As the saying goes, money makes the world go round, and today’s turbulent economic environment demands a stable and secure financial system. People must be confident that they can access their funds and critical financial data whenever they want, without risking theft or loss. For centuries, the global financial system has been built on trust between banks and customers, with a small number of large institutions trading heavily on their reputation for reliability and security to generate lifetime loyalty. In the twentieth century, people were more likely to divorce their spouse than split from their bank.
However, the market has changed. Client demographics have shifted, and the age of the lifetime customer is over. Now, as the digital-native generation starts to assume the lion’s share of economic power, banks urgently need to do more to attract and retain customers. Customer experience is the new battleground and non-traditional market entrants are making the most of their agility to attract customers away from the giants that formerly dominated the sector.
At the same time, open banking facilitated by APIs, and the emergence of third-party platforms in the financial space are creating new opportunities to develop products that blur the boundaries between different types of financial services. This offers enormous potential that financial brands must turn into reality if they want to retain relevance and, ultimately, customers.
The result is a drive for rapid digital transformation at every level, from the monolithic backend operational systems to customer-centric mobile apps and highly personalized online services. Yet, amid all the urgency, established banks are acutely aware that they operate in one of the most heavily regulated and most frequently attacked industries in the world, so security and compliance considerations have to rank equally high.
Clearing the path to AWS cloud-native financial services software development
Leveraging the cloud to meet these demands for rapid innovation and infinitely scalable product development potential seems like a no-brainer. However, there has been caution among regulators and institutions when it comes to endorsing cloud approaches.
Earlier concerns over security, which acted as a brake on cloud migration programs, have largely been addressed, with the European Banking Authority and the Federal Financial Institutions Examination Council, among other national regulators, issuing clear guidelines on cloud outsourcing. Nevertheless, the risk-averse character of the industry has seen it lag other sectors. When choosing tools for developing new software and services there is caution and a strong preference for tried-and-tested solutions that are already proven to fit with existing compliance processes and frameworks.
Solutions providers aiming to help these institutions make the transition to cloud-native application development must recognize where they are coming from and tailor their offerings to solve the specific pain points the sector faces. These range from the compliance and governance requirements that must be satisfied before any workloads can be allowed to exist in the cloud, to the ever-present challenge of skills shortages around secure coding. On top of this, organizations need to know that the solution they select will scale while continuing to deliver the same levels of security assurance and governance. Finally, in an environment where development cycles grow ever-faster, application security tools must not have a negative impact on delivery schedules.
Taking all these factors into consideration, Checkmarx and AWS have devised solutions to clear the path to cloud-native application development for financial services organizations. AWS has a wealth of cloud compliance and governance resources designed to support organizations, including the Financial Services Industry Lens for the AWS Well-Architected Framework, which offers robust guidance on decision-making when building systems on AWS. AWS also offers workload isolation controls that allow financial services organizations to comply with data protection regulations.
When it comes to application security for software developed on AWS, the Checkmarx Application Security Platform integrates with AWS CodePipeline at key CI/CD pipeline stages to deliver frequent, fast code scans and actionable results. Running the scan as a pipeline stage, with a policy that decides whether the findings block promotion to the next stage, lets developer teams and their AppSec colleagues work together in a DevSecOps approach, ensuring applications are secure but, crucially, without putting the brakes on productivity.
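The following is an added illustration of the pipeline-gate step described above; it is not Checkmarx or AWS code, and the CLI invocation that produces the report is left out. It assumes the scanner exports its findings as a SARIF 2.1.0 document (a standard interchange format for static analysis results; the tool name, rule IDs, file paths and the policy thresholds below are constructed for the example). The gate discards findings an AppSec reviewer has already marked as suppressed, ranks the rest by severity, and returns the exit code the pipeline stage acts on.

```python
"""Pipeline gate: decide whether a SAST result set should block a deploy stage.

Reads a SARIF 2.1.0 report, drops findings already triaged as accepted
(SARIF "suppressions"), buckets the rest by severity and blocks when any
band exceeds the policy. Exit code 0 = proceed, 1 = block.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Policy assumed for illustration: max findings allowed per band; None = never blocks.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": None}

# Fallback when a rule carries no numeric security score: use the SARIF level.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def rule_scores(run):
    """Map ruleId -> numeric 'security-severity' (0-10) from the run's rule metadata."""
    scores = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        raw = rule.get("properties", {}).get("security-severity")
        if raw is not None:
            scores[rule["id"]] = float(raw)
    return scores


def severity_of(result, scores):
    """Bucket a result by numeric score if the rule has one, else by SARIF level."""
    score = scores.get(result.get("ruleId"))
    if score is None:
        return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def is_suppressed(result):
    """True when a reviewer has recorded the finding as accepted (false positive or accepted risk)."""
    return any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", []))


def evaluate(sarif, policy=DEFAULT_POLICY):
    """Return (passed, counts per band, findings sorted most severe first)."""
    counts = Counter({s: 0 for s in SEVERITIES})
    findings = []
    for run in sarif.get("runs", []):
        scores = rule_scores(run)
        for result in run.get("results", []):
            if is_suppressed(result):
                continue  # triaged noise does not re-enter the backlog
            sev = severity_of(result, scores)
            counts[sev] += 1
            loc = result.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append({
                "severity": sev,
                "rule": result.get("ruleId", "?"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    findings.sort(key=lambda f: SEVERITIES.index(f["severity"]))
    passed = all(policy.get(s) is None or counts[s] <= policy[s] for s in SEVERITIES)
    return passed, dict(counts), findings


# Constructed sample report for the example; not real scanner output.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "CWE-89", "properties": {"security-severity": "9.8"}},
            {"id": "CWE-79", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL built from request parameter"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/accounts.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-79", "level": "error",  # already triaged as a false positive
             "message": {"text": "Reflected input in template"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/views.py"},
                                                 "region": {"startLine": 17}}}],
             "suppressions": [{"kind": "external", "status": "accepted"}]},
            {"ruleId": "hardcoded-timeout", "level": "warning",  # no numeric score: level decides
             "message": {"text": "Magic number in retry loop"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client.py"},
                                                 "region": {"startLine": 5}}}]},
            {"ruleId": "log-format", "level": "note",
             "message": {"text": "Unstructured log line"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/log.py"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def gate(path=None, policy=DEFAULT_POLICY):
    """Pipeline-stage entry point: prints the prioritized list and returns the exit code."""
    if path is None:
        report = SAMPLE_REPORT
    else:
        with open(path) as fh:
            report = json.load(fh)
    passed, counts, findings = evaluate(report, policy)
    for f in findings:
        print(f"[{f['severity']:8}] {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print("counts:", counts, "->", "PASS" if passed else "BLOCK")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path of an exported SARIF file as the only argument; with no argument it evaluates the embedded sample, which blocks because the unsuppressed SQL injection finding lands in the critical band. Keeping the thresholds in a policy object rather than in the scanner call is what lets AppSec tune what blocks a release without touching the developers' pipeline definition.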
Busting through app backlogs – tactical actions and longer-term strategies
Another common feature of financial services organizations in the process of transformation is ever-growing backlogs. These often arise when the business demands more applications delivered in a shorter timeframe. The resulting pressure on developer teams means they struggle to keep up, and bottlenecks occur at critical points. One of these is often the security authorization stage, with AppSec teams typically brought in late in the cycle and given unrealistic deadlines in which to verify and resolve vulnerabilities.
Backlogs can grow to hundreds, even thousands, of apps causing inevitable frustration for line of business stakeholders awaiting delivery. Throwing resources at the problem doesn’t work, because AppSec skills are in limited supply and hard to recruit in the short term. Instead, Checkmarx proposes a two-pronged approach:
First, organizations accelerate their AppSec tactically by utilizing a managed service staffed by highly experienced experts who can apply their knowledge to the application backlog. They will push through remediations, while at the same time refining the business’s AppSec approach to better prioritize vulnerabilities and clear the noise out of scan alerts, so the most important vulnerabilities are fixed first, false positives are reduced, and the code base gets cleaner over time.
Second, the business works to build an AppSec mindset among its developer teams that will raise the quality of the code base gradually over time. This helps developers hone secure coding skills and address issues themselves early in the SDLC, long before those issues risk joining the backlog of applications still awaiting security authorization. Checkmarx Codebashing achieves this by delivering quick-hit lessons that developers can digest fast and implement straight away. With this approach, the business is investing in its own human capital and will benefit from a more skilled developer base that contributes to strengthening security posture, while at the same time alleviating the pressure on AppSec teams.
Making the transition to cloud-native software development is a strategic necessity for modern banks if they are to compete in the new era where customer experience is paramount.
Learn more about the challenges and opportunities for financial services institutions making the transition to cloud-native application development in our eBook, Banking on the Cloud, produced in conjunction with our partner, AWS.