Application Security Survey
Application Security: It's a case of good news/bad news.
The good news is: At a time when banking regulators are focused on the criticality of application security as part of an institution's core risk management program, U.S. banking institutions generally are confident in their in-house developed apps.
In a survey of more than 100 banking/security leaders, 57% of respondents say they are somewhat or very confident in their own applications, and 90% say application security is somewhat or significantly a part of their overall information security programs.
The bad news is: When it comes to applications developed or managed by third-party service providers, 81% are only somewhat or not at all confident in their security, and this faith erodes even further with large institutions ($2 billion or more in assets under management), where 91% are only somewhat/not at all confident.
These are the key findings of this survey aimed at gauging the scope and strength of institutions' application security programs. The survey, administered electronically in August, drew more than 100 responses from financial institutions of all sizes.
Beyond confidence, institutions were also polled about assessment and testing. Asked whether they assess all business-critical applications for vulnerabilities, 88% say always or on a case-by-case basis.
Yet only 55% of respondents test their application security controls annually. The rest test on no set schedule (28%), test before a regulatory exam (10%), or don't know or don't test at all (7%).
And when application vulnerabilities are found? Only 51% of respondents have an effective, recurring process to monitor, identify and remediate these issues. Forty-nine percent have an informal process (25%), have none at all (17%) or plain don't know (7%).
How confident are you in the general security of your in-house developed applications?

How confident are you in the general security of applications developed or managed by third-party service providers?
