The Future of FinTech AppSec Is Brighter Than You Think

The security industry has the unenviable task of educating and reminding organizations of the rising risks to their FinTech applications and customers’ data. They’re certainly not wrong — financial services incur the highest cybercrime costs of all industries. In general, companies spend an average of $13 million fighting cybercrime annually (for banks, that figure is more than $18 million). The costs are increasing, and so are the attacks.

However, while the landscape can seem bleak, these conversations often belie another aspect of the security industry — the fact that there are many reasons to be optimistic. This was especially apparent in the recent virtual roundtable that we hosted with some of the best AppSec minds in the FinTech space. The panel featured Erick Lee, Director of Security at Intuit; Jeremiah Kung, First Vice President and Global Head of Digital CyberSecurity at East West Bank; and Karthik Rangarajan, Security Lead at Robinhood. I had the pleasure of moderating the conversation.

The group discussed trends, what they’re doing that’s working, and tips for fellow security leaders who are spearheading application security at their organizations. The upshot: For companies big and small, there’s a lot of exciting work and creative thinking happening around application security — and it’s not just relegated to AppSec teams (or more likely, AppSec individuals) but occurring across engineering.

Here are three high-level takeaways from what proved to be a lively and enlightening discussion:

1. Hire software engineers into your AppSec teams. The panel was very supportive of the idea that engineering and security shouldn’t function as separate entities. Karthik noted that as a principle, he hires software engineers, instead of security engineers. The reasoning: They know how to operate at scale and create fixes, something essential for a company managing 1.5 million requests per second. Building security into your engineering team is especially vital for smaller and growing teams, who may not have the resources to hire a security engineer.

When engineers are engaged with security, you not only find scalable ways to solve problems but also accelerate the development process. Consider the example of a recent application release that was delayed because of a security concern. I would say that unless the issue is a show stopper, security shouldn’t delay a release. Instead, let the developers run fast and have security try to keep up — or run even faster (obviously, this is not the case with issues of compliance).

Companies need to be able to release products and triage at scale. This is especially relevant in the FinTech space, in which a lot of the competition is about application features and capabilities. To that point, Erick highlighted how at Intuit, they’re trying to create paved roads for developers to ensure they can get “speed to benefit to customers” as quickly as possible.

To do so, they leverage automated tools, such as scanners that evaluate GitHub code for potential issues. They’re also monitoring for security problems all through production, leaning on automation to help. The bottom line — security shouldn’t be a secondary process that stops development in its tracks; instead, find ways to make it complementary and seamlessly woven into the workflow.

2. Approach compliance as an engineering problem. Meeting governance and compliance requirements remains a significant undertaking for FinTech and financial services companies. One-third of global financial services companies spend more than 5% of their budget on compliance alone. One reason for the high costs — a lack of automation and solutions that scale.

It’s not uncommon for companies to answer compliance questions via manual work and paper documentation. They rely on paper files, PDFs, spreadsheets, and email chains to ensure and verify compliance. As companies grow, however, it’s not only unreasonable, but it’s also unsustainable. There needs to be a better way.

Fortunately, as our panelists revealed, some of the best FinTech companies look at compliance and governance through an engineering lens. At Robinhood, Karthik sat down with compliance experts and asked them to describe the problem, so that his team could engineer a fix. They discussed the issues and the metrics required to prove effectiveness. His team then created an automated tool that addressed the issue. They know the compliance procedures are working if these metrics are working, Karthik says.

Jeremiah added that maintaining compliance within a global organization like East West Bank comes with the additional challenges of meeting regulatory expectations in multiple jurisdictions. However, there’s one commonality — the need to understand where your data is and how you’re keeping it safe. If you know the answers to those questions, Jeremiah says, then the task really becomes proving that the data is safe.

Compliance doesn’t need to be human-based, and frankly, for application security and development to remain sustainable — it can’t. We may not be able to automate all of the processes and reporting fully, but if we aim for 80% automated and 20% manual, we’ll be in a much better position.

3. Be proactive about security. This is a theme that carried through the entire conversation — FinTech engineering teams are thinking about security and compliance in various proactive ways. Erick noted that he encourages his teams to “lean into security and do right by the customer before the company is asked to do so.” To be sure, merely keeping pace with compliance regulations is a feat for many smaller or early-stage FinTech companies.

However, our discussion went beyond engineering solutions to address even how engineering leaders are hiring with security in mind. And it’s not how you’d expect. The panelists agreed: Recruiting an AppSec developer is akin to finding a unicorn. A more proactive strategy is to grow your own unicorns. The panelists discussed hiring software developers and grooming them into security roles. The result is more fulfilling for both sides — your company can begin to build its AppSec expertise and resources, and employees can learn and take their career in a new direction that they may not have considered.

Finally, proactive security also means looking for ways to ensure and accelerate approval for security features. One way to do so is to connect security advancements with compliance issues. For example, if you want to add two-factor authentication to your application to prevent customer data loss, find a compliance issue that may also be solved by another security layer. Product Managers may shoot down security features “for features’ sake” to save budget, but they won’t say no to compliance. This kind of strategic thinking ends up being a win-win for customers and the company.

The success of FinTech applications depends on not just effective security protocols that protect customers and companies, but also innovative ideas that allow organizations to deploy security measures in efficient, economical, and scalable ways. If that’s the end game, then the panelists in our roundtable discussion reveal that our industry’s future is very bright.

Are you interested in learning more? Watch Data Theorem’s recent virtual roundtable, 3 Ways to Create Successful FinTech App Security Programs.

Translated from: https://medium.com/swlh/the-future-of-fintech-appsec-is-brighter-than-you-think-409e8a13b242
