During FS-ISAC last week, we had our ears to the ground, chatting with security folks about their concerns, challenges and hopes for application security testing. Here we distill some of our observations and data to discuss the state of application security in the financial sector.

We all know that banks are a financial record goldmine for a data breach…

The 2016 Verizon Data Breach Investigations Report found that outside of the public sector (47,237 breach incidents) and the entertainment industry (2,707 breach incidents), the financial industry racked up more than any other single industry in the report – a whopping 1,368 breach incidents in 2015.

And it makes sense – banks and financial institutions hold some of the largest collections of sensitive, private and valuable information in the world. Their records are useful for conducting identity theft and fraud, and they have a long shelf life. No financial system or application is safe from attack.

The risk of data loss, coupled with the real threat of an attack, is driving U.S. financial institutions to be the largest and fastest-growing private-sector cybersecurity market, with a cumulative 2016-2020 forecast destined to exceed $68 billion. What is it spent on? From data collected in a recent survey we conducted, we found that financial services organizations generally follow fairly comprehensive AppSec practices:


[Figure: Application Security Practices Implemented by Financial Services Organizations]


However, as risk in the financial sector increases with more complex web and mobile applications, traditional app testing methods struggle to keep up and attacks are still on the rise.

The same report notes a significant rise in web application attacks across the board, and specifically for financial services organizations – which rose to 82% of all web app attacks, up from 31% in 2015.

Bug Bounty Trends in the Financial Sector 

In the past three years, we have seen a 400% increase in crowdsourced application security programs started by financial institutions, and financial services is our third-largest represented industry.

These organizations have unique attributes and trends, which we will report in our upcoming financial services case study. Some key points:

  • The average payout per bug in financial services organizations is $323, which is higher than the average payout per bug in all programs we’ve run.
  • Roughly 60% of bounty programs run by financial sector institutions were private.


[Figure: Financial Services Bounty Programs by Type]


Private programs may be preferred for a wide range of reasons, including access to a private crowd of researchers, the ability to use more controlled testing environments, and the ability to test applications with sensitive data.

  • When surveyed, our current customers in the finance sector reported that the most valuable aspects of crowdsourced security testing were creative testing methods, the skill sets and expertise of the crowd, and the volume of bug hunters testing applications 24/7.

One of our financial sector customers, Western Union, kicked off their private bounty program about two years ago, and have since taken their program public. David Levin, their Director of Information Security and End User Technology, discusses the value of crowdsourced security testing and how a complex organization such as Western Union can harness the volume, diversity and quality of our crowd…

For more information on these trends and results, as well as data on financial sector companies who aren’t running crowdsourced AppSec testing programs, sign up to receive our upcoming Financial Services case study:

Sources Referenced in this Post:
  1. 2016 Verizon Data Breach Investigations Report
  2. U.S. Financial Services: Cybersecurity Systems & Services Market – 2016-2020
  3. Verizon 2015 Data Breach Investigations Report