Security challenges in the financial sector⎪Max Imbiel (CISO, Bitpanda)

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

With his extensive experience in the security of the financial sector, I had the chance to learn from Max about the unique challenges of building secure financial applications and what the explosion of decentralized finance might bring. Dive right in!

Max's background

Max is the driving force behind “Ahead Security,” an agency specializing in vCISO activities, and currently serves as the CISO at BitPanda, an online crypto trading platform. 

Max’s career began in IT and software development and took him through various industries, with the last one being finance. His notable leadership roles include Deputy CISO at UniCredit Bank and, most recently, Deputy Group CISO at N26. Max is also a frequent keynote speaker and an ambassador for Mission TOP 5, a community organization that aims to propel Germany into the top 5 digital nations in Europe by 2025.

Watch the full interview below:

The evolution of financial security: Lessons from industry experts

The financial sector, historically the most targeted by cyber threats, has seen a notable shift in how security is approached, particularly influenced by the COVID-19 pandemic which accelerated the digital transformation and reliance on third-party service providers.

The shift to outsourced development and its implications

In recent years, established banks have increasingly outsourced their software development and services. This trend, accelerated by the pandemic, has led to a dependency on third-party service providers. However, this shift has not always been accompanied by stringent security measures, resulting in significant data breaches.

A major data breach in Germany highlighted the risks associated with outsourcing. A single company providing services to multiple banks was breached, compromising the data of nearly all its clients. This incident underscored the need for robust security measures when partnering with service providers.

To mitigate such risks, it is crucial to focus on governance, risk, and compliance (GRC) aspects of security. Meeting regulatory requirements is essential, but going beyond compliance to ensure comprehensive security is even more critical. This includes securing the supply chain and ensuring that service providers adhere to stringent security standards.

The upcoming Cyber Resilience Act (CRA) emphasizes the importance of security by design and security by default for all service providers. This legislation aims to ensure that security is integrated into the development process from the outset, rather than being an afterthought.

"The Cyber Resilience Act takes very serious for all service providers to have security by design security by default."

The challenge of modernizing legacy systems

For traditional banks, the transition to digital-first solutions presents unique challenges. Their systems, often described as 'jigsaw puzzles', need to integrate with various backend systems, some of which may be outdated. This integration complicates security and user experience, making it difficult to provide seamless digital services. Fintech companies like N26, which built their IT infrastructure from the ground up, do not face these legacy issues, allowing them to prioritize security and user experience more effectively.

With traditional banks and fintech companies adopting different approaches to security, understanding the nuances between these two types of institutions can provide valuable insights:

Integration of Security:

• Traditional Banks: Often face challenges integrating security into legacy systems, which can be complex and costly.
• Fintech Companies: Benefit from building security into their systems from the ground up, making it easier to implement modern security practices.

Regulatory Compliance:

• Traditional Banks: Have established processes for regulatory compliance but may struggle with the agility required to adapt to new regulations.
• Fintech Companies: Must navigate a complex regulatory landscape but can be more agile in adapting to new requirements.

User Experience:

• Traditional Banks: May struggle to balance security with user-friendly design due to the complexity of their systems.
• Fintech Companies: Prioritize user experience, often resulting in more intuitive and user-friendly applications.

Risk Management:

• Traditional Banks: Rely heavily on third-party risk management due to extensive outsourcing.
• Fintech Companies: Often manage risk internally, leveraging modern technologies and agile practices.

Key security measures

Max offers several measures to enhance cybersecurity in the finance industry. Here are the key steps he recommends:

1. Secure the Supply Chain

Max emphasizes the importance of securing the supply chain. He states, "We need to take care of our own developments as well as the developments of a service provider that we also." Ensuring that both internal and external developments meet security requirements is crucial.

2. Implement Security by Design

Max highlights the need for security by design. He mentions, "The Cyber Resilience Act takes very serious for all service providers to have security by design security by default." Integrating security measures from the beginning of the development process can prevent vulnerabilities.

3. Conduct Continuous Testing

Continuous testing of environments and products is essential. Max advises, "Do we do continuous testing of our environments, of our products?" Regular testing helps identify and mitigate potential security risks.

4. Adopt a Software Bill of Materials

Max suggests implementing a software bill of materials for transparency. He explains, "With that transparent view on what is actually being used on the product side, right? And what is all in there? I think this really helps in protecting that way, way more." Knowing the components of your software can aid in identifying vulnerabilities.

5. Perform Threat Modeling

Threat modeling is another critical measure. Max asks, "Do we all do a good threat modeling?" Identifying potential threats and vulnerabilities early in the development process can help in designing effective security measures.

6. Implement a Secure Development Lifecycle

Max stresses the importance of a secure development lifecycle. He states, "Do we have a secure development life cycle implemented?" Ensuring that security is integrated at every stage of the development process can significantly enhance cybersecurity.

7. Conduct Regular Risk Assessments

Regular risk assessments are vital for maintaining security. Max mentions, "Only with proper risk management, the banks can really determine if they want to launch a new, a certain new product, right? Or if they want to jump into a new market." Understanding and managing risks can help in making informed decisions.

8. Train Employees

Max underscores the importance of training employees. He says, "A good, quick win if you don't do something like that." Educating employees about security best practices can make them the first line of defense against cyber threats.

9. Ensure Compliance with Regulatory Requirements

Compliance with regulatory requirements is non-negotiable. Max notes, "We still meet the requirements that we need to meet due to regulatory requirements." Adhering to regulations can help in avoiding legal issues and enhancing overall security.

10. Foster Trust in Partnerships

Trust is crucial when partnering with external service providers. Max states, "Trust is, I think, the perfect word here." Ensuring that partners meet security standards and can provide evidence of their security practices is essential.

Security Implications of Different Coding Languages

Max also provides valuable insights into the secure development lifecycle and the security implications of different coding languages in financial application development.

Traditional Languages:

• Java and C++:
  • Strengths: Widely used and well-understood, with extensive libraries and frameworks.
  • Weaknesses: Prone to memory management issues and vulnerabilities such as buffer overflows and memory leaks.
  • Security Measures: Requires robust security practices, including manual memory management and extensive testing.

Modern Languages:

• Rust and Go:
  • Strengths: Designed with security in mind, offering features like memory safety and concurrency support.
  • Weaknesses: Newer languages with a smaller pool of experienced developers.
  • Security Measures: Built-in safety features reduce the risk of common vulnerabilities, making them more secure by default.

Max's Assessment:

Max emphasizes the importance of using memory-safe languages like Rust and Go in financial application development. These languages inherently reduce the risk of vulnerabilities related to memory management, which are common in older languages like Java and C++. By adopting modern languages, financial institutions can enhance the security of their applications and reduce the likelihood of successful attacks.

The future of Decentralized Finance

Max believes that DeFi is here to stay and will continue to grow in significance. He states, "DeFi is something that will never go away anymore. So we all have to figure out how to probably do DeFi right." Companies that excel in DeFi are those that have positioned themselves as significant market players, aiming for substantial growth and offering improved financial solutions to a broad audience. These companies often seek regulatory licenses to demonstrate their commitment.

Max highlights that some companies are already excelling in the DeFi space by prioritizing security and regulatory compliance. He notes, "There are definitely a couple of companies out there who are doing this already quite well because they have also considered themselves to be a player on the market that wants to grow substantially and provide their offerings to a lot of people out there so that they have a better and easier way to improve their finances."

Regulatory compliance and security

Max emphasizes the importance of regulatory compliance in proving a company's commitment to security. He explains, "Those companies strive for proving their ambitions by acquiring certain licenses from regulators that prove that they do actually take care of these things and that they have a value in security." This approach not only builds trust with users but also ensures long-term sustainability and resilience.

Due diligence for investors

For individuals looking to invest in DeFi, Max advises conducting thorough due diligence. He suggests, "If you want to invest yourself into DeFi, this is kind of like the due diligence that you as a person need to do yourself to really figure out who would be the right partner for me to invest my money in." He stresses the importance of choosing partners who have demonstrated their commitment to security and regulatory compliance.

The role of certifications

Max points out that certifications can be a key indicator of a company's security posture. He states, "If you work together with someone who has proven that they have acquired certain licenses in countries like in Germany, if you have a Cryptocurrency holding license from the German regulator, that already shows that you have actually quite a level of sophistication, resilience, and how you do risk management."

The future of digital currencies

Max is optimistic about the future of digital currencies and their impact on the financial sector. He predicts, "Certain trends that will definitely emerge over the next couple of years are also the trend of having a definitely a digital currency in various countries. The digital Euro is something that is actively being worked on just like the digital US dollar." He believes that these developments will further integrate DeFi into mainstream financial systems.

Recommendations for newbies in the security field

Entering the field of security can be daunting, but Max offers valuable advice for those just starting out. Here are his key recommendations:

Be open-minded

Max emphasizes the importance of being open-minded when entering the security field. He states, "Be completely open-minded to what you want to jump into because our field is so diverse and we have so many different things to look at." This openness allows newcomers to explore various areas within security and find their niche.

Focus on a specific area

Max advises focusing on a specific area of security to start with. He suggests, "Consider something as a start where you can focus on and not just trying to grasp your head around everything." Whether it's application security, infrastructure security, product security, or network security, honing in on one area can provide a solid foundation.

Leverage your background

For those with a technical background, Max recommends leveraging that experience. He notes, "If you're technical, there are stuff like application security, infrastructure security, product security, network security." Utilizing existing skills can make the transition into security smoother and more effective.

Seek junior positions

Max encourages newcomers to apply for junior positions, even if they lack formal security experience. He advises, "Look out for some kind of junior positions that are offered by companies and just apply, even if you don't have maybe like a certificate or something like that yet." Demonstrating passion and a willingness to learn can be more valuable than formal qualifications.

Highlight your ambition

Max values ambition and attitude over existing skills. He states, "Show why you wanna still do it. Very often, I would choose you way more than the next guy that is saying I've been doing this for years, but also I have no ambition." Highlighting your enthusiasm and commitment can set you apart from other candidates.

Continuous learning

Max underscores the importance of continuous learning in the security field. He suggests, "Develop yourself into the area that you deem yourself fit into." Whether through formal education, certifications, or self-study, ongoing learning is crucial to staying current in the ever-evolving field of security.

Conclusion

The financial sector is undergoing significant changes with the rise of DeFi and digital currencies. Companies must prioritize security and regulatory compliance. By adopting secure development practices and building trust with investors, financial institutions can ensure their long-term success.

The financial sector's journey towards robust cybersecurity is ongoing and multifaceted. By learning from past breaches, prioritizing comprehensive risk management, and embracing regulatory frameworks, financial institutions can protect themselves and their customers from the threats of the digital age. As the sector continues to innovate, the focus on security must remain at the forefront, ensuring that growth and expansion do not come at the expense of safety and trust.

Recommended reading:

1. Project Zero Trust by George Finney - A comprehensive guide to implementing zero trust principles in an organization.
2. Social Engineering: The Science of Human Hacking by Christopher Hadnagy - An insightful book on the tactics used in social engineering and how to defend against them.
3. Blackout by Marc Elsberg - A fictional yet realistic portrayal of the societal impact of a massive energy blackout, highlighting the importance of cybersecurity in critical infrastructure.

💡Want to learn more? Discover the following articles:

• Lack of effective DAST tools⎥Aleksandr Krasnov (Meta, Thinkific, Dropbox)
• The art and science of product security: A deep dive with Jacob Salassi
• Adversarial machine learning: what is it and are we ready? ⎜Anmol Agarwal
• Is Gen AI your new AppSec weapon?