Ever since people started putting their money into banks and financial institutions, other people have sought to steal those deposits or otherwise fraudulently obtain those protected assets. Today, much of the money held by banks and other financial institutions is in digital form, and many of the sensitive records held by those firms can be just as valuable as the digital currency itself. But the reasons behind the targeting of financial institutions by threat actors remain much the same as they were in Sutton’s time over 100 years ago: that’s where the money — and at least some valuable personal data — is kept.

While the physical security at many banks today is impressive, with huge vaults, bullet-proof glass, silent holdup alarms, guards, and things like exploding dye packets ready to make strongarm robberies much more difficult, it’s often a different story when it comes to cybersecurity. Financial institutions require legions of skilled security personnel in order to overcome the many challenges facing their industry. That includes cloud misconfigurations, lax API security, and the many legacy bugs found in applications written in COBOL and other aging computer languages. And adding more fuel to an already challenging fire, in recent years, financial service institutions (FSIs) have also had to deal with increasingly distributed and hybrid workforces, which significantly expands the potential attack surface and adds yet another wrinkle to the challenge of cybersecurity.

Many FSI enterprises understand the immense value of having a core of security-aware developers trained in everything from modern cloud and API security to the perils found in legacy systems. Financial services are among the most attacked sectors of any industry, making it critical that developers operate at the highest level to produce secure code. It requires precise, immersive training programs that are highly customizable and matched to the specific complex environment that a financial services institution is using. That training regimen also requires significant flexibility so that developers can learn about the most modern aspects of cybersecurity — for example, how to eliminate API vulnerabilities — while also providing support for legacy languages like COBOL. It should also be hands-on, allowing developers to “learn by doing” in continuous contextual bursts that match what they will find in the real financial services environment they are supporting.

Developers with the right training can also help to support both modern and legacy applications by examining the existing code that makes up some of the primary vectors used to attack financial institutions. By providing that kind of training alongside things like incentives for security champions and privilege-based initiatives where only the best, most security-aware developers who have completed their training are allowed to work with critical assets, financial services firms can create a bulwark against even the most determined attackers. In my close workings with global financial institutions, I have experienced first-hand how receptive their security leaders can be to learning programs that align developers and AppSec professionals to common security goals and approach secure coding, in particular, with empathy for developers and how they experience security in their workflow.
This Cyber News was published on feeds.dzone.com. Publication date: Wed, 02 Oct 2024 14:13:06 +0000