What Does Compliance With OWASP Really Mean for Financial Institutions?
The latest Cost of Cyber Crime study by Accenture found financial services among the most targeted and vulnerable industries, with breaches tripling over the past five years. The financial services industry faces a multitude of cybersecurity challenges, one being the myriad of applications used and developed containing valuable transactional data and PII. Improper application development exposes vulnerabilities for hackers to target.
According to Contrast Labs research, the top 5 application vulnerabilities are:
- Sensitive data exposure – affects 69 percent of applications
- Cross-site request forgery – affects 55 percent of applications
- Broken authentication and session management – affects 41 percent of applications
- Security misconfiguration – affects 37 percent of applications
- Missing function level access control – affects 33 percent of applications
Additional research found that, of the software applications tested, 80% had at least one vulnerability. Since 87% of cybercrime costs in financial institutions are attributed to business disruption and data loss and only 13% to revenue loss, the long-tail aftermath of a data compromise far outweighs the revenue lost. Securing your network with proper application development starts with OWASP compliance.
How OWASP Compliance Mitigates Risk for Financial Institutions
Web application vulnerabilities are often the entry point of a successful phishing campaign. An application vulnerability is a weakness that can be exploited to compromise an application by attacking its confidentiality, integrity or availability (the CIA triad).
Due to the sensitive nature of the transactions and data housed by financial service applications, there are many additional government and appointed council regulations for privacy protection. Common policy practice mandates awareness training for OWASP’s Top 10 application vulnerabilities to comply with financial services PCI and PII requirements.
The Open Web Application Security Project (OWASP) focuses on improving the security of software by providing impartial, practical information on best practices and proactive controls. This well-respected organization was established to help financial institutions and other industries meet their Application Security Verification Standard (ASVS) and Payment Card Industry (PCI) requirements. OWASP’s proactive application controls educate on and prioritize the key components of application security that protect data and maintain the integrity of a software’s foundation (the CIA triad).
Using OWASP top 10 for your compliance framework:
ASVS — OWASP checklist helps to evaluate and test your application to meet ISO 27001 requirements allowing for formal audits and compliance certification
PCI — Annual PCI compliance requires a review of the OWASP Top 10 to create awareness and validate that your applications adhere to these secure coding standards
OWASP Compliance with SecurityIQ
Managing policy and compliance requirements is easy with SecurityIQ, a leading security awareness training and phishing simulation platform. Our OWASP Top 10 resources reflect the newest 2017 risk list. These ten short and digestible interactive training modules meet your policy needs while educating on the fundamentals of secure coding and raising awareness of the vulnerabilities and the damage they can cause.
SecurityIQ’s OWASP Top 10 Training Modules:
- Injection — details different types of injection and suggests effective mitigation strategies for the workplace
- Broken Authentication & Session Management — explains how it can allow attackers to assume other users’ identities
- Sensitive Data Exposure — demonstrates how sensitive data such as financial and PII can be used to steal or modify information and commit fraud
- External Entities (XXE) — covers how XXE attacks are executed and how to prevent those attacks on your application
- Broken Access Control — explains how broken access control can be leveraged to access others’ accounts, view sensitive files, modify user data and change access rights
- Security Misconfiguration — teaches how to define secure settings for all application components, and explains the dangers of insecure defaults and outdated software
- Cross-Site Scripting (XSS) — explains three types of XSS attacks and suggests XSS prevention measures
- Insecure Deserialization — covers best practices for serialization, the process of turning data objects into binary streams of data
- Components with Known Vulnerabilities — discusses use of components with known vulnerabilities that may undermine application defenses and enable various attacks
- Insufficient Logging & Monitoring — covers the risks associated with improper monitoring
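As an added illustration of two of the module topics above (Injection, and Insufficient Logging & Monitoring), the following Python example is not SecurityIQ training content or code from the original article. It uses an in-memory SQLite table with constructed account data to show an injection-prone lookup beside its parameterized form, and a minimal audit record that flags a single-account lookup returning more than one row, which is the kind of anomaly monitoring should surface. The table layout, usernames, balances and the audit-entry format are all assumptions made for this example.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample table; the names and balances are made up for this example.
SAMPLE_ACCOUNTS = [("alice", 1200), ("bob", 340), ("carol", 9800)]

Row = Tuple[str, int]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Injection-prone lookup: the untrusted value is spliced into the SQL text,
    so quote characters inside it change the structure of the query."""
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Hardened lookup: the value is bound as a parameter, so it is only ever
    compared as data and is never parsed as part of the SQL statement."""
    query = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Minimal audit trail, kept in memory for the example; a real deployment would
# forward these records to a log pipeline. A lookup keyed on one username
# should return at most one row, so anything larger is flagged for review.
AUDIT_LOG: List[dict] = []


def audited_lookup(conn: sqlite3.Connection, username: str,
                   lookup_fn: Callable[[sqlite3.Connection, str], List[Row]]) -> List[Row]:
    rows = lookup_fn(conn, username)
    AUDIT_LOG.append({
        "event": "account_lookup",
        "requested_username": username,
        "rows_returned": len(rows),
        "anomalous": len(rows) > 1,
    })
    return rows


# Constructed input containing a quote character, the classic case that
# parameterized queries exist to neutralize.
TAMPERED_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the tampered input and a normal one, and
    summarize rows returned plus the number of audit entries flagged."""
    conn = build_db()
    AUDIT_LOG.clear()
    leaked = audited_lookup(conn, TAMPERED_INPUT, lookup_vulnerable)
    safe = audited_lookup(conn, TAMPERED_INPUT, lookup_parameterized)
    normal = audited_lookup(conn, "alice", lookup_parameterized)
    return {
        "vulnerable_rows": len(leaked),        # every account in the table
        "parameterized_rows": len(safe),       # no username equals the literal
        "normal_rows": len(normal),            # exactly one row for "alice"
        "alerts": sum(1 for e in AUDIT_LOG if e["anomalous"]),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the fix the Injection module refers to; the audit record shows why the Insufficient Logging & Monitoring item matters, since without a per-request row count there is nothing for a detection rule to act on.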
Coming in August — OWASP Expanded Series!
We’re excited to announce an expansion of our current OWASP series, adding training modules for OWASP Top 25 in August! Customize your awareness program for developers and meet annual audit demands by delivering the right training to the right employees at the right time.
Establishing a baseline with a free phishing diagnostic test from SecurityIQ is a great way to evaluate your team’s phishing susceptibility and kick off your awareness program. Once you know who’s vulnerable, you can enroll them in training using any of the 300+ interactive training modules — including 25+ tailored to financial services! Learn more.