Banking isn’t what it used to be—which means banking security can’t be what it used to be either. Keeping customers’ assets safe is no longer a matter of locking the massive door of a vault and keeping watch with some security cameras. The threats to security come from computer keystrokes, not masked men with guns.
Indeed, both the players and the landscape have changed. Hardly any bank is just a bank anymore. And entities that aren’t banks are invading turf that we all used to think was owned by banks.
They’re all now part of the financial services industry (FSI)—not just checking and savings accounts along with business and mortgage loans, but also credit and debit cards, insurance, investment management, brokerage services, and more: just about anything involving money. Beyond that, all these services, along with currencies, are going digital. Who but the older generation carries cash anymore? Who but AARP qualifiers show up at teller windows?
You’ve probably seen the ads touting “banking reimagined.” It’s a bit more like banking upended or disrupted. Bank branches are closing because an entire generation of people see no need to use them. The financial life of millions of customers is now in their pockets—on their smartphones.
The challenge of meeting the demands of digital transformation while keeping both organizations and their millions of customers secure was the focus of a recent virtual roundtable hosted by FStech and Synopsys titled “The Race to Digital: How FSIs Are Leveraging DevSecOps to Meet Rising Digital Demand.” As the title suggests, the goal is to use DevSecOps to drive digital transformation while keeping systems, customers, and the companies’ bottom lines secure.
And that can be complicated.
FSIs—especially recent entries into the field—are shifting to cloud-based architectures, which means the “vault” protecting assets requires rigorous software security and secure cloud configurations.
Frank Morris, managing director with the Synopsys Software Integrity Group, notes that most younger people “don’t even know what a checkbook is. They don’t have phone communications because everything is done through digital chat.”
All of which brings both benefits and liabilities. The opportunities for growth and profit are huge, as a consumer’s or corporation’s entire financial life can be connected to one organization. But, especially for so-called “legacy” banks that have been around for generations, the digital transformation is a heavy lift because their decades-old infrastructure was made for a model that is increasingly obsolete, yet a portion of their (older) customer base still wants that model.
That makes the playing field a bit uneven. The newer, or “challenger” banks, which are tech companies that typically use mobile distribution channels to offer competitive retail banking services, “can move at a very fast pace because they have no legacy infrastructure like mainframes sitting around disparately across 20 different regions of the country,” Morris said, adding that generally they also have a younger and more agile workforce.
On the other side, he said, legacy banks do have the advantage of size, which includes lots of money, but they are trying to run “a massive legacy estate of infrastructure while trying to accelerate their processes, practices, and procedures to keep up with the challenger banks.”
Ian Ashworth, security consultant at Synopsys, said some challenger banks “aren’t even true banks,” and don’t have to reimagine anything because “they’re starting from what amounts to a clean sheet of paper,” while legacy banks must overhaul their infrastructure to stay in the game.
One illustration of the generation gap is credit cards. Ashworth noted that in the legacy bank world, a customer who misplaces a credit card would have to cancel it and then wait several days to get a new one. “But in the new challenger-bank world, you’re on your mobile app and can say ‘I’ve misplaced my card, lock it from all types of transactions.’ So then when you locate it, you just re-enable it.”
As Morris noted, there are now virtual cards—no plastic at all. “So each time you use a card on a digital transaction you get a new card number. It can’t be cloned or reused,” he said.
Then there is regulation. The big legacy players, Ashworth said, “are constantly having to keep pace with what regulators are asking them to do, and this is holding them back because these new, nimble challenger banks, sometimes termed banking-in-a-box, are providing things from a very fresh starting point so they don’t have all these regulatory demands.”
That is changing, he said. “The young whippersnappers are getting called out now because they are maturing their products and making these applications to be not just a sexy card that you can use with your mobile phone, but a full-fledged bank with all of the financial protection measures that are associated with that, they’re now having to build all of that into their back ends, at scale. So they are creating a problem for themselves, but they knew this was coming.”
But, while there is value to compliance—Morris notes that the UK’s Financial Conduct Authority has about 20 pages devoted to security in the parameters and standards for FSIs—the reality remains that “compliance is not security.”
And security is an existential requirement for FSIs, whether they are legacy or challenger. Security involves “a combination of tools, data, information, processes, and people,” said Ashworth. “It’s the architects, it’s the designers and the developers; it’s the risk governance, the legal teams, and the security teams, of course.”
“You can’t afford to have a breach,” he added, “because you won’t have a customer base if you don’t show that you’ve got authority on the subject. If you get it wrong, it’s game over. It’s not something you can take lightly.”
Ashworth said for FSIs, one of the most important software testing tools is static application security testing (SAST), an automated testing tool that finds defects in code while it is being written.
He said SAST is often mandatory “although the deeper implementation details of what it must try and find and whether these findings are consequently deemed ‘passable’ are often left to individual organizations,” he said, adding that the Synopsys SAST tool Coverity is among the popular options.
“Developers have become much more security-aware and selective of their tool of choice, and I see this increasing as modern languages like Swift and Go are becoming fashionable,” he said.
Second, given that FSIs have an internet presence, “many open source components make up the front-end web and mobile solutions,” Ashworth said. That means software composition analysis (SCA) is “essential to pre-vet their selection and mitigate third-party risk,” he said. The Black Duck SCA by Synopsys tool focuses on that—helping to find and fix defects or licensing conflicts in open source software.
Finally, Ashworth said interactive application security testing (IAST) Synopsys tool, Seeker, “is gaining in appeal and perhaps is an as yet untapped gem of a technology that has great potential, especially as we see more adoption of microservice architectures and the desire to report proven high impact issues.”
Besides application security testing tools, there are the risks to being in the cloud.
As the latest Building Security In Maturity Model report from Synopsys put it, “cloud providers are 100% responsible for providing security software for organizations to use, but the organizations are 100% responsible for software security. Organizations that weren’t doing software security well in their private data centers are likely not doing software security well in the cloud either.”
“You expose yourself to the cloud and you suddenly have to learn all about cloud configurations and secure networking,” Ashworth said, “and then you’ve got all the worries of operational security because you’re now facing everything through the Internet—a public interface—rather than through a closed network where you were talking to a teller across a desk.”
Or, as Morris noted, “One of the big sales pitches is ‘Hey, come to the cloud, it’s all pre-done for you, it’s very secure; happy days—move over.’ The reality of it all is yes, parts of it are secure but you are still responsible to ensure that cloud instance is configured effectively.”
All of which means that “Sec” must become embedded into DevOps. And that, both Ashworth and Morris say, is where Synopsys can help.
Morris said Synopsys conducts BSIMM assessments to evaluate the maturity of an organization’s software security initiative. “And we develop Maturity Action Plans to help define the roadmaps and action plans for improving their maturity,” Morris said.
“The impression people get is that security takes more time and costs more, so by integrating our tools with groups of individuals that have experience and an understanding of how to implement these things effectively into organizations, all the change elements that you would get in a normal business are applied into the DevSecOps world,” Morris said.
“That’s what Synopsys can really bring. The best analogy is that rather than just give someone a set of golf clubs, we are teaching them how to play golf.”