Security by design in the fintech sector

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Top Stories

Posted By Gbaf News

Posted on August 14, 2018

Security by design in the fintech sector

Phil Bindley, managing director at The Bunker

In recent years, the fintech industry has placed an emphasis on strengthening its defences against evolving cyber threats as sensitive data becomes more at risk to willing cyber criminals.

In fact, very recently, the World Economic Forum has led the creation of an industry consortium dedicated to improving cyber security in the fintech sector. These are positive steps, but it is worth bearing in mind that embedding security in everything from the get-go will help the cause even further.

One of the most debated areas in the software development arena is the importance of embedded security testing within the Software Development Life Cycle (SDLC). The juxtaposition of developing software in an agile manner and delivering the functionality and end user experience can create challenges, especially in the fintech sector where there are a lot of moving parts. However, if it is adopted successfully and balanced against a robust approach to security testing at all stages of the SDLC, this can result in code that delivers on both business and user requirements.

As data privacy and security becomes more paramount, fintech software developers need to invest in adopting a culture of security and realise the consequential benefits of doing so.

Balancing security with software development can be a tricky task – the requirement to develop at pace and enrich financial applications is the primary goal of a development team. But driving the product to deliver the functionality and a user-friendly experience demanded by the consumer should also be a priority, while making sure you are one step ahead of the competition. Then there is also recognising the costs incurred to the business when development delays happen for whatever reason.

However, integrated and embedded security testing should not be seen as just a tick-box exercise – it is simply sound business practice. Not only that, but it also makes commercial sense.

Alert Logic’s 2017 Cloud Security Report revealed that 73% of attacks are directed towards the web application layer. With insecure coding practices being stated as one of, if not, the singular most reason for this chosen attack vector, it is paramount that software developers and vendors recognise the vital nature of this and take proactive steps towards addressing this issue.

Software development is a complex process with different teams responsible for developing certain facets of the application. The danger is that this can lead to doors being opened to security threats. To counter this, a holistic approach is required to ingrain a responsible and pragmatic approach to the continual testing of the application’s security.

A typical process would begin at concept, functional requirements and specifications, technical requirements and specifications, design, coding and testing. This is all well and good and will bring the product to market quickly.However, without having security built in from the beginning, there are a number of potential risks to the sensitive information contained within fintech applications and software that won’t be addressed.

Information security principles such as the General Data Protection Regulation and requirements specific to the sector, including PCIDSS need to be considered at the conceptual, functional and technical stages of the product development. Enterprise security architecture and product standards should then be taken into account at the design stage, and the software should then be coded using development standards, practices, libraries and coding examples. Testing plans which detail the scope, approach, resources and schedule of intended test activities should also show how to verify each security requirement at the point at which the software is implemented. Procedures that address integrating existing authentication, access controls, encryption and backup will also need to be thought about.

It can be seen as an onerous process and counter intuitive at the beginning,especially with the added layers of complexity, time and cost to the SDLC, but it is important to consider how having these controls in place could benefit your product and business in the long-run.

Recommended for you