When you think of the term "hacker," you probably imagine teenagers in Guy Fawkes masks breaking into celebrity iCloud accounts, or Russians with armies of compromised servers crawling the web for exposed credit card data. However, the most dangerous threat facing our IT infrastructure doesn't come out of a Hollywood summer blockbuster.
The real problem lies in easily identifiable software vulnerabilities that are present in most enterprise applications. These vulnerabilities are welcome mats for attackers, who can exploit them to find and exfiltrate information, install malware, or crash the application outright. Embarrassingly, we've known about these classes of vulnerabilities for two decades.
Recent findings in our ongoing research on application health unearthed an average of 50 to 100 input validation flaws -- the same class of defect as Heartbleed, where a length field supplied by the peer was trusted without a bounds check -- in 70 percent of major financial services applications. If your 2015 IT risk management playbook doesn't have a plan to stop these vulnerabilities from being introduced into your software, you're leaving your organization open to serious risk.
No easy button
Unfortunately, there isn’t a “more secure” button you can press for a bulletproof application portfolio. The entire software creation process is a balancing act among robustness, security, and speed of delivery. If you want your application to be ready as quickly as possible, you’ll have to cut a few corners around robustness. And on Wall Street, that’s exactly what we try to do.
Wall Street is inherently a risk-taking culture where the goal is always to make money before the other guy does. So it makes sense to roll the dice and push an application into production that might not have airtight security. Besides, our rockstar programmers know what they're doing and can fix it once they find any holes. But applications are becoming too complex and distributed for even the rockstars to handle, and the more quality is sacrificed to the schedule, the less robust and secure the result.
It's not the rockstar programmers who are to blame for leaving security vulnerabilities in the code. Developers in the financial services industry are some of the best at what they do, but they're faced with tough constraints. They are under incredible pressure to deliver a sound product on time, and one that performs fast. Certain pockets of the industry turn to the programming languages C and C++ because they offer very detailed control over how an application accesses the computer's memory, which can greatly increase performance. But that same control means a single unchecked length field or array index becomes a memory-safety bug rather than a caught exception, so it takes a lot of examination and defensive coding to ensure an application's security is airtight before it goes into production.
Many security experts claim that coding in C and C++ at all is a liability. But until more modern programming languages can meet or exceed their performance, developers in ultra-high speed environments aren’t going to be switching anytime soon. That means they’ll need to find a way to incorporate secure coding practices with their high-performance coding practices so they don’t leave tiny slivers of their systems open to hackers.
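The kind of input validation flaw the research counts, and the defensive check that removes it, can be shown in a few lines of C. The following is an added example written for this article, not code from CAST, from any financial services application, or from OpenSSL. The wire format (one type byte, a two-byte big-endian length, then the payload) and the sample messages are constructed for illustration and do not correspond to any real exchange protocol. The unchecked parser trusts the length field from the wire exactly as the vulnerable Heartbleed code did; the checked parser validates the declared length against both the bytes actually received and the destination buffer before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format: [type:1][len:2 big-endian][payload:len].
 * Both parsers copy the payload into a fixed-size record. */
#define MAX_PAYLOAD 64

struct record {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* VULNERABLE: the length comes straight from the peer and is never checked.
 * A declared length larger than the bytes received reads past the end of
 * buf (an over-read, the Heartbleed pattern); a declared length larger
 * than MAX_PAYLOAD writes past the end of rec->payload (a stack or heap
 * overflow, depending on where the record lives). */
int parse_record_unchecked(const uint8_t *buf, size_t buflen, struct record *rec)
{
    if (buflen < 3) return -1;
    rec->type = buf[0];
    rec->len  = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(rec->payload, buf + 3, rec->len);   /* rec->len is attacker-controlled */
    return 0;
}

/* HARDENED: validate the declared length against the destination buffer
 * and against the bytes actually available before any memory is touched.
 * Return codes: 0 ok, -1 malformed header, -2 exceeds MAX_PAYLOAD,
 * -3 declared length exceeds the bytes received. */
int parse_record_checked(const uint8_t *buf, size_t buflen, struct record *rec)
{
    if (buf == NULL || rec == NULL || buflen < 3) return -1;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > MAX_PAYLOAD)          return -2;  /* would overflow rec->payload */
    if ((size_t)len > buflen - 3)   return -3;  /* would read past the input; buflen >= 3 so no underflow */
    rec->type = buf[0];
    rec->len  = len;
    memcpy(rec->payload, buf + 3, len);
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_MSG[]      = {0x01, 0x00, 0x05, 'H', 'E', 'L', 'L', 'O'}; /* claims 5, carries 5 */
static const uint8_t TRUNCATED_MSG[] = {0x01, 0x00, 0x10, 'H', 'E', 'L', 'L', 'O'}; /* claims 16, carries 5 */
static const uint8_t OVERSIZED_MSG[] = {0x01, 0xFF, 0xFF, 'H', 'E', 'L', 'L', 'O'}; /* claims 65535 */

/* Helpers that exercise the hardened parser on each sample and return the
 * result, so the behaviour can be checked without running the vulnerable
 * parser on malicious input (which would be undefined behaviour). */
int example_good(void)
{
    struct record r;
    return parse_record_checked(GOOD_MSG, sizeof GOOD_MSG, &r) == 0 ? (int)r.len : -1;
}
int example_truncated(void)
{
    struct record r;
    return parse_record_checked(TRUNCATED_MSG, sizeof TRUNCATED_MSG, &r);
}
int example_oversized(void)
{
    struct record r;
    return parse_record_checked(OVERSIZED_MSG, sizeof OVERSIZED_MSG, &r);
}

int main(void)
{
    struct record r;
    /* The unchecked parser behaves identically on well-formed input, which is
     * why the flaw survives functional testing. */
    parse_record_unchecked(GOOD_MSG, sizeof GOOD_MSG, &r);
    printf("unchecked, good message: type=%u len=%u\n", r.type, r.len);
    printf("checked, good message:      payload len %d\n", example_good());
    printf("checked, truncated message: rc %d (rejected)\n", example_truncated());
    printf("checked, oversized message: rc %d (rejected)\n", example_oversized());
    return 0;
}
```

The point for reviewers and static analysis is that the two parsers are indistinguishable on every well-formed message; the flaw only shows up when the declared length and the real length disagree, which is exactly the case a functional test suite written from the specification will never exercise.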
Since most financial services applications are multi-component, multi-tier, and multi-technology, it requires a panoramic technical understanding across the application architecture to spot resilience and security problems. And even though you might be paying your developers like the starting lineup of the New York Yankees, that level of technical understanding is beyond even the best of the best. It is inappropriate and unfair to ask developers to self-manage systems that are beyond their scope.
It’s time for IT management to stop leaving the question of robustness and security purely to the technologists. Even managers who cannot describe the inner workings of their company’s software architecture can direct their development teams through a layer of technical product governance that provides real-time analytics for robustness, security, and performance.
This might sound daunting, but it doesn’t require going back to school, or changing programming languages, or ripping out your entire infrastructure and starting from scratch. It just requires a change in attitude:
- It doesn’t matter how talented your programmers are; development does require adult supervision.
- You have to measure more than speed to delivery; robustness and security should be KPIs that affect compensation as well.
- Deployment decisions should be based on more than launch days and gut reactions; real-time robustness and security analytics can help reduce costs and security incidents in the future.
By putting an end to these easily identifiable software vulnerabilities, we can begin to stem the tide of software glitches and hacks that have been sweeping through financial services over the past decade. Or, at the very least, take away the welcome mat hackers have been using for years without consequence.

Lev Lesokhin is executive vice president of strategy for CAST. He is responsible for market development, strategy, thought leadership and product marketing worldwide. He has a passion for making customers successful, building the ecosystem, and advancing the state of the art ...