Companies operating in the financial services sector today need to comply with many complex regulatory standards. This makes perfect sense given that both the assets and the information managed by these companies are valuable and sensitive, and as a result are targeted by advanced cyberattackers.
Further complicating these challenges is the large amount of personal information (PII) handled by such organizations, which is subject to numerous industry standards and general data protection regulations. Some regulations, such as PCI-DSS, are explicit, while others are more general, stating only that PII needs to be protected from attack. Either way, to comply with key regulatory standards, organizations need visibility into software risks, vulnerabilities, and data flows. They also need a system and a plan to address them.
Financial services organizations have historically been strong in adopting application security testing tools, but they can do much more to accelerate their efforts and keep them going.
So what specific steps can companies in this area take to address the security of software they create for the rest of 2021? And how does this help in the long run?
Risk-ranking applications
From a business risk perspective, not all applications are created the same, so the first step in mitigating risk is to quantify the inherent risks associated with each application. Organizations can achieve this by using risk-first methodologies to rank applications based on their potential damage to a company’s business goals as a result of a successful attack.
For example, the security of an online banking application that allows customers to transfer funds, execute large transactions, and change privileges is critical to a bank’s business goals. A breach of such an application can cause significant financial, regulatory, and reputational damage. In contrast, there may be internal applications that do not process sensitive information or have a limited attack surface. From a business value perspective, these are less important and do not warrant the same security scrutiny.
Risk ranking is a good way to get started, enabling time- and resource-constrained security teams to apply the right resources to their riskiest applications and maximize operational efficiency. The result is an application inventory that includes a risk ranking for each application. Resources can then be allocated according to the risk ranking of each business application.
Establishing clear security requirements
To achieve true DevSecOps, teams must agree on the “metrics” that define adequate security. This requires open and continuous communication and collaboration between development, security, and operations teams, because the metrics vary by application type. For open source components, these requirements should include an understanding of each project, including its degree of community support, its security history, and its open source licensing requirements. For custom code and complete applications, there must be an explicit agreement on when security testing will take place and under what conditions a build should be broken.
For example, an organization may (and should) prevent an application from being deployed if a “critical” vulnerability is identified. The application’s automatic build process should be stopped if that condition is true.
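The build-breaking condition above, combined with the risk ranking from the application inventory, as an added example that is not code from the original article: the policy thresholds, the application inventory and the findings are constructed sample data, and the advisory id is a placeholder rather than a real identifier.

```python
# Added example, not from the article: a CI gate that enforces the agreed
# "break the build" condition, with the threshold depending on the
# application's risk rank. All data below is constructed / assumed policy.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: critical- and high-risk apps break on "high" and above,
# lower-risk apps only on "critical" (the article's baseline condition).
BREAK_BUILD_AT = {"critical": "high", "high": "high",
                  "medium": "critical", "low": "critical"}

# Constructed application inventory with its risk ranking.
APP_RISK = {"online-banking": "critical", "intranet-portal": "low"}

def evaluate_build(app, findings, policy=BREAK_BUILD_AT):
    """Return (passed, reasons) for one application's build.

    `findings` is a list of dicts with keys source ('sast' or 'sca'), id,
    severity and either file (sast) or component (sca)."""
    threshold = SEVERITY_RANK[policy[APP_RISK[app]]]
    reasons = []
    for f in findings:
        sev = f["severity"].lower()
        # Unknown severities rank 0 and never break the build on their own.
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            where = f.get("component") or f.get("file", "?")
            reasons.append(f"{f['source'].upper()} {f['id']} ({sev}) in {where}")
    return (len(reasons) == 0, reasons)

# Constructed findings in the shape a scanner's JSON export might provide.
FINDINGS = [
    {"source": "sast", "id": "SQLI-001", "severity": "high",
     "file": "transfer/Dao.java"},
    {"source": "sca", "id": "ADVISORY-PLACEHOLDER-0002", "severity": "critical",
     "component": "example-json-lib:2.9.3", "fixed_in": "2.10.0"},
    {"source": "sast", "id": "XSS-004", "severity": "medium",
     "file": "ui/Form.java"},
]

if __name__ == "__main__":
    for app in APP_RISK:
        ok, why = evaluate_build(app, FINDINGS)
        print(app, "PASS" if ok else "FAIL", why)
```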
Continuously identify vulnerabilities
Security should be integrated into every phase of software development at financial services organizations. Not only does this approach improve the security of the DevOps environment (i.e., DevSecOps), but vulnerabilities discovered earlier are usually less complex and less time-consuming to fix, resulting in faster time to market and lower development costs.
Static application security testing (SAST) solutions can be integrated into the SDLC through the source code repository from the beginning of the coding phase, when new source code is checked in or added to the automated build process. Software composition analysis (SCA) can be used in early builds to identify open source dependencies and map components to disclosed vulnerabilities, and can continue through the test/QA phase. Interactive application security testing (IAST) can be run alongside automated functional testing during the test/QA phase.
By integrating the above into continuous integration (CI) orchestration, teams can automate the process and perform incremental scans of modified code only. In contrast, solutions that take hours to scan a complete application build do not fit well into a DevOps environment.
Enable developers to code securely from the start
It’s important for security teams to play an active role in engaging and collaborating with DevOps counterparts right from the start. Education here is very important.
The security team of a financial services organization should train the DevOps team in specific attack methods and common hacking techniques, and provide the tools needed to identify vulnerabilities while code is being written. It also needs to act as a sounding board throughout the process. By providing continuous feedback and answering secure coding questions on demand, security teams can significantly reduce the time required to fix vulnerabilities, improve security, and make software delivery more predictable.
By establishing best practices and making secure coding education (SCE) an ongoing process, security teams can make it easier for developers to code securely from the start. Developers are more likely to accept relevant training, retain the lessons more easily, and ultimately become better security champions for their organization. It also helps to designate a specific security champion within each development team: the person colleagues can count on for security questions, and who has a closer connection to the security team than the rest of the team.
Remember that application security is not a one-time task
Open source components and frameworks have distinct advantages, such as lower development costs and faster time to market. However, to maintain strong security, they must be analyzed during the coding and build stages. And that is not all.
It is important to keep an eye on open source software for newly disclosed vulnerabilities throughout the SDLC. Some vulnerabilities, such as Shellshock (CVE-2014-6271), were discovered decades after the original flaw was introduced. Without visibility into both the version of an open source component and its location in the code base, finding and fixing such a vulnerability is very difficult. Effective application security today must be ongoing.
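Matching a newly disclosed advisory against an inventory that records both the component version and its location in the code base, as an added example that is not code from the original article: the inventory rows and the advisory are constructed, the advisory id is a placeholder, and the version range logic assumes simple dotted numeric versions.

```python
# Added example, not from the article: when an advisory is published, find
# every place in the code base where an affected version of the component is
# in use. Inventory and advisory are constructed sample data.

def parse_version(v):
    """'4.2.10' -> (4, 2, 10); assumes dotted numeric versions only."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed (fixed is None: no fix yet)."""
    ver = parse_version(version)
    if ver < parse_version(introduced):
        return False
    return fixed is None or ver < parse_version(fixed)

# Constructed inventory: one row per component occurrence, with the version
# in use and the file that declares the dependency.
INVENTORY = [
    {"app": "online-banking", "component": "example-json-lib",
     "version": "2.9.3", "path": "services/transfer/pom.xml"},
    {"app": "online-banking", "component": "example-json-lib",
     "version": "2.12.1", "path": "services/auth/pom.xml"},
    {"app": "intranet-portal", "component": "example-json-lib",
     "version": "2.9.3", "path": "portal/build.gradle"},
    {"app": "intranet-portal", "component": "example-http-lib",
     "version": "1.4.0", "path": "portal/build.gradle"},
]

# Constructed advisory with a placeholder id (not a real CVE).
ADVISORY = {"id": "ADVISORY-PLACEHOLDER-0001", "component": "example-json-lib",
            "introduced": "2.0.0", "fixed": "2.10.0"}

def find_exposures(inventory, advisory):
    """Return the inventory rows that use an affected version of the component."""
    return [r for r in inventory
            if r["component"] == advisory["component"]
            and is_affected(r["version"], advisory["introduced"], advisory["fixed"])]

if __name__ == "__main__":
    for row in find_exposures(INVENTORY, ADVISORY):
        print(f"{ADVISORY['id']}: {row['app']} uses {row['component']} "
              f"{row['version']} at {row['path']}")
```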
Chart a course for security success
Today, malicious attackers trade large amounts of stolen PII for use in identity theft, but the impact of a data breach goes far beyond embarrassment for the business. Attacks can damage reputation, shareholder value, and in some cases corporate leadership. And that is before heavy fines, increased legislative scrutiny, and lasting public distrust.
The way financial services organizations build software today is dramatically different from ten years ago, with new development models helping them deliver software faster than ever before.
Financial services organizations have a good track record to date, but security in the SDLC needs to be strengthened, starting early and continuing throughout. Combine SAST, SCA, and IAST results to integrate the different test tools into one holistic view. In such a highly competitive market, shipping something that has not been tested for security issues throughout the development process is no longer an option. The risk is simply too great.
We rely on both the software itself and its security to complete billions of transactions each day. It is time to ensure that security is integrated from the very beginning of the SDLC. This only helps companies in this sector better manage, measure, and address risk, empower development teams, and deliver secure software at DevOps speed.
2021 Financial Services Software Security Initiatives