Technology
8 min read

Cybersecurity in Banking: 6 Best Practices to Follow for a Secure Software Development Lifecycle

Phishing attacks, data leaks, ransomware infections… All of this can happen with any business that doesn’t pay enough attention to secure product development. To help you stay on the safe side, we compiled a list of the most common security risks to watch out for and 6 data security practices to adopt.
Written by
Jannis Rufatti
Published on
February 27, 2024
Read time
8 min read

In January 2023, the U.K. Royal Mail got hit by ransomware, forcing the company to stop sending letters and parcels overseas. Although initiated by a phishing attack, this incident could have been avoided if the company had implemented robust authentication and cybersecurity measures across all its services. But instead, they had legacy systems in place – and there is nothing more vulnerable than legacy technology. This highlights the growing cybersecurity risks associated with outdated systems and the need for proactive strategies.

Today every organization, big and small, faces security challenges. To overcome these challenges, it’s not enough to teach your employees to be careful and avoid clicking on suspicious links. Security needs to be an integral element of your Secure SDLC (Software Development Lifecycle).

In this article, we’ll talk about what secure SDLC is and offer 6 security best practices supported by examples from our experience.

What is the Secure Software Development Lifecycle (SSDLC)?

Secure Software Development Lifecycle (SDLC) is a systematic approach to integrating security into the software development process, often achieved by adopting a security-by-design practice. In the banking industry, this approach is crucial due to the sector's vulnerability to various cyberattacks. Rather than treating security as an add-on at later stages, development teams take a proactive approach and integrate security from the very start.

By identifying and mitigating security risks early in the development process, development teams can reduce the likelihood of security vulnerabilities and breaches in the final product.

Cyber security is paramount in the banking sector, where constant vigilance against evolving cyber threats is necessary to protect sensitive data and maintain financial stability.

At Modeso, we start our development process with security in mind, meaning we define security risks yet at the requirements stage to protect our clients’ data and avoid reputational risks. This is how we build software that is resilient and secure – as demonstrated in our recent projects.

But why is secure SDLC that important for businesses to follow no matter what? Let’s clear things out.

Understanding the importance of secure SDLC

As we briefly mentioned, SDLC is a critical aspect when talking about cyber security in banking. It involves integrating security into every phase of the software development process, from design to deployment. This approach helps financial institutions identify and address potential security vulnerabilities early on, reducing the risk of data breaches and cyber attacks.

A secure SDLC ensures that software applications are designed with security in mind, making it more difficult for cybercriminals to exploit vulnerabilities. This is particularly important in the banking sector, where sensitive customer data and financial information are at risk.

By implementing a secure SDLC, financial institutions can:

  • Identify and address security vulnerabilities early in the development process
  • Reduce the risk of data breaches and cyber attacks
  • Improve the overall security posture of their software applications
  • Enhance customer trust and confidence in their online banking services
  • Comply with regulatory requirements and industry standards for cybersecurity

In this regard, some best practices for implementing a secure SDLC in banking include:

  • Conducting regular security audits and risk assessments
  • Implementing secure coding practices and code reviews
  • Using secure development frameworks and tools
  • Conducting penetration testing and vulnerability assessments
  • Providing ongoing security training and awareness for developers

By prioritizing these practices, financial institutions can build robust and secure software systems that protect customer data and maintain the integrity of financial transactions, while avoiding some major security risks. But what risks are we talking about?

The most common security risks to look out for

Insecure data storage, low-quality code, outdated infrastructure, and the list goes on. The way your software is built often determines whether it will suffer from vulnerabilities and let in threats, increasing the overall cyber risk. Here are the most common security risks we often come across in our work:

A significant concern is the potential for a data breach, which can lead to operational costs, loss of customer trust, and reputational damage.

Legacy software

Outdated technology, lack of support, insecure code, compliance issues, and limited integration ‒ that’s what we call a classic legacy software system. So it doesn’t come as a surprise that it’s an easy target for security threats. The same can be said about software lacking regular maintenance ‒ such systems are also in danger of being attacked. To keep banking institutions cyber secure, it is crucial to address these vulnerabilities through regular updates, adherence to regulatory best practices, and comprehensive cybersecurity frameworks.

Poorly written code

When code lacks clarity, organization, and adherence to the best practices such as input validation, output encoding, error handling, and more, it becomes more prone to security vulnerabilities and flaws.

Insecure authentication and authorization mechanisms

Weak authentication practices, such as inadequate password policies or storing credentials improperly, open the path for hackers to gain unauthorized access to sensitive data or functionalities.

Vulnerable third-party services

If your software requires third-party integrations, it’s necessary to evaluate how secure these third parties are, especially when dealing with financial systems. Their flaws might serve as an entry point for attackers to gain access to your sensitive data.

Insecure storage

When data is stored insecurely, it becomes vulnerable to unauthorized access, manipulation, or theft by malicious actors. What's more, it can lead to compliance violations resulting in severe penalties, fines, and legal consequences for an organization.

Core principles to secure your data

To mitigate security risks for our clients and safeguard their sensitive data, we implement comprehensive security solutions and set up a secure SDLC characterized by the following practices:

Effective risk management strategies are also crucial in addressing vulnerabilities brought by third-party integrations and adhering to financial industry standards.

Practice 1: Follow OWASP standards

OWASP, or Open Web Application Security Project, is a non-profit foundation that provides free tools and documentation to build and maintain secure web applications in the financial services sector. Its resources include OWASP API Security Top 10, a comprehensive guide that assists developers and organizations in prioritizing security measures and mitigating the most impactful security risks of application programming interfaces. Here’s the 2023 update of OWASP API Security Top 10:

API Security Top 10 2023
API1:2023 - Broken Object Level Authorization
API2:2023 - Broken Authentication
API3:2023 - Broken Object Property Level Authorization
API4:2023 - Unrestricted Resource Consumption
API5:2023 - Broken Function Level Authorization
API6:2023 - Unrestricted Access to Sensitive Business Flows
API7:2023 - Server Side Request Forgery
API8:2023 - Security Misconfiguration
API9:2023 - Improper Inventory Management
API10:2023 - Unsafe Consumption of APIs

For a better understanding, let’s look closer at one of the risks outlined ‒ Broken Authentication. OWASP provides a comprehensive overview of the vulnerability itself, including ways to prevent it, threat agents, security weaknesses, impacts, example attack scenarios, and more. By thoroughly examining the risk, developers can adopt proactive measures to mitigate its impact during the development process.

Now, let’s see how prioritizing security standards was put into action in our collaboration with Würth Financial Services, Switzerland’s leading insurance broker, and TWINT, the most popular payment app in the country.

We joined the project to help develop Insurhub – an app that aggregates insurance products from various providers and offers them to private clients through the TWINT app.

Security was a top priority for Insurhub, given the sensitive nature of payment information and user data. To protect sensitive information, we used encryption and stringent access controls to ensure that unauthorized access is prevented, while our code changes underwent thorough review processes to maintain integrity.

Practice 2: Perform penetration tests for systems dealing with sensitive data in financial institutions

Penetration testing, or simply pen testing, involves simulating real-world cyberattacks on a computer system, network, or application to identify vulnerabilities and weaknesses. By testing the security measures implemented in the software, pen testing evaluates their effectiveness in mitigating cybersecurity risks, cyber threats, and protecting data assets.

Not every project requires penetration testing. It’s more common in fintech and medtech where sensitive user data is at stake. Because penetration testing requires specialized expertise in place, we usually engage a reliable third-party partner to conduct it for our clients.

When working with TWINT on three other projects ‒ Digital Voucher, Super Deals, and Storefinder – our security measures included penetration tests. To identify potential security vulnerabilities, our partners conducted tests covering a range of aspects, including network configurations, application vulnerabilities, and user access controls.

Practice 3: Choose a secure integration strategy

To mitigate risks associated with connecting disparate systems, applications, or networks in the financial sector, it’s essential to choose a secure integration strategy. It ensures that sensitive data transferred between systems remains protected from unauthorized access or interception. Organizations can safeguard data integrity and confidentiality by implementing encryption, access controls, and secure communication protocols.

We always have contractual obligations with third-party systems or services we integrate with, so such integrations are unlikely to pose any threats. We also implement authentication mechanisms like token-based and permission-based authentication to protect valuable data and secure its transfer. To identify vulnerabilities in dependencies, we use Dependabot. It scans the default branch of the repository to detect insecure dependencies and sends alerts so that a package is updated to a secure version or replaced with a secure alternative.

While integration partners may not always pose a threat, there are situations where risks may come from the company’s internal legacy systems. This is often the case in projects requiring the modernization of existing software while maintaining necessary integrations with legacy systems.

For example, in our collaboration with Albin Kistler, a prominent wealth manager in Switzerland, we needed to rebuild their custom-made database into a modern platform for investment portfolio analysis. The existing system relied on the outdated infrastructure which posed, among other things, security vulnerabilities. To eliminate security risks, we hosted the platform on a private cloud and implemented robust data validation measures when migrating data from the legacy system to the newly implemented solution.

Practice 4: Secure data storage to prevent data breaches

The data storage you choose plays a crucial role in safeguarding against data breaches and unauthorized access, especially within the financial industry. Implementing secure data storage involves employing encryption techniques to protect data both at rest and in transit. Access controls and authentication mechanisms should be established to restrict unauthorized access to stored data. Regular data backups and disaster recovery plans should also be in place to mitigate the impact of potential data loss incidents.

Choosing reputable hosting providers with robust security measures and compliance certifications, such as AWS and GCP, can further enhance data protection efforts.

When considering where to host data, it’s crucial to prioritize locations that offer added legal and regulatory protections. Typically, we opt for GCP and AWS as our cloud providers. Given that most of our clients are situated in Switzerland, we store their data in data centers located within the country.

Practice 5: Access control and permissions

Limiting access to critical assets means controlling who can reach sensitive data or important systems. Let's say your system has three user roles ‒ an administrator, manager, and employee. An administrator has full access to all system resources, settings, and functionalities, while a manager can access solely system resources and data related to their department. An employee, in turn, has access only to essential tools, applications, and data required to perform their direct job responsibilities.

To confirm someone's identity before letting them in, developers usually use methods like passwords, biometrics, or multi-factor authentication. This way, they keep valuable data safe and make sure it stays private and accessible only to those who should have it.

We implement permission-based access control on almost every project we work with. One example is our collaboration with Rietman & Partner, a Swiss auditor and tax consultant.

Here we needed to develop a custom system that streamlines the company's auditing procedures. The core functionality of the system revolves around a set of rules governing the audit workflow. To safeguard data privacy and integrity, we established access controls where different user roles, such as auditors and lead auditors, can be allocated specific permissions for visibility and editing privileges, ensuring users engage solely with data relevant to their responsibilities.

Practice 6: Automate security with DevSecOps to mitigate cyber attacks

To ensure the continuous delivery of secure software, you can integrate security practices into your DevOps workflow. This practice is called DevSecOps, and it's a great way to automate security processes throughout your software development lifecycle. It allows you to identify and remediate security vulnerabilities more efficiently.

DevSecOps includes incorporating security checks and tests into the CI/CD pipeline, such as static code analysis, vulnerability scanning, and automated penetration testing. Automated security tools can enforce compliance with security policies and standards, ensuring that security is not overlooked during the development process.

By adopting DevSecOps practices, software development teams can proactively address security concerns while maintaining the agility and speed of the DevOps approach.

But apart from the technical side of things, we should consider one more aspect. To some extent, it is more important than any robust business solution or teaming up with vetted developers who know everything about cyber security in the financial sector. And we’re talking about employee training and awareness.

Why are employee Training and awareness crucial for data security? Things training programs should include

Employee training and awareness are critical components of cybersecurity in banking. Financial institutions must educate their employees on the importance of cybersecurity and the role they play in protecting sensitive customer data and financial information.

Cybersecurity awareness training should cover topics such as:

  • Phishing and social engineering attacks
  • Password management and authentication
  • Data encryption and protection
  • Network security and access controls
  • Incident response and reporting

Regular training and awareness programs can help employees:

  • Identify and report potential security threats
  • Use secure practices and protocols when handling sensitive data
  • Avoid common cybersecurity mistakes and pitfalls
  • Respond effectively in the event of a security incident
  • Maintain a culture of cybersecurity awareness and responsibility

Some best practices for employee training and awareness in banking include:

  • Providing regular training and awareness programs
  • Using interactive and engaging training methods
  • Conducting phishing simulations and security drills
  • Encouraging employee participation and feedback
  • Recognizing and rewarding employees for their cybersecurity efforts

This proactive approach will help you not only protect sensitive data but will also foster a culture of security within the organization, ensuring that all employees are vigilant and prepared to handle potential cyber threats.

Develop secure software with Modeso

In conclusion, developing secure software requires a holistic approach that prioritizes security throughout the SDLC, especially in the realm of banking cybersecurity. By adhering to best practices and leveraging our expertise at Modeso, you can ensure that your software remains resilient and protected against evolving security threats. if you’re interested in building scalable and secure custom applications in line with security best practices.

TABLE OF CONTENT
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Read about our privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Header image
Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.