, in-house developers “need education and training on security and then need to incorporate security into the development lifecycle early on and throughout. In order to do that you need knowledge and people to train others.

“Some companies develop the software and then have a third party take care of software security but sometimes when you are already designing the system it’s very difficult to change once the system is finished. If you haven’t incorporated security best practices from the beginning it becomes a lot more costly and difficult to fix the problems and to add more security,” he says.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development