Financial Institutions’ Approach to OWASP Top 10 Security in Web Applications
[Image: security operations team monitoring financial web app threats in a data center] Financial institutions run dedicated security operations centers that monitor web apps for attack patterns around the clock.
Why OWASP Top 10 Matters for Banks in 2026
The OWASP Top 10 is the de facto standard for web app security risk awareness, maintained by the nonprofit OWASP Foundation. As of 2026, the most current release is OWASP Top 10:2025, which identifies the ten most critical security risks facing web apps globally. For the financial sector, these risks carry outsized consequences. A single SQL injection vulnerability in a banking portal can expose account balances, transaction histories, and personally identifiable information (PII) for millions of customers.
Financial institutions operate under overlapping regulatory requirements from bodies such as the SEC, Federal Reserve, FCA, and Monetary Authority of Singapore. The framework provides a structured approach that maps directly to many of these compliance obligations. The OWASP Top 10:2025 for Financial Services implementation guide notes that banks, insurance companies, payment processors, and fintech startups can use the framework to satisfy requirements from multiple regulators simultaneously, reducing audit fatigue and compliance overhead.
Both JP Morgan and Goldman Sachs have publicly committed to embedding OWASP-aligned security controls into their development lifecycles. While neither bank publishes a detailed "how we implement OWASP" playbook, their public disclosures, bug bounty programs, and security whitepapers reveal consistent patterns. The banks approach the framework not as a checklist to be ticked once, but as a continuous discipline woven into software design, coding standards, testing pipelines, and incident response. For financial institutions operating across borders, understanding how these controls apply to cross-border data protection and compliance is also critical, as regulatory requirements vary by jurisdiction.

JP Morgan’s OWASP Implementation Strategy
JP Morgan operates one of the largest technology budgets in the banking industry. That investment funds a security architecture that treats the OWASP Top 10 as a minimum baseline rather than an aspirational target.
Secure development lifecycle integration. JP Morgan embeds OWASP controls across multiple phases of its software development lifecycle. During the requirements phase, threat modeling sessions use OWASP risk categories to identify likely attack vectors for each application. During coding, static application security testing (SAST) tools scan for injection flaws, broken access control patterns, and cryptographic misconfigurations before code ever reaches the repository. The bank runs these scans as gating checks in its CI/CD pipelines, meaning a pull request that introduces a vulnerability in one of these OWASP classes cannot be merged until it is remediated.
Automated vulnerability scanning at scale. JP Morgan deploys automated web application scanners, including the open-source OWASP ZAP platform, across its portfolio of customer-facing web apps. These scans target all ten OWASP categories, with particular emphasis on A01 (Broken Access Control), A03 (Injection), and A06 (Vulnerable and Outdated Components). The bank’s security team configures custom scan policies that reflect the specific risk profile of financial applications, such as checking for insecure direct object references (IDOR) in account number parameters and testing for mass assignment vulnerabilities in transaction APIs.
Developer training and awareness. JP Morgan requires all developers working on customer-facing web apps to complete annual training on the OWASP framework. The curriculum covers real-world attack scenarios drawn from the financial sector, including case studies of actual breaches where these vulnerability classes were exploited. Developers learn to recognize each risk category in code reviews and to apply appropriate mitigation patterns, such as parameterized queries for SQL injection prevention and server-side authorization checks for access control.
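The two mitigation patterns named above (parameterized queries against injection, and a server-side ownership check against IDOR in an account number parameter, as described in the scanning paragraph) are shown below in a small added Python example. It is illustrative code written for this article, not JP Morgan's code or schema; the in-memory SQLite table, the account numbers and the user names are constructed sample data.

```python
import sqlite3

# Constructed in-memory sample data for the demonstration; not a real banking schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 5000), ("1002", "bob", 250)],
    )
    return conn


def balance_vulnerable(conn, account_no):
    # Injection-prone pattern: the request parameter is concatenated into the SQL text,
    # so the parameter can change the shape of the query instead of supplying a value.
    sql = "SELECT balance FROM accounts WHERE account_no = '" + account_no + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def balance_parameterized(conn, account_no):
    # Hardened pattern: the driver binds the parameter as data, so whatever the
    # caller sends is compared against account_no and can never become SQL syntax.
    rows = conn.execute(
        "SELECT balance FROM accounts WHERE account_no = ?", (account_no,)
    ).fetchall()
    return [row[0] for row in rows]


def balance_authorized(conn, session_user, account_no):
    # Server-side authorization: parameterization alone does not stop a logged-in
    # user from reading someone else's account (IDOR). Ownership is checked on the
    # server against the session identity, never against client-supplied claims.
    row = conn.execute(
        "SELECT owner, balance FROM accounts WHERE account_no = ?", (account_no,)
    ).fetchone()
    if row is None or row[0] != session_user:
        # Same error for "not found" and "not yours" so the response does not
        # reveal which account numbers exist.
        raise PermissionError("access denied")
    return row[1]


if __name__ == "__main__":
    db = build_db()
    print("parameterized, own account:", balance_parameterized(db, "1001"))
    print("authorized, alice reads 1001:", balance_authorized(db, "alice", "1001"))
```

A code reviewer trained on the categories above would flag `balance_vulnerable` on sight; the point of `balance_authorized` is that fixing the injection flaw does not address the access-control flaw, which is a separate category and needs its own check.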
Third-party risk management. JP Morgan extends OWASP requirements to its third-party vendors and software suppliers. Any external application that handles customer data must pass a security assessment that includes OWASP-aligned penetration testing. The bank’s vendor risk framework, detailed in its public disclosures, requires evidence of SAST/DAST scanning, secure coding standards, and vulnerability remediation SLAs that align with these risk classifications. The bank’s responsible disclosure program explicitly references OWASP vulnerability categories for researchers reporting findings.

JP Morgan and Goldman Sachs both require developers to complete OWASP training annually, with emphasis on financial sector attack scenarios.
Goldman Sachs’ Approach to OWASP Controls
Goldman Sachs has built its application security program around what it calls "security by design," with the OWASP Top 10 working as an organizing framework for its secure coding standards. The bank’s approach is documented in part through its bug bounty program on HackerOne, which engages the hacker community to find and report vulnerabilities. Goldman Sachs also publishes a Client Security Statement that notes its testing methodology focuses on dynamic testing methods and is based on the OWASP Top 10.
Secure coding standards with OWASP mapping. Goldman Sachs maintains a set of secure coding standards that map every critical security control to a specific OWASP category. Input validation requirements target A03 (Injection). Authentication controls map to A07 (Identification and Authentication Failures). Logging requirements address A09 (Security Logging and Monitoring Failures). This mapping ensures that developers understand not just what to implement, but why it matters in the context of industry-recognized risk categories.
Continuous DAST and penetration testing. The bank runs dynamic application security testing (DAST) tools continuously against its production web apps, with scan configurations tuned to detect OWASP-classified vulnerabilities. Goldman Sachs also engages third-party penetration testing firms to conduct annual assessments aligned to the framework. The bug bounty program supplements these efforts by inviting external researchers to find and report vulnerabilities, with bounties scaled to the severity of the finding.
Security operations center (SOC) integration. Goldman Sachs routes OWASP-related alerts through its SOC, where analysts monitor for exploitation attempts targeting categories like A01 (Broken Access Control) and A03 (Injection). The bank’s SIEM platforms ingest web application firewall logs, DAST scan results, and API gateway telemetry to detect patterns consistent with attacks in these categories. When the SOC identifies a potential exploitation attempt, the incident response team can correlate the finding against the bank’s control inventory to determine whether the relevant mitigation was in place.
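The kind of SIEM correlation the SOC paragraph describes (and that checklist item 7 later asks teams to build) can be sketched in a few dozen lines. The Python below is an added example written for this article, not Goldman Sachs' detection content: the key=value log format, the sample log lines, the IP addresses, session IDs and account numbers are all constructed, and the two rules (an injection signature match per request, and a per-session correlation that flags one session touching many distinct account identifiers with most requests denied) are simplified stand-ins for what a production WAF and SIEM would provide.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed WAF log lines in an assumed key=value layout (not a real vendor format).
# Session s1 walks through consecutive account numbers and is mostly denied;
# session s2 sends a URL-encoded injection probe; session s3 is normal traffic.
SAMPLE_LOG = """\
ts=1700000000 src=203.0.113.10 sid=s1 method=GET path=/api/accounts/1001/balance status=200
ts=1700000001 src=203.0.113.10 sid=s1 method=GET path=/api/accounts/1002/balance status=403
ts=1700000002 src=203.0.113.10 sid=s1 method=GET path=/api/accounts/1003/balance status=403
ts=1700000003 src=203.0.113.10 sid=s1 method=GET path=/api/accounts/1004/balance status=403
ts=1700000004 src=203.0.113.10 sid=s1 method=GET path=/api/accounts/1005/balance status=403
ts=1700000005 src=198.51.100.7 sid=s2 method=GET path=/search?q=%27%20OR%20%271%27%3D%271 status=200
ts=1700000006 src=198.51.100.9 sid=s3 method=GET path=/api/accounts/2001/balance status=200
"""

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) sid=(\S+) method=(\S+) path=(\S+) status=(\d+)")
ACCOUNT_RE = re.compile(r"/api/accounts/(\d+)/")
# Deliberately small signature set; a real WAF ruleset is far broader and tuned per app.
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s+'?\w*'?\s*=\s*'?", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"--\s*$"),
]


def parse(text):
    """Turn raw log lines into event dicts; the path is URL-decoded before matching."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in production
        ts, src, sid, method, path, status = m.groups()
        events.append({"ts": int(ts), "src": src, "sid": sid, "method": method,
                       "path": unquote_plus(path), "status": int(status)})
    return events


def detect_injection(events):
    """Per-request rule for the injection category: signature match on the decoded path."""
    alerts = []
    for e in events:
        if any(p.search(e["path"]) for p in INJECTION_PATTERNS):
            alerts.append({"rule": "A03-injection-signature", "sid": e["sid"], "ts": e["ts"]})
    return alerts


def detect_idor_enumeration(events, window=60, distinct_threshold=4, denied_threshold=3):
    """Correlation rule for the access-control category.

    One session requesting many distinct account identifiers inside the window,
    with most of them denied by the server-side ownership check, is the signal
    that the authorization control is being probed. Thresholds are assumptions.
    """
    by_sid = defaultdict(list)
    for e in events:
        m = ACCOUNT_RE.search(e["path"])
        if m:
            by_sid[e["sid"]].append((e["ts"], m.group(1), e["status"]))
    alerts = []
    for sid, hits in by_sid.items():
        hits.sort()
        for i, (ts0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - ts0 <= window]
            accounts = {h[1] for h in in_window}
            denied = sum(1 for h in in_window if h[2] == 403)
            if len(accounts) >= distinct_threshold and denied >= denied_threshold:
                alerts.append({"rule": "A01-idor-enumeration", "sid": sid,
                               "accounts": len(accounts), "denied": denied})
                break  # one alert per session is enough for the analyst queue
    return alerts


def run(text=SAMPLE_LOG):
    events = parse(text)
    return detect_injection(events) + detect_idor_enumeration(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The denied-request count matters as much as the distinct-account count: a session that reads many accounts and is allowed every time is a back-office user, while a session that is refused on nearly every attempt is evidence that the ownership check is doing its job and that someone is testing it. That is the correlation the paragraph above refers to when the incident response team checks whether the mitigation was in place.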
Culture of security awareness. The bank promotes a security-first culture through ongoing training programs that reference the OWASP framework. As noted in Goldman Sachs’ public security disclosures, the firm invests in continuous education for developers, operations staff, and third-party contractors. The training emphasizes that OWASP compliance is not a one-time certification but an ongoing practice that must evolve as the threat landscape changes.

Side-by-Side: How Two Banks Compare
| Security Practice | JP Morgan | Goldman Sachs |
|---|---|---|
| SDLC integration | OWASP controls at requirements, design, coding, and testing phases with CI/CD gating | OWASP-mapped secure coding standards with automated code review enforcement |
| SAST/DAST tooling | OWASP ZAP and commercial SAST tools configured for financial risk profiles | Continuous DAST scanning with custom OWASP-aligned scan policies |
| Bug bounty program | Private program with OWASP-based severity classification | HackerOne-hosted program; methodology based on OWASP Top 10 per security statement |
| Developer training | Annual mandatory OWASP training with financial-sector case studies | Ongoing OWASP-aligned security awareness programs for all technical staff |
| Third-party risk | OWASP-based penetration testing required for vendors handling customer data | Third-party assessments mapped to OWASP categories |
| SOC monitoring | OWASP attack pattern detection via WAF and SIEM correlation | OWASP-classified alerts routed through dedicated SOC with incident playbooks |
| Regulatory mapping | OWASP controls mapped to FFIEC, SOX, and GDPR requirements | OWASP controls mapped to SEC, Fed, and international regulatory frameworks |
Challenges Financial Institutions Face with OWASP Adoption
Even with the resources of JP Morgan and Goldman Sachs, implementing OWASP defenses at scale presents real challenges. Understanding these limitations is critical for any financial sector security team planning its own adoption strategy.
Legacy system complexity. Both banks operate web applications built on infrastructure that predates modern security frameworks. Older Java-based trading platforms and mainframe-integrated banking portals may lack support for contemporary security controls like context-aware access policies or modern cryptographic libraries. Retrofitting controls onto legacy systems requires significant refactoring, and in some cases, the cost of remediation exceeds the cost of replacement.
Velocity versus security tension. Agile development cycles and continuous deployment practices create tension between shipping features and enforcing security gates. JP Morgan and Goldman Sachs both report that developers sometimes resist scanning gates that block deployments. The banks have addressed this by integrating security scans directly into developer workflows rather than adding them as post-commit review steps, but friction remains measurable.
Supply chain risk. Financial institutions rely on hundreds of third-party libraries, APIs, and SaaS integrations. Each dependency introduces potential OWASP-classified vulnerabilities, particularly around vulnerable and outdated components. The Log4Shell vulnerability (CVE-2021-44228) showed how a single vulnerable component buried deep in a dependency tree can compromise an entire application. Both banks run software composition analysis (SCA) tools to inventory dependencies and flag known CVEs, but the volume of alerts creates triage challenges.
False positives in automated scanning. Automated SAST and DAST tools tuned to OWASP categories generate significant false positive rates, particularly for A01 (Broken Access Control) and A04 (Insecure Design). Security teams at both banks report spending substantial effort validating scan results before escalating them to development teams. Without proper tuning and contextual analysis, false positives erode developer trust in the scanning pipeline.
OWASP as baseline, not ceiling. The OWASP Foundation itself describes the Top 10 as an "awareness document" rather than a comprehensive security standard. Financial institutions that treat OWASP as a complete security program leave gaps in areas like API-specific threats, supply chain integrity, and zero-day attack surface. Both JP Morgan and Goldman Sachs supplement the framework with additional standards, including the OWASP Application Security Verification Standard (ASVS) and the NIST Cybersecurity Framework.
Actionable Checklist for Financial Sector Security Teams
Based on practices observed at JP Morgan and Goldman Sachs, here is a checklist that any financial institution can use to audit its own OWASP implementation:
1. Map OWASP categories to your regulatory obligations. Create a cross-reference matrix that shows which categories satisfy specific requirements from your primary regulators (SEC, FFIEC, FCA, MAS, etc.). This reduces duplicate audit work and ensures compliance coverage.
2. Integrate SAST and DAST into CI/CD pipelines as gating checks. Configure your scanning tools with custom policies that reflect financial sector risk profiles. Flag A01 (Broken Access Control) and A03 (Injection) vulnerabilities as blocking issues that prevent deployment.
3. Run OWASP-aligned penetration tests annually. Engage third-party testers who specifically scope their assessments against the OWASP Top 10. Require remediation of all high-severity findings before the next test cycle.
4. Implement a bug bounty program with severity classification. Public or private bug bounty programs give external researchers a structured channel to report vulnerabilities. Use the OWASP risk rating methodology to determine bounty payouts.
5. Train every developer on the OWASP Top 10 annually. Use financial-sector-specific examples in training materials. Test developers on their ability to identify categories in code reviews and apply correct mitigations.
6. Run software composition analysis on all dependencies. Inventory every open-source library, framework, and API integration. Configure alerts for CVEs that map to OWASP categories.
7. Configure SOC monitoring for OWASP attack patterns. Build correlation rules in your SIEM that detect exploitation attempts against each category. Create incident response playbooks specific to each risk type.
8. Extend OWASP requirements to third-party vendors. Include OWASP-aligned security assessments in your vendor risk management program. Require evidence of SAST/DAST scanning and vulnerability remediation SLAs from all vendors handling customer data.
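Checklist items 2 and 6 (scan gating in CI/CD and SCA alerts keyed to categories), together with the CI/CD gating described in the JP Morgan section, come down to a policy step that reads findings and decides whether a merge may proceed. The Python below is an added example for this article, not either bank's pipeline code. The findings JSON is a constructed export whose schema is assumed for the example (real SAST and SCA tools each have their own), the category labels follow the numbering used on this page, and the per-category severity thresholds are illustrative choices; the Log4Shell entry uses the CVE identifier and component named earlier in the article.

```python
import json
import sys

# Constructed scan export in an assumed schema; not any real tool's output format.
FINDINGS_JSON = """
[
  {"tool": "sast", "category": "A03", "severity": "high",
   "file": "src/accounts.py", "line": 42, "rule": "sql-string-concat"},
  {"tool": "sast", "category": "A01", "severity": "medium",
   "file": "src/transfer.py", "line": 17, "rule": "missing-ownership-check"},
  {"tool": "sast", "category": "A05", "severity": "low",
   "file": "src/app.py", "line": 3, "rule": "debug-enabled"},
  {"tool": "sca", "category": "A06", "severity": "critical",
   "package": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228"}
]
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Gating policy (assumed thresholds): a finding blocks the merge when its category is
# listed here and its severity is at or above the threshold. Categories not listed
# are reported as warnings and tracked, but do not stop the build.
BLOCKING_POLICY = {
    "A01": "medium",   # Broken Access Control (page numbering): block from medium up
    "A03": "medium",   # Injection: block from medium up
    "A06": "high",     # Vulnerable and Outdated Components: block on high/critical CVEs
}


def evaluate_gate(findings, policy=BLOCKING_POLICY):
    """Split findings into blocking and warning sets and return the merge verdict."""
    blocking, warnings = [], []
    for f in findings:
        threshold = policy.get(f["category"])
        sev = SEVERITY_RANK.get(f["severity"])
        if sev is None:
            raise ValueError(f"unknown severity {f['severity']!r} in finding {f}")
        if threshold is not None and sev >= SEVERITY_RANK[threshold]:
            blocking.append(f)
        else:
            warnings.append(f)
    return {"merge_allowed": not blocking, "blocking": blocking, "warnings": warnings}


def gate_from_json(text, policy=BLOCKING_POLICY):
    return evaluate_gate(json.loads(text), policy)


def describe(finding):
    """One-line, category-first description so the developer sees why it was blocked."""
    if finding["tool"] == "sca":
        where = f"{finding['package']}@{finding['version']} ({finding['cve']})"
    else:
        where = f"{finding['file']}:{finding['line']} ({finding['rule']})"
    return f"[{finding['category']}/{finding['severity']}] {where}"


def main(text=FINDINGS_JSON):
    result = gate_from_json(text)
    for f in result["blocking"]:
        print("BLOCK  ", describe(f))
    for f in result["warnings"]:
        print("WARN   ", describe(f))
    # Non-zero exit is what makes this a gating check rather than a report.
    return 0 if result["merge_allowed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the thresholds in a policy table rather than in the scanner configuration is what lets the same gate be applied across tools: the SAST and SCA exports are normalized to category plus severity, and the policy is reviewed as a security artifact in its own right.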
Key Takeaways:
- JP Morgan and Goldman Sachs both embed OWASP controls into SDLC phases, CI/CD pipelines, and developer training programs, treating the framework as a minimum baseline rather than a checklist.
- Automated scanning tools configured for financial risk profiles (with custom policies for A01, A03, and A06) are central to both banks’ strategies, supplemented by bug bounty programs and third-party penetration testing.
- Legacy system complexity, false positive volumes, and supply chain risk remain significant challenges even for the largest financial institutions.
- The OWASP Top 10 should be supplemented with additional frameworks (ASVS, NIST CSF) to cover API-specific threats, supply chain integrity, and zero-day attack surface.
- Security teams can audit their own programs against the eight-point checklist above, which maps directly to practices validated at JP Morgan and Goldman Sachs.
Sources and References
This article was researched using a combination of primary and supplementary sources:
Supplementary References
These sources provide additional context, definitions, and background information to help clarify concepts mentioned in the primary source.
- OWASP Top 10:2025 for Financial Services – Implementation Guide …
- Establishing a Modern Application Security Program – OWASP Top 10:2025
- OWASP Top 10:2025
- OWASP Top Ten Web Application Security Risks | OWASP Foundation
- The Real-World Attacks Behind OWASP Agentic AI Top 10
- Managing agentic AI risk: Lessons from the OWASP Top 10
- Is it time to rethink the OWASP Top 10?
- OWASP Top 10 Vulnerabilities Explained with Examples (2025)
- OWASP Top 10:2025, Complete Penetration Testing Checklist – GitHub
- Goldman Sachs vs. Morgan Stanley: Which Stock Has More Upside?
- OWASP Foundation, the Open Source Foundation for Application …
- Introduction – OWASP Top 10:2025
Dagny Taggart
