The good news is: At a time when banking regulators are focused on the criticality of application security as part of an institution's core risk management program, U.S. banking institutions generally are confident in their in-house developed apps.
In a survey of more than 100 banking/security leaders, 57% of respondents say they are somewhat or very confident in their own applications, and 90% say application security is somewhat or a significant part of their overall information security programs.
The bad news is: When it comes to applications developed or managed by third-party service providers, 81% are only somewhat or not at all confident in the security, and this faith erodes even further with large institutions ($2 billion or more in assets under management), where 91% are only somewhat/not at all confident.
These are the key findings of this survey aimed at gauging the scope and strength of institutions' application security programs. The survey, administered electronically in August, drew more than 100 responses from financial institutions of all sizes.
Beyond confidence, institutions were also polled about assessment and testing. Asked whether they assess all business-critical applications for vulnerabilities, 88% say always or on a case-by-case basis.
Yet, only 55% of respondents test their application security controls annually. The rest test on no set schedule (28%), before a regulatory exam (10%) or don't know/not at all (7%).
And when application vulnerabilities are found? Only 51% of respondents have an effective, recurring process to monitor, identify and remediate these issues. The rest have an informal process (25%), none at all (17%) or plainly don't know (7%).
"Clearly, institutions are saying all the right things about application security," says Tom Field, Editorial Director of ISMG. "But when you probe a little deeper, their actions just don't seem to back up their words - particularly when it comes to applications developed or managed by third-party service providers."
About ISMG: With members representing over 13,000 financial institutions, and regular input from federal banking agency officers and its own board of advisors, ISMG delivers webinars and online training that are focused, timely and, most important, useful. Presented by actual practitioners and industry experts, each presentation (ranging from 90 minutes to two-plus hours) delivers how-to and practical information on the inner workings of information security programs at financial institutions.