Articles

Are you FAST enough for SAST & DAST?

This article talks about the application development security challenges and why Static and Dynamic Application Security Testing is important for organizations launching Web and Mobile applications

M K Mohan , Secure Network Solutions (SNS) Feb 22nd 2018 A-A+

Banking and Financial Sector companies have come a long way from the conventional banking system to modern means of providing various services to the customers at their finger trips. Long days of wait for cheque clearances, long queues at tellers and the rate of which each transaction used to occur is long gone. Now you have Internet Banking System, Mobile Banking System, and Interactive Video Customer Services. Opening of bank accounts through tablets right from the customer’s home, online transactions through NEFT (National Electronic Fund Transfer), RTGS (Real Time Gross Settlement), IMPS (Immediate Payment Service), payment wallets and several such new features have modernized and simplified banking activities. Technology brings fantastic benefits.

However, the IT teams of these financial sector organizations who are into modernization face tremendous challenges. On the customer front, they need to ensure intuitive, colourful and easy to use customer interfaces that ensure their customers do not have to be computer savvy to use their applications. But on the back-end, it all ends-up with millions of lines of coding, software development and integration to multi-channel interfaces.

Not all off-the-shelf applications can be utilized in all banking environment. Bespoke development is required to meet the specific needs of the local regulations, target customer base and modes of interaction.

Secure coding practices are now incorporated as a first lesson in programming. Any ‘bug’ unintentional or intentional brings risk and exposure that may result in downtime, data loss and financial implications. Constantly evolving threats mean the development team can never conclude ‘Our product is ready to be launched’!

Scanning of source code, identifying vulnerabilities of the code and remediating the gaps are important factors of source code analysis. Prevention of application layer vulnerabilities and Web security breaches mean half-the-battle won.

Banks have realized the need to ensure highest security to the customer data and transactions while adopting the modern technologies. Security begins right from the first step of development of the software application. Therefore, Static Code analysis becomes the first step in Application Security. Similarly, once the application goes online, the behaviour of the application in various scenarios (the running state) need to be tested for any vulnerabilities as well. Together, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools are key in the Bank’s IT Security armoury.  And both these tools should be tightly integrated throughout the Software Development Life Cycle (SDLC).

Here is a simple checklist: Are you launching custom developed web and mobile applications for your customers? Are you handling critical data? Are you fast enough to adopt SAST and DAST?