With worldwide cyber crime losses creating havoc in the financial industry, financial institutions are focusing considerable attention on the security of their outward-facing web applications, the majority of which contain critical security vulnerabilities.
The bank relies heavily on a number of third-party commercial software and outsourcing providers to help drive its core banking systems. Application vulnerabilities and security breaches are steadily on the rise. According to Gartner, 75% of new attacks target the application layer, and software vulnerabilities have reached an all-time high. Against this backdrop, the bank was justifiably concerned about potential security issues arising from these third-party providers and decided to take a proactive approach to software assurance.
Green Method provided the innovative testing methodology of Veracode, a world leader in SaaS-based application security testing. Veracode provided its patented binary analysis of the application code. Veracode Security Review, a subscription-based application security testing solution, underpins the bank’s implementation of secure procurement practices and enables it to manage both its own and its customers’ risk profiles.
To initiate the project, the bank quickly identified 15 applications from different product vendors to be verified. Since Veracode is the only provider that can inspect software executables (binary code), each external supplier was able to upload its compiled application to Veracode’s on-demand code assurance platform without exposing any of its intellectual property in the form of source code. This is an absolute breakthrough.
Veracode performed its fully automated analysis and assigned a security rating to each application in the form of a letter grade from A (best) to F (worst) to determine the security level of the supplier’s applications. Veracode’s ratings are based on established industry standards such as the Common Weakness Enumeration (CWE), the Common Vulnerability Scoring System (CVSS) and guidance from the National Institute of Standards and Technology (NIST).
These three standards help provide context around the vulnerability type, the score and the business criticality of each application. In addition to providing high-level security ratings, Veracode delivered very detailed remediation roadmaps back to the software vendors to help outline a path to achieving software assurance. This remediation roadmap is based on a prioritized list of software vulnerabilities, ranked by severity and ease of remediation. Based on this roadmap, the pilot vendor fixed the flaws found in the initial analysis within two weeks of receiving the initial report, re-submitted the applications for another scan, and received a score well within the bank’s range of code acceptance.
A key benefit for the bank and all vendors is that Veracode’s rating system provides a common and consistent benchmark that can be used to clearly determine security risk levels and thresholds, as well as to track progress over time. In the case of the bank, it determined that third-party applications had to achieve a pre-defined minimum rating to meet the bank’s software acceptance criteria.
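The workflow described above (scan, prioritized remediation roadmap, fix, re-scan, compare the grade against a minimum acceptance rating) can be modelled in a few lines. The following is an added illustration written for this page, not Veracode's or Green Method's code: the letter-grade mapping, the 1–5 remediation-effort scale and the sample flaws are constructed assumptions, while the CVSS severity buckets are the standard qualitative ratings from the CVSS v3 specification.

```python
from dataclasses import dataclass

# Letter grades as on the page (A best .. F worst); the numeric ranking is an
# assumption used only so grades can be compared against a threshold.
GRADE_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "F": 1}


@dataclass
class Flaw:
    cwe_id: str            # CWE identifier of the weakness class
    description: str
    cvss: float            # CVSS base score, 0.0 .. 10.0
    remediation_effort: int  # constructed scale: 1 (trivial) .. 5 (major rework)


def severity_bucket(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def prioritize(flaws: list[Flaw]) -> list[Flaw]:
    """Remediation roadmap: most severe first; among equal severity, easiest fix first."""
    return sorted(flaws, key=lambda f: (-f.cvss, f.remediation_effort))


def grade_from_flaws(flaws: list[Flaw]) -> str:
    """Illustrative grading (an assumption, not Veracode's scoring): the grade is
    driven by the worst open flaw. D is not produced by this simplified mapping."""
    worst = max((f.cvss for f in flaws), default=0.0)
    if worst < 4.0:
        return "A"
    if worst < 7.0:
        return "B"
    if worst < 9.0:
        return "C"
    return "F"


def meets_acceptance(grade: str, minimum_grade: str) -> bool:
    """Procurement gate: does the application's grade meet the bank's minimum?"""
    return GRADE_RANK[grade] >= GRADE_RANK[minimum_grade]


# Constructed sample findings for one vendor application.
SAMPLE_FLAWS = [
    Flaw("CWE-79", "Reflected cross-site scripting in search page", 6.1, 1),
    Flaw("CWE-89", "SQL injection in account lookup", 9.8, 2),
    Flaw("CWE-798", "Hard-coded service credentials", 7.5, 3),
    Flaw("CWE-200", "Stack trace returned to client", 5.3, 1),
    Flaw("CWE-22", "Path traversal in statement download", 7.5, 1),
]


def simulate_pilot(flaws: list[Flaw], minimum_grade: str) -> dict:
    """Run the scan / fix / re-scan cycle: the vendor remediates every High or
    Critical flaw from the roadmap, then the application is graded again."""
    roadmap = prioritize(flaws)
    initial_grade = grade_from_flaws(flaws)
    remaining = [f for f in roadmap if f.cvss < 7.0]
    final_grade = grade_from_flaws(remaining)
    return {
        "roadmap": [f.cwe_id for f in roadmap],
        "initial_grade": initial_grade,
        "initial_accepted": meets_acceptance(initial_grade, minimum_grade),
        "final_grade": final_grade,
        "final_accepted": meets_acceptance(final_grade, minimum_grade),
    }


if __name__ == "__main__":
    result = simulate_pilot(SAMPLE_FLAWS, minimum_grade="B")
    for f in prioritize(SAMPLE_FLAWS):
        print(f"{f.cwe_id:8} {severity_bucket(f.cvss):8} effort={f.remediation_effort} {f.description}")
    print(result)
```

Sorting on `(-cvss, remediation_effort)` gives the ordering the page describes: the vendor sees the most dangerous issues first and, where two findings are equally severe, the cheaper fix first. The acceptance gate is deliberately a separate function so the same threshold can be applied to every vendor's re-scan.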