Key to avoiding and combatting these application problems is continuing education, asserts Curtis. "Software engineering is a relatively new discipline," he says. "Computer science departments don't teach the engineering of how to apply computer science to the applications that run the banks. Once they get out into the real world there's an awful lot to learn."
At the very least, warns Curtis, all developers should be aware of the common known weaknesses that hackers tend to exploit and avoid them when building applications -- which is something he says isn't happening enough now. Banks can point their developers to the Common Weakness Enumeration website, a free resource that identifies these known weakness, and do upfront inspections of codes against a checklist of them, he notes. Beyond testing and analysis of code design, Curtis says that bank IT departments also must do a static analysis that looks of an entire structure of an application as well as a dynamic analysis that runs the code to look for performance issues.
As banks increasingly innovate in the mobile channel, taking the proper steps to ensure the structural soundness of applications becomes more important than ever, says Curtis. "Security will raise its head in new ways that are more taxing on the bank because of all the different ways hackers can reach them," he says. He acknowledges that mobile applications could be just as secure as other apps, saying, "I don't think we're there today, but we can get there."