Four in five Swedish banks and financial institutions use web technology components with known vulnerabilities. It is time for the financial industry to improve its focus on, and oversight of, the components used in business-critical solutions.
So says Daniel Parmenvik, CEO and head of the IT security product Bytesafe. The company investigated the use of open source components with known vulnerabilities among members of the Swedish Banking Association.
– “The result was disappointing and not good enough. Up to 78% of the websites examined used at least one component with security vulnerabilities,” explains Daniel Parmenvik.
Added to this is a lack of transparency, where the financial actors responsible for these components ignore the risks.
– “In many cases developers have a good idea of what components are currently in use, but organizations lack the comprehensive tools to manage applications over time.
At the same time, the business side is often more interested in current projects rather than investing time in the details of IT security,” explains Daniel Parmenvik.
Much of a modern application is made up of ready-made components developed by people outside the organization, most often in the form of open source components.
The benefits of reusing code are obvious: it reduces costs and speeds up the pace of development. At the same time, reusing external code from sources outside an organization's direct control introduces risk.
– “In general, organizations do not properly control the components and versions used in their applications and their age. In our study, for example, we found components that were over 12 years old, increasing the risk of safety problems,” explains Daniel Parmenvik.
The way forward, he said, is to introduce better systems that constantly monitor the software components in use and warn if new vulnerabilities emerge.
– “Vulnerabilities are discovered over time and organizations must implement processes and tools that continuously examine components to reduce IT risks.
Using components directly from public code libraries without any sort of oversight can be very dangerous,” explains Daniel Parmenvik.
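One way to implement the continuous component check described above, as an added example that is neither Bytesafe's nor the study's own tooling: it reads an npm lockfile (assumed here, since the page speaks of web components pulled from public code libraries), matches installed versions against a constructed advisory list, and also flags components whose constructed release date makes them older than a chosen age limit, the two problems the study reports.

```python
"""Added example, not Bytesafe's or any vendor's tooling: audit an npm lockfile
against an advisory list and flag vulnerable or stale components."""
import json
from datetime import date

# Constructed sample inputs: paths follow the npm lockfileVersion 2/3 "packages"
# layout; advisory ids, fixed versions and release dates are illustrative only.
LOCKFILE = json.dumps({"packages": {
    "": {"name": "example-bank-portal"},          # root entry: no version
    "node_modules/jquery": {"version": "1.8.3"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@scope/widget": {"version": "2.0.0-beta.1"},
}})
ADVISORIES = [  # constructed: a component is affected if version < fixed_in
    {"id": "EXAMPLE-0001", "package": "jquery", "fixed_in": "3.5.0"},
    {"id": "EXAMPLE-0002", "package": "lodash", "fixed_in": "4.17.21"},
]
RELEASE_DATES = {  # constructed release dates used for the age check
    "jquery@1.8.3": date(2012, 11, 13), "lodash@4.17.21": date(2021, 2, 20),
    "@scope/widget@2.0.0-beta.1": date(2023, 1, 10),
}
AS_OF = date(2023, 6, 1)  # constructed audit date

def parse_version(v):
    """'4.17.21' -> (4, 17, 21); a pre-release tag such as '-beta.1' is
    dropped so that versions compare numerically rather than as strings."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def installed_components(lockfile_json):
    """Yield (name, version) for each installed package, keeping npm scopes."""
    for path, meta in json.loads(lockfile_json)["packages"].items():
        if "version" in meta:
            yield path.split("node_modules/")[-1], meta["version"]

def audit(lockfile_json, advisories, release_dates, today, max_age_years=5):
    """Return (name, version, reason) for each component that is affected by
    an advisory or is older than max_age_years as of `today`."""
    findings = []
    for name, version in installed_components(lockfile_json):
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((name, version, f"vulnerable: {adv['id']}, fixed in {adv['fixed_in']}"))
        released = release_dates.get(f"{name}@{version}")
        if released and (today - released).days > max_age_years * 365.25:
            findings.append((name, version, f"stale: released {released.isoformat()}"))
    return findings

if __name__ == "__main__":
    for name, version, reason in audit(LOCKFILE, ADVISORIES, RELEASE_DATES, AS_OF):
        print(f"{name}@{version}: {reason}")
```

Run on a schedule against the real lockfile and a current advisory feed, the same loop is what "continuously examine components" amounts to in practice: a component that was clean yesterday shows up as a finding the day its advisory is published.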