Experts in cyber security and software have identified legacy technologies in the financial services (FS) sector to be a major risk.
The 2017 CRASH report from CAST Research Labs aims to identify the global trends in structural software quality in professional organisations. The FS sector was found to be particularly susceptible to attack due to 'legacy' technology.
This refers to outdated systems that have been inherited from previous processes or that have failed to be modernised and brought in line with up-to-date standards.
Software security was assessed by the researchers in 329 organisations across eight countries on the basis of five 'health factors':
- Robustness, meaning the likelihood of outages and data corruption, and the ease of recovery from them;
- Security, particularly historical breaches and violations of safe coding practices;
- Performance efficiency and resource use;
- Changeability or ease of updating;
- Transferability, assessing how well the code is organised and how difficult it is for new staff to learn.
FS firms displayed inconsistent levels of quality and were found to have significantly lower overall robustness and security scores than, for example, governmental systems.
While this is a cause for concern given the volume of sensitive data stored by such organisations, the report points out that averages were skewed toward a high concentration of poor scores at the lower end of the sector's scale.
For example, in the categories of robustness, security and performance efficiency, FS firms had both the highest and the lowest health factor scores, reflecting the wide variation in size and capability among the organisations included.
Poor performance levels were linked to the prevalence of COBOL code in core transaction systems, which remain staples in FS, and to rarely upgraded applications running alongside newer additions such as client mobile apps.
Dr Bill Curtis, Senior Vice President and Chief Scientist at CAST Research Labs, said: “Lack of security architecture combined with porous code in legacy systems produce easy targets for hackers. This is especially concerning in Financial Services applications.
“Despite the push to ‘go digital’ our CRASH Report findings indicate there is a significant amount of bad code lingering in enterprise systems. The takeaway for IT is clear: poor software quality is exposing many businesses to excessive risk.”