The CRASH Report, a study of the structural quality of applications, reveals that banks have some work to do when it comes to making their customer-facing applications structurally sound and secure -- especially as they innovate in the mobile channel.
New York-based software analysis company Cast Software recently released its second annual CRASH (Cast Report on Application Software Health) report, a study of the structural quality -- the engineering soundness of the architecture and coding -- of business application software. The study examined 745 enterprise software applications in 160 organizations across industries. For the banking industry, the most significant finding is that while most legacy core banking applications tend to be secure, the newer, customer-facing financial apps tend to have more structural flaws that could cause operational problems such as outages, performance degradation, breaches by unauthorized users and data corruption.
Bill Curtis, senior vice president at Cast Software and co-author of the CRASH report, says that there are a number of reasons for the disparity of structural soundness between older, back-end applications and newer, customer-facing apps. "These large legacy applications usually sit on mainframes and are not exposed to web. It's the exposure to the internet that opens the doors for hackers to come in," he explains, adding, "For 30 or 40 years the IT people at banks have been trying to eliminate all of the security holes in these legacy applications. They've really been working hard over a long period of time and have gotten common weaknesses out of the apps."
The programming language used to write the application also makes a difference in its structural soundness, according to Curtis. He says that many financial core applications have been written in the mature COBOL programming language, while customer-facing apps are being written in newer languages that tend to be less secure. On top of that, he notes, they're often built in several computer languages. "While developers often know a few languages very well, they don't know all of them," he says. "That makes it difficult to look at the entire app to make sure it's structurally sound."
The integration that modern, customer-facing apps require to operate introduces yet another challenge to achieving structural soundness, notes Curtis. "In the old days, we used to just build an application," he says. "Now that application interacts with a lot of other applications, which continues to create new ways to make mistakes. We're constantly learning about new problems."
Key to avoiding and combatting these application problems is continuing education, asserts Curtis. "Software engineering is a relatively new discipline," he says. "Computer science departments don't teach the engineering of how to apply computer science to the applications that run the banks. Once they get out into the real world there's an awful lot to learn."
At the very least, warns Curtis, all developers should be aware of the common known weaknesses that hackers tend to exploit and avoid them when building applications -- which is something he says isn't happening enough now. Banks can point their developers to the Common Weakness Enumeration website, a free resource that identifies these known weaknesses, and do upfront inspections of code against a checklist of them, he notes. Beyond testing and analysis of code design, Curtis says that bank IT departments also must do a static analysis that looks at the entire structure of an application, as well as a dynamic analysis that runs the code to look for performance issues.
As banks increasingly innovate in the mobile channel, taking the proper steps to ensure the structural soundness of applications becomes more important than ever, says Curtis. "Security will raise its head in new ways that are more taxing on the bank because of all the different ways hackers can reach them," he says. He acknowledges that mobile applications could be just as secure as other apps, saying, "I don't think we're there today, but we can get there."