In January 2023, the U.K. Royal Mail got hit by ransomware, forcing the company to stop sending letters and parcels overseas. Although initiated by a phishing attack, this incident could have been avoided if the company had implemented robust authentication and cybersecurity measures across all its services. But instead, they had legacy systems in place – and there is nothing more vulnerable than legacy technology. This highlights the growing cybersecurity risks associated with outdated systems and the need for proactive strategies.
Today every organization, big and small, faces security challenges. To overcome these challenges, it’s not enough to teach your employees to be careful and avoid clicking on suspicious links. Security needs to be an integral element of your Secure SDLC (Software Development Lifecycle).
In this article, we’ll talk about what secure SDLC is and offer 6 security best practices supported by examples from our experience.
Secure Software Development Lifecycle (SDLC) is a systematic approach to integrating security into the software development process, often achieved by adopting a security-by-design practice. In the banking industry, this approach is crucial due to the sector's vulnerability to various cyberattacks. Rather than treating security as an add-on at later stages, development teams take a proactive approach and integrate security from the very start.
By identifying and mitigating security risks early in the development process, development teams can reduce the likelihood of security vulnerabilities and breaches in the final product.
Cyber security is paramount in the banking sector, where constant vigilance against evolving cyber threats is necessary to protect sensitive data and maintain financial stability.
At Modeso, we start our development process with security in mind, meaning we define security risks yet at the requirements stage to protect our clients’ data and avoid reputational risks. This is how we build software that is resilient and secure – as demonstrated in our recent projects.
But why is secure SDLC that important for businesses to follow no matter what? Let’s clear things out.
As we briefly mentioned, SDLC is a critical aspect when talking about cyber security in banking. It involves integrating security into every phase of the software development process, from design to deployment. This approach helps financial institutions identify and address potential security vulnerabilities early on, reducing the risk of data breaches and cyber attacks.
A secure SDLC ensures that software applications are designed with security in mind, making it more difficult for cybercriminals to exploit vulnerabilities. This is particularly important in the banking sector, where sensitive customer data and financial information are at risk.
By implementing a secure SDLC, financial institutions can:
In this regard, some best practices for implementing a secure SDLC in banking include:
By prioritizing these practices, financial institutions can build robust and secure software systems that protect customer data and maintain the integrity of financial transactions, while avoiding some major security risks. But what risks are we talking about?
Insecure data storage, low-quality code, outdated infrastructure, and the list goes on. The way your software is built often determines whether it will suffer from vulnerabilities and let in threats, increasing the overall cyber risk. Here are the most common security risks we often come across in our work:
A significant concern is the potential for a data breach, which can lead to operational costs, loss of customer trust, and reputational damage.
Outdated technology, lack of support, insecure code, compliance issues, and limited integration ‒ that’s what we call a classic legacy software system. So it doesn’t come as a surprise that it’s an easy target for security threats. The same can be said about software lacking regular maintenance ‒ such systems are also in danger of being attacked. To keep banking institutions cyber secure, it is crucial to address these vulnerabilities through regular updates, adherence to regulatory best practices, and comprehensive cybersecurity frameworks.
When code lacks clarity, organization, and adherence to the best practices such as input validation, output encoding, error handling, and more, it becomes more prone to security vulnerabilities and flaws.
Weak authentication practices, such as inadequate password policies or storing credentials improperly, open the path for hackers to gain unauthorized access to sensitive data or functionalities.
If your software requires third-party integrations, it’s necessary to evaluate how secure these third parties are, especially when dealing with financial systems. Their flaws might serve as an entry point for attackers to gain access to your sensitive data.
When data is stored insecurely, it becomes vulnerable to unauthorized access, manipulation, or theft by malicious actors. What's more, it can lead to compliance violations resulting in severe penalties, fines, and legal consequences for an organization.
To mitigate security risks for our clients and safeguard their sensitive data, we implement comprehensive security solutions and set up a secure SDLC characterized by the following practices:
Effective risk management strategies are also crucial in addressing vulnerabilities brought by third-party integrations and adhering to financial industry standards.
OWASP, or Open Web Application Security Project, is a non-profit foundation that provides free tools and documentation to build and maintain secure web applications in the financial services sector. Its resources include OWASP API Security Top 10, a comprehensive guide that assists developers and organizations in prioritizing security measures and mitigating the most impactful security risks of application programming interfaces. Here’s the 2023 update of OWASP API Security Top 10:
For a better understanding, let’s look closer at one of the risks outlined ‒ Broken Authentication. OWASP provides a comprehensive overview of the vulnerability itself, including ways to prevent it, threat agents, security weaknesses, impacts, example attack scenarios, and more. By thoroughly examining the risk, developers can adopt proactive measures to mitigate its impact during the development process.
Now, let’s see how prioritizing security standards was put into action in our collaboration with Würth Financial Services, Switzerland’s leading insurance broker, and TWINT, the most popular payment app in the country.
We joined the project to help develop Insurhub – an app that aggregates insurance products from various providers and offers them to private clients through the TWINT app.
Security was a top priority for Insurhub, given the sensitive nature of payment information and user data. To protect sensitive information, we used encryption and stringent access controls to ensure that unauthorized access is prevented, while our code changes underwent thorough review processes to maintain integrity.
Penetration testing, or simply pen testing, involves simulating real-world cyberattacks on a computer system, network, or application to identify vulnerabilities and weaknesses. By testing the security measures implemented in the software, pen testing evaluates their effectiveness in mitigating cybersecurity risks, cyber threats, and protecting data assets.
Not every project requires penetration testing. It’s more common in fintech and medtech where sensitive user data is at stake. Because penetration testing requires specialized expertise in place, we usually engage a reliable third-party partner to conduct it for our clients.
When working with TWINT on three other projects ‒ Digital Voucher, Super Deals, and Storefinder – our security measures included penetration tests. To identify potential security vulnerabilities, our partners conducted tests covering a range of aspects, including network configurations, application vulnerabilities, and user access controls.
To mitigate risks associated with connecting disparate systems, applications, or networks in the financial sector, it’s essential to choose a secure integration strategy. It ensures that sensitive data transferred between systems remains protected from unauthorized access or interception. Organizations can safeguard data integrity and confidentiality by implementing encryption, access controls, and secure communication protocols.
We always have contractual obligations with third-party systems or services we integrate with, so such integrations are unlikely to pose any threats. We also implement authentication mechanisms like token-based and permission-based authentication to protect valuable data and secure its transfer. To identify vulnerabilities in dependencies, we use Dependabot. It scans the default branch of the repository to detect insecure dependencies and sends alerts so that a package is updated to a secure version or replaced with a secure alternative.
While integration partners may not always pose a threat, there are situations where risks may come from the company’s internal legacy systems. This is often the case in projects requiring the modernization of existing software while maintaining necessary integrations with legacy systems.
For example, in our collaboration with Albin Kistler, a prominent wealth manager in Switzerland, we needed to rebuild their custom-made database into a modern platform for investment portfolio analysis. The existing system relied on the outdated infrastructure which posed, among other things, security vulnerabilities. To eliminate security risks, we hosted the platform on a private cloud and implemented robust data validation measures when migrating data from the legacy system to the newly implemented solution.
The data storage you choose plays a crucial role in safeguarding against data breaches and unauthorized access, especially within the financial industry. Implementing secure data storage involves employing encryption techniques to protect data both at rest and in transit. Access controls and authentication mechanisms should be established to restrict unauthorized access to stored data. Regular data backups and disaster recovery plans should also be in place to mitigate the impact of potential data loss incidents.
Choosing reputable hosting providers with robust security measures and compliance certifications, such as AWS and GCP, can further enhance data protection efforts.
When considering where to host data, it’s crucial to prioritize locations that offer added legal and regulatory protections. Typically, we opt for GCP and AWS as our cloud providers. Given that most of our clients are situated in Switzerland, we store their data in data centers located within the country.
Limiting access to critical assets means controlling who can reach sensitive data or important systems. Let's say your system has three user roles ‒ an administrator, manager, and employee. An administrator has full access to all system resources, settings, and functionalities, while a manager can access solely system resources and data related to their department. An employee, in turn, has access only to essential tools, applications, and data required to perform their direct job responsibilities.
To confirm someone's identity before letting them in, developers usually use methods like passwords, biometrics, or multi-factor authentication. This way, they keep valuable data safe and make sure it stays private and accessible only to those who should have it.
We implement permission-based access control on almost every project we work with. One example is our collaboration with Rietman & Partner, a Swiss auditor and tax consultant.
Here we needed to develop a custom system that streamlines the company's auditing procedures. The core functionality of the system revolves around a set of rules governing the audit workflow. To safeguard data privacy and integrity, we established access controls where different user roles, such as auditors and lead auditors, can be allocated specific permissions for visibility and editing privileges, ensuring users engage solely with data relevant to their responsibilities.
To ensure the continuous delivery of secure software, you can integrate security practices into your DevOps workflow. This practice is called DevSecOps, and it's a great way to automate security processes throughout your software development lifecycle. It allows you to identify and remediate security vulnerabilities more efficiently.
DevSecOps includes incorporating security checks and tests into the CI/CD pipeline, such as static code analysis, vulnerability scanning, and automated penetration testing. Automated security tools can enforce compliance with security policies and standards, ensuring that security is not overlooked during the development process.
By adopting DevSecOps practices, software development teams can proactively address security concerns while maintaining the agility and speed of the DevOps approach.
But apart from the technical side of things, we should consider one more aspect. To some extent, it is more important than any robust business solution or teaming up with vetted developers who know everything about cyber security in the financial sector. And we’re talking about employee training and awareness.
Employee training and awareness are critical components of cybersecurity in banking. Financial institutions must educate their employees on the importance of cybersecurity and the role they play in protecting sensitive customer data and financial information.
Cybersecurity awareness training should cover topics such as:
Regular training and awareness programs can help employees:
Some best practices for employee training and awareness in banking include:
This proactive approach will help you not only protect sensitive data but will also foster a culture of security within the organization, ensuring that all employees are vigilant and prepared to handle potential cyber threats.
In conclusion, developing secure software requires a holistic approach that prioritizes security throughout the SDLC, especially in the realm of banking cybersecurity. By adhering to best practices and leveraging our expertise at Modeso, you can ensure that your software remains resilient and protected against evolving security threats. if you’re interested in building scalable and secure custom applications in line with security best practices.
Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information
