Data Security

How should financial institutions reinvent security in a web tech era?

Mazy Dar

CEO & Co-Founder, OpenFin

As web technologies dominate the landscape, financial institutions are confronted with a crucial question: how can they upgrade their security game to fend off new threats?

  1. Financial institutions are facing new security challenges that require them to rethink their approach to safeguarding sensitive data and user information.
  2. While the rise of web technologies has brought significant benefits, increased interaction with external apps and content also introduces potential security vulnerabilities that cannot be ignored.
  3. Embracing a new security paradigm, inspired by industry leaders like Google, financial firms must prioritise regular upgrades and adopt a zero-trust model to protect against emerging threats and maintain a secure web environment.

To protect themselves in a world of web technologies, financial institutions must reimagine their approach to security.

Once upon a time, building secure software for the financial sector had a lot in common with building a castle: high walls and a wide moat were of the utmost importance. By isolating their technology from outside threats and performing only bespoke integrations with trusted third parties, financial institutions could avoid critical security vulnerabilities.

The rise of web technologies for application development has transformed this calculus. Financial institutions can realize numerous benefits from building with web technologies, from their versatility across platforms and devices to their reduced maintenance costs to their robust open-source communities. But there’s a flipside: this increased interaction with other apps and content creates new security challenges that financial institutions must recognize and account for.

For example, picture a development team relying on a given open-source library to increase productivity in building a new app. If the library contains any malicious code, that means the app will too. If undetected, the vulnerability will make its way onto the desktops of internal users and/or clients, putting sensitive information at risk and inviting severe financial and reputational loss. In this case, the same tools that fueled a better developer experience also created an additional point of security failure.

All this has left financial institutions at an inflection point. As industry standards for application development continue to evolve, firms must embrace security protocols that, rather than isolate them from all the innovations occurring in web environments, help them keep up with the pace of bug detection and reconciliation. Let’s explore how.

The new approach to web security

Chromium, the open-source codebase that powers Chrome, Microsoft Edge and several other web browsers, is a perfect example of what it means to prioritize web security in today’s dynamic environment. Financial institutions that fail to follow this model are opening themselves up to potentially severe consequences.

A new version of Chromium is released approximately every four weeks, with each one fixing an average of 20 Common Vulnerabilities and Exposures (CVEs); in the last year alone, the new versions have addressed 270 CVEs. These enhancements present tremendous security benefits, but many financial institutions, accustomed to lengthy deployment and upgrade cycles, do not consume them all – they upgrade at more of a yearly cadence. Do the math and you’re looking at a significant number of vulnerabilities left unaddressed for months at a time. Once the disclosure waiting period passes and the list of security fixes in each release is published, hackers can use that knowledge to target firms that failed to adjust.
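To make the "do the math" point concrete, here is a small model, added to this article and not code from OpenFin or LSEG. It takes the figures above as given (a release roughly every four weeks, about 20 CVEs fixed per release) and asks how many already-fixed-upstream CVEs a firm is still running at any moment, depending on how often it adopts new releases. The upgrade cadences compared (every release, quarterly, yearly) and the 364-day horizon are assumptions chosen for illustration.

```python
# Added example: exposure model for the Chromium upgrade-cadence argument.
# Not OpenFin's or LSEG's code; release interval and CVE count come from the
# article, the horizon and the compared upgrade cadences are assumptions.

RELEASE_INTERVAL_DAYS = 28   # article: a new Chromium version about every four weeks
CVES_PER_RELEASE = 20        # article: each release fixes roughly 20 CVEs
HORIZON_DAYS = 364           # assumption: model one year as 13 four-week cycles


def release_days(horizon_days=HORIZON_DAYS, release_interval=RELEASE_INTERVAL_DAYS):
    """Days on which a new upstream release ships (day 0 included)."""
    return list(range(0, horizon_days, release_interval))


def exposure_profile(upgrade_interval_days, horizon_days=HORIZON_DAYS,
                     release_interval=RELEASE_INTERVAL_DAYS,
                     cves_per_release=CVES_PER_RELEASE):
    """Walk the horizon day by day for a firm that adopts the newest release
    only on days that are multiples of upgrade_interval_days.

    Returns the peak and average number of CVEs that are fixed upstream but
    still unpatched locally, plus total CVE-days of exposure (the sum over
    all days of the unpatched count).
    """
    releases = release_days(horizon_days, release_interval)
    peak = 0
    cve_days = 0
    for day in range(horizon_days):
        last_upgrade = (day // upgrade_interval_days) * upgrade_interval_days
        # Every release that shipped after the firm's last upgrade is still pending.
        pending = sum(1 for r in releases if last_upgrade < r <= day)
        unpatched = pending * cves_per_release
        peak = max(peak, unpatched)
        cve_days += unpatched
    return {
        "peak_unpatched_cves": peak,
        "avg_unpatched_cves": cve_days / horizon_days,
        "cve_days": cve_days,
    }


def max_fix_lag_days(upgrade_interval_days, horizon_days=HORIZON_DAYS,
                     release_interval=RELEASE_INTERVAL_DAYS):
    """Longest time any upstream fix stayed published before the firm adopted
    it: the window during which the fix, and the CVE it closes, were public
    knowledge while the firm's deployment still lacked them."""
    worst = 0
    for r in release_days(horizon_days, release_interval)[1:]:
        # Next scheduled upgrade day on or after the release day (ceiling division).
        adoption = -(-r // upgrade_interval_days) * upgrade_interval_days
        worst = max(worst, adoption - r)
    return worst


if __name__ == "__main__":
    for label, cadence in (("every release", 28), ("quarterly", 91), ("yearly", 364)):
        p = exposure_profile(cadence)
        print(f"{label:>14}: peak {p['peak_unpatched_cves']:>3} unpatched CVEs, "
              f"avg {p['avg_unpatched_cves']:>6.1f}, "
              f"worst fix lag {max_fix_lag_days(cadence)} days")
```

Run as a script it prints one line per cadence. A firm that tracks every release carries no known-fixed CVEs; a quarterly cadence peaks at 60 and leaves some fixes unapplied for up to 84 days; a yearly cadence climbs to 240 unpatched CVEs with an average of 120 across the year and a worst-case lag of 336 days. The model deliberately ignores severity and emergency out-of-band patches, so it understates the case for staying current rather than overstating it.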

The importance of staying up to date has been magnified by changes in how security issues are disclosed. Project Zero – a team of security analysts focused on identifying zero-day vulnerabilities (the newest and most significant vulnerabilities) – is a good illustration. Project Zero performs vulnerability research on popular software like mobile operating systems, web browsers and open-source libraries. If Project Zero notifies a bank or technology vendor that its software is susceptible to a hack or exploit, the firm has a certain number of days (depending on the severity) to rectify the issue; once that period passes, the bug is made publicly visible. If the firm has addressed the vulnerability, all’s well that ends well, but if the firm failed to release a patch, it receives negative attention and its users are left vulnerable to hackers, who now have a blueprint to attack. In this way, watchdogs like Project Zero are providing financial institutions with a powerful incentive to rapidly respond to identified issues and take an active role in web security.

All of this reflects a new approach to ensuring web security. Security by obscurity, with firms retreating into their own silos and providers ignoring vulnerabilities that have yet to be discovered by hackers, is untenable. Instead, there is an assumption that every entity will leave no stone unturned on security – and that clear disclosure of the issues discovered, and of the steps taken to address them, makes the entire ecosystem stronger. This is much closer to a zero-trust model, in which all third-party code is assumed to be potentially malicious and steps to protect data and users are an absolute prerequisite.

Embrace efficiencies

To navigate this shifting security landscape, financial institutions must actively pursue new efficiencies. Even firms that are aware of the growing challenges will be hard-pressed to accommodate monthly upgrade cycles, let alone the emergency patches required when zero-day vulnerabilities are identified – unless, that is, they change their approach.

Chromium powers not only some of the world’s leading web browsers, but also leading desktop productivity platforms like OpenFin. We work tirelessly to remain co-stable with Chromium, so when Chromium is upgraded, our clients can realize the benefits – instantly. They’re assured that their data is protected, and they’re never left to scramble to resolve unforeseen issues. By outsourcing this crucial infrastructural work, financial institutions can focus on innovation and differentiation.

Adding additional security layers to the tech stack is another way that financial institutions can protect themselves. By running their software within an ecosystem of other trusted apps, firms can benefit from the openness of web technologies while retaining positive control over data sharing, access and the like. This is another priority made easier by collaborating with partners that have established industry footprints.

All of this may sound daunting, but it’s really a natural process. Web technologies have fueled vast advances in developer productivity, workflow efficiency and industry standards. Now it’s time for security protocols to advance in kind. Chromium’s tremendous investment in frequent security upgrades is making the entire industry safer, as well as providing firms a unique opportunity to do their part. Financial institutions would do well to think critically about their apps’ security and identify the best way forward – and then act on it.

OpenFin and LSEG

London Stock Exchange Group (LSEG) has selected OpenFin’s technology for its flagship LSEG Workspace platform. The partnership will leverage OpenFin’s secure zero-install delivery model and container technology to simplify distribution of LSEG’s next-generation data and analytics to customer desktops.

“We’re focused on openness, accessibility, and giving our customers flexibility to build the seamless experiences that help them enhance their productivity… OpenFin presents us a scalable way of meeting our customers at the location of their choice.” – Nej D’Jelal, LSEG and OpenFin: Igniting Innovation Webinar.

Igniting Innovation – Click here to watch our recent discussion with Adam Toms, CEO Europe – OpenFin, and LSEG’s Group Head of Workspace Platform, Nej D’Jelal.

Legal Disclaimer

Republication or redistribution of LSE Group content is prohibited without our prior written consent. 

The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.

Copyright © 2023 London Stock Exchange Group. All rights reserved.