What Does Compliance With OWASP Really Mean for Financial Institutions?
The latest Cost of Cyber Crime study by Accenture found financial services among the most targeted and vulnerable industries, with breaches tripling over the past five years. The financial services industry faces a multitude of cybersecurity challenges, one being the myriad of applications used and developed containing valuable transactional data and PII. Improper application development exposes vulnerabilities for hackers to target.
According to Contrast Labs research the top 5 application vulnerabilities include:
Phishing simulations & training
- Sensitive data exposure – affects 69 percent of applications
- Cross-site request forgery – affects 55 percent of applications
- Broken authentication and session management – affects 41 percent of applications
- Security misconfiguration – affects 37 percent of applications
- Missing function level access control – affects 33 percent of applications
Additional research found of the software applications tested, 80% had at least one vulnerability. Since 87% of cybercrime costs in financial institutions attribute to business disruption and data loss and only 13% in revenue loss, the long-tail aftermath of data compromise far outway revenue lost. Securing your network with proper application development starts with OWASP compliance.
How OWASP Compliance Mitigates Risk for Financial Institutions
Web application vulnerabilities are often the entry point of a successful phishing campaign. An application vulnerability is a weakness that can be exploited to compromise an application, attacking confidentiality, integrity or availability known as the CIA triad.
Due to the sensitive nature of the transactions and data housed by financial service applications, there are many additional government and appointed council regulations for privacy protection. Common policy practice mandates awareness training for OWASP’s Top 10 application vulnerabilities to comply with financial services PCI and PII requirements.
Open Web Application Security Project (OWASP) focuses on improving the security of software by providing impartial, practical information on best practices and proactive controls. This well-respected organization was established to help financial institutions and other industries meet their Application Security Verification Standard (ASVS) and Payment Card Industry (PCI) requirements. OWASP proactive application controls educate and prioritize key components of application security to protect data and maintain the integrity of a software’s foundation (CIA triad).
Using OWASP top 10 for your compliance framework:
ASVS — OWASP checklist helps to evaluate and test your application to meet ISO 27001 requirements allowing for formal audits and compliance certification
PCI — Annual PCI compliance requires review of OWASP’s top-ten to create awareness and validate your applications adhere to these secure coding standards
OWASP Compliance with SecurityIQ
Managing policy and compliance requirements is easy with SecurityIQ, a leading security awareness training and phishing simulation platform. Our OWASP Top 10 resources reflect the newest 2017 risk list. These ten short and digestible interactive training modules meet your policy needs while educating on the fundamentals of secure coding and raising awareness to the vulnerabilities and possible damages.
SecurityIQ’s OWASP Top 10 Training Modules:
- Injection — details different types of injection and suggest effective mitigation strategies for the workplace
- Broken Authentication & Session Management — explains how it can allow attackers to assume other users’ identities
- Sensitive Data Exposure — demonstrates how sensitive data such as financial and PII can be used to steal or modify information and commit fraud
- External Entities (XXE) — covers how XXE attacks are executed and how to prevent those attacks on your application
- Broken Access Control — explains how broken access control can be leveraged to access others’ accounts, view sensitive files, modify user data and change access rights
- Security Misconfiguration — teaches how to define secure settings for all application components, and explain the dangers of insecure defaults and outdated software
- Cross-Site Scripting (XSS) — explains three types of XSS attacks and suggest XXS prevention measures
- Insecure Deserialization — overs best practices for serialization - the process of turning data objects into binary streams of data
- Components with Known Vulnerabilities — discusses use of components with known vulnerabilities that may undermine application defenses and enable various attacks
- Insufficient Logging & Monitoring — covers the risks associated with improper monitoring
Coming in August — OWASP Expanded Series!
We’re excited to announce an expansion of our current OWASP series, adding training modules for OWASP Top 25 in August! Customize your awareness program for developers and meet annual audit demands by delivering the right training to the right employees at the right time.
Establishing a baseline with a free phishing diagnostic test from SecurityIQ is a great way to evaluate your team’s phishing susceptibility and kick-off your awareness program. Once you know who’s vulnerable, you can enroll them in training using any of the 300+ interactive training modules — including 25+ tailored to financial services! Learn more.
See Infosec IQ in action
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- What Does Compliance With OWASP Really Mean for Financial Institutions?
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness