New Research from Security Compass Benchmarks Application Security Practices within the Financial Services Industry

Study to Act as a Guide for CISOs Uncertain of How to Begin an Application Security Program, Prioritize Budget, and Set Appropriate Goals, Governance and Metrics

Toronto, Ontario, CANADA

TORONTO, ON--(Marketwired - March 07, 2017) - Security Compass, providing organizations with the knowledge, training and technology to make software secure, today announced the results of its first industry benchmark report, Managing Application Security: Insights from Financial Institutions. Conducted during the third and fourth quarters of 2016, Security Compass surveyed CISOs at leading financial institutions to determine application security practices, key business drivers and technology trends driving the sector. The survey findings show that while the majority of financial institutions, 75 percent, view application security as a high or critical priority, only half require third-party security vendors to have a formal policy or program in place. Even more alarming, 74 percent of potential vulnerabilities are either undetected or unfixed.

Agile development, a move toward third-party and cloud-based software, along with increased global regulatory scrutiny is putting new pressures on security teams within financial institutions. Overwhelmed by the enormity of securing entire software portfolios, while meeting regulatory compliance and keeping customer satisfaction high, many organizations struggle to initiate, structure and scale application security programs. With this research, Security Compass set out to create an industry benchmark to help financial institutions better understand how to effectively build their own application security programs and avoid costly lessons learned by their peers.

A summary of key findings follows:

  • Nearly 70 percent of application security teams are composed of a central group of application security experts, with champions in individual teams or business units.
  • Almost all respondents have secure coding standards and guidelines, but most could not validate how widely the standards were being followed.
  • Only eight percent track the amount of money spent on vulnerability remediation.
  • Dynamic analysis (DAST) and static analysis (SAST) tools place 4th and 6th on the list of the most broadly performed security activities out of 16 security activities surveyed. That said, these same tools leave nearly half (46%) of application-level risks undetected.
  • More than half of respondents procure at least 50 percent of their software from third-party vendors, with 17 percent relying primarily on outside software.
  • However, less than 50 percent require third-party vendors to have an application security policy.
  • Only eight percent provide detailed application security requirements as part of third-party software vendor contracts.

"Like the annual Verizon Data Breach Investigations Report (DBIR), we want financial institutions, and companies in all industries, to leverage this report to enhance their business cases, create sound application security programs, and push their agendas forward," said Rohit Sethi, Chief Operating Officer at Security Compass. "As the results of this survey indicate, simply selecting best practices from a secure software development lifecycle (SDLC) framework may not result in an ability to execute. Organizations should select security activities that meet their risk reduction and scalability goals and identify a trusted partner to help deploy an effective and budget-friendly AppSec program complete with training, expert consulting and automation."

Survey Methodology

This survey was conducted in-person, by phone and video conference from July-December 2016. Survey respondents consisted of security and risk personnel from 28 of the largest banks, insurance companies, payment companies, and investment firms by market capitalization in the United States and Canada. For complete survey methodology, see page 66 of Managing Application Security: Insights from Financial Institutions. To download a complete copy of the report, visit:

About Security Compass

Security Compass is an information security company that provides professional services, training, and enterprise platform solutions to help companies eliminate security vulnerabilities in mission-critical applications, minimize organizational risk, and easily meet regulatory and compliance standards. With Security Compass as a trusted information security partner, organizations can unify application security with business goals to build better, more secure software at the speed of business. Its flagship platform, SD Elements, is uniquely positioned to help agile organizations manage security throughout the entire software development lifecycle, from initial planning through to application release. The privately held company is headquartered in Toronto, with global offices in California, New Jersey and India. For more information, visit

Attachment Available:

Contact Information:

Media Contact:
April H. Burghardt
PR Consultant for Security Compass

Executive summary of key findings from, "Managing Application Security: Insights from Financial Institutions."