Information security in financial services is one of the highest priorities for C-level executives. CEOs don't want the bad press and liabilities associated with a security breach, and CIOs know that their phones will be the first to ring when data is compromised. Adding to the urgency of the issue, the number of reported security vulnerabilities and the cost per incident continue to rise, according to a 2005 CSI/FBI Computer Crime and Security Survey.
In most IT shops, however, applications are not properly tested for security flaws during the development life cycle and, therefore, come to market riddled with vulnerabilities, asserts Pravir Chandra, chief security architect and cofounder of Secure Software, a vendor of automated application security products and process technology. In fact, most software vulnerabilities are introduced during the development phase of business applications, he points out.
Still, many organizations view security and application development as separate disciplines. Part of the problem, it seems, is that security teams often are called in to add security to software post-development, rather than working alongside developers during the development process. Additionally, "There is a lack of knowledge by most developers about what vulnerabilities they are supposed to be looking for when they build software," explains Ted DeZabala, principal, securities services group, Deloitte & Touche. As a result, vulnerabilities often are not adequately addressed.
However, the Depository Trust & Clearing Corporation (DTCC), which handled more than $1 quadrillion in securities transactions last year alone, is tackling the issue head on. By using a customized software security development process, the DTCC is attempting to protect itself from application security breaches before the vulnerabilities are created. It is building security measures into its software during the development stage, and is advising other financial institutions to do the same.
Soft on the Inside
Many financial services firms have devoted significant portions of their IT budgets to protecting the perimeters of their organizations with such devices as firewall technology, intrusion detection systems, and sophisticated switches and routers, notes Jim Routh, chief information security officer at the DTCC. "These kinds of controls have, indeed, enabled organizations to mitigate the risk of external parties accessing their network, and therefore their sensitive information," he says. "But, unfortunately, the periphery is not where organizations are now most vulnerable." In fact, the root cause of most security breaches can be traced to programming bugs that leave openings for attackers, according to a 2004 report from Business Roundtable, an association of 150 CEOs from leading U.S. corporations that deals with public policy issues.
Now, instead of breaking into an institution from the periphery, hackers have found that the most efficient alternative is to go after what sits inside it: the applications. "Hackers or crackers will always take the path of least resistance to achieve their goals," says Routh. "Therefore, because the perimeter security controls have improved significantly, they are now gravitating toward exploiting vulnerabilities in the software." Instead of using scanning technology to assess the feasibility of penetrating a network perimeter, hackers are using this technology to identify vulnerabilities in Web-based application code, Routh relates.
To help combat the problem, the DTCC has put in place a comprehensive information security program with a core component designed to address application security. Through this program, it is embedding the rigorous discipline of assessing the risk of an application from a security standpoint earlier in its systems development life cycle. The mitigation efforts are less costly this way, as opposed to going back and doing vulnerability scans and remediation activities after the software has been developed, according to Routh. "We made a conscious effort to do the intervention earlier in the life cycle, and it has shown some additional positive benefits in improving both security and resiliency," he says.
To help in the effort, the DTCC turned to Secure Software. The vendor's systems development methodology, called CLASP (Comprehensive, Lightweight Application Security Process), is a series of prescribed activities that are incorporated into an organization's software development life cycle. CLASP prescribes various steps that any organization developing software may use as part of what Secure Software calls its seven best practices. "They are the seven things that you can look at that you should be striving toward," says Secure Software's Chandra.
One of the seven steps is instituting an awareness program to educate the organization on what is important and why, and who is accountable. Another is the establishment of an assessment strategy, which helps to determine what the inspection process will be, how the results are to be analyzed and how to prioritize them. "A lot of problems get introduced because there is information that the development group has but operations does not, so the right way to configure this has to be secured," Chandra explains.
As part of its program, the DTCC customized deliverables (methodology artifacts) from CLASP and guidance from Secure Software for its own development life cycle. "Rather than seek technology solutions, we sought to enhance our system development life cycle with additional deliverables in order to satisfy our need for information security control," says the DTCC's Routh. The organization added eight new deliverables to its development process specifically designed to identify and remediate information security vulnerabilities during the development process, he adds.
The DTCC also brought in a number of tools to help its developers scan and assess the vulnerability risks of software code, Routh explains. One such tool is Secure Software's CodeAssure product suite, an automated application security testing tool designed to help organizations locate and fix vulnerabilities in code during the development phase. "We use CodeAssure to scan code," Routh states. "[It] is useful to developers to help them understand how to apply good practice to remove vulnerabilities during the development process."
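As an added illustration (not CodeAssure or any DTCC code), the checker below shows the kind of defect an in-development code scan is meant to surface before the software ships: a Web handler that builds an SQL query from user input by string formatting, flagged beside its parameterised counterpart. The sample source and the `find_dynamic_sql` function are constructed for this example.

```python
import ast

# Constructed sample of the kind of Web-application code a development-stage
# scan would inspect. The first handler formats user input into the query
# text; the second passes it as a bound parameter, which a scan should accept.
SAMPLE_SOURCE = '''
def lookup_account(db, account_id):
    query = "SELECT * FROM accounts WHERE id = '%s'" % account_id
    return db.execute(query)

def lookup_account_safe(db, account_id):
    return db.execute("SELECT * FROM accounts WHERE id = ?", (account_id,))
'''

SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")
DB_CALLS = {"execute", "executemany"}


def _is_sql_literal(node):
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().upper().startswith(SQL_KEYWORDS))


def _is_dynamic_sql(node):
    """True when an expression assembles SQL text at run time (%, +, f-string, .format)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _is_sql_literal(node.left) or _is_dynamic_sql(node.left)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(_is_sql_literal(v) for v in node.values)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return _is_sql_literal(node.func.value)
    return False


def find_dynamic_sql(source):
    """Return (line, function) pairs where execute()/executemany() receives dynamically built SQL."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        # Pass 1: remember the expression last assigned to each simple local name.
        assigned = {}
        for node in ast.walk(fn):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        # Pass 2: inspect the first argument of every database call, following names.
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in DB_CALLS and node.args):
                arg = node.args[0]
                if isinstance(arg, ast.Name):
                    arg = assigned.get(arg.id, arg)
                if _is_dynamic_sql(arg):
                    findings.append((node.lineno, fn.name))
    return findings
```

Running `find_dynamic_sql(SAMPLE_SOURCE)` reports only the first handler, which is the kind of finding a developer can fix while the code is still on the desk rather than after deployment.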
The DTCC also believes that education must be a core element of an application development security program, and it has begun implementing a comprehensive educational program for its 450 application developers. The program sets out to "improve their understanding of best practice in applying information security to the development process by targeting the specific educational requirements for multiple stakeholder groups within the development organization," Routh explains.
The DTCC also is encouraging other financial services firms to step up security measures in their software development processes. Many have been receptive to the idea and are now "putting the same requirement on third-party software providers that the DTCC is putting on ourselves, which includes the mandatory use of available vulnerability scanning technology for software code in order to ensure the integrity of the software" prior to purchasing, relates Routh.
Still, the lack of attention given to security vulnerabilities during software development remains a big problem. "It is not a problem that is going to correct itself overnight," says Deloitte & Touche's DeZabala. "But the trend is toward stronger development practices and pre-implementation testing."