Financial institutions are known to have in place some of the most advanced application security practices and tools. A new benchmarking study out this week shows that even among these well-funded security programs there are still big gaps in application security. Fewer than half require their third-party vendors to have similar policies and standards. Only about 46% of organizations measure how long it takes to remediate vulnerabilities, just 38% track whether developer teams are even using the security tools mandated by policies, and only 15% measure completion of security requirements.

