When it comes to developing applications that handle such sensitive information, making sure security is baked into every step of the SDLC is crucial.
Banking has gone digital. Nearly every major bank offers both an online portal as well as a mobile app, and people seem to prefer it that way. A recent PwC survey found that 46% of consumers only use online banking, a massive jump from their previous survey in 2012, in which only 27% used online banking exclusively.
For banks and other financial institutions, offering an online app that allows either online or mobile banking access is now a necessity when looking at those numbers. Users crave the convenience that comes with banking on the go, and while the advantages that come with being able to perform personal banking on your mobile or computer is undeniable, another question still persists: Just how secure are these online banking apps?
Research that was released at the end of 2017 may offer an answer to that question. The research, carried out at the University of Birmingham, found security issues in mobile banking apps that could leave millions of their users open to attacks. The main issue they found pertains to a flaw in certificate pinning, which meant that tests were failing to detect “a serious vulnerability that could let attackers take control of a victim’s online banking,” The Register said.
It’s security issues like this that show just how important it is to cover all your bases when developing digital banking apps. While digital banking can help foster new connections and offer new and innovative services, thus bringing more gains for financial institutions, digital banking also carries plenty of risk.
7 Critical Steps for Banking App Developers
While consumers carry a burden of security that includes using secure wifi to access their banking app, locking their devices when not using them, using a unique password, and not using public computers to access their accounts, the main burden of ensuring customers’ security is on the banks. Or rather, the developers and teams working on the applications.
Developing an SDLC, or software development lifecycle, is vital to the continued development of secure applications. The SDLC will put in place a strategy for making sure security is built into the product, without slowing the development process down. Here are seven critical steps in the SDLC that developers and security teams should work together on to ensure the release of a secure online or mobile banking app.
1. Establish Security Requirements
The first step is to understand the security requirements of the banking app. Because of the sensitive nature of banking apps, it is important to assign at least one member of the security team to work with the build team – and this partnership needs to begin before development does.
During this part of the SDLC, development and security should identify the key security risks within the software, including what standards (both organizational and legal/regulatory) the software must follow. Stakeholders from both development and security teams should be identified to make sure communication is clear from the outset, and any gaps in the process should be noted. Only once security requirements have been established and agreed upon by all parties can development begin.