Blog A3Sec

SecDevOps in banking

Written by Eduardo Valenzuela | 11 August, 2022

The regulations

Financial services organizations operate according to certain regulatory standards. This makes sense, as the assets and information these companies manage are valuable, sensitive and can be subject to sophisticated cyber-attacks on a daily basis. These challenges are compounded by the sheer volume of personally identifiable information (PII) that financial organizations manage on a regular basis.

PII is subject to many regulations and standards, notably the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS) and the Sarbanes-Oxley Act (SOX).

Today, the General Data Protection Regulation (GDPR) is also a priority regulation, as it governs not only the processing of personal data (including PII) of European Union citizens, but also any processing of EU residents' personal data, whichever organization performs it.

While different regulations and standards take different approaches, they all require the same focus on security. In particular, to comply with any of the major standards, organizations must have visibility into the risks and vulnerabilities of their software and systems (by conducting periodic vulnerability assessments) and must plan to address them (by establishing and tracking a vulnerability management plan).


Software and Application Development

Organizations see flexible software development as a way to gain a competitive advantage and, increasingly, as a business requirement. Faster development methodologies such as agile focus on integrated teams, in which software architects, developers, and functional and security testing teams work together to deliver practical features as quickly as possible, giving organizations the ability to gain market share over slower competitors.

Adding DevOps practices such as continuous integration and continuous delivery (CI/CD) to this fast-paced environment helps break down silos by integrating software development and operations, increases quality and efficiency, and makes incremental changes available to users more quickly.

The main benefits of DevOps in the financial environment are:

  • Reduces go-to-market time
  • Automates manual and labor-intensive processes
  • Encourages team collaboration
  • Increases operational efficiency
  • Improves overall performance
  • Streamlines regulatory compliance and simplifies audits
  • Reduces development and IT infrastructure costs
  • Increases quality
  • Improves customer experience
  • Reduces downtime, failures and rollbacks

We therefore need a solution that helps us secure our applications, that is integrated throughout the software development lifecycle with minimal impact on the production chain, and that fits the DevOps philosophy: continuous integration and continuous delivery (CI/CD) in an agile environment.

What we are looking for is a solution that detects vulnerabilities in our software from the earliest stages of development, starting with coding. We must also take into account the open source components so widely used in DevOps: these must be analyzed as well and, where necessary, replaced or updated with secure versions.

If the solution is integrated into the developer's own environment, with training in secure coding and, specifically, real-time guidance on the vulnerabilities found in the code, we will have an ideal code analysis platform.

Let's go a step further and add application analysis in the test environment, what we know as IAST technology, which lets us inspect configuration files, frameworks and data flows at runtime. If we integrate it with our static code analyzer, we can identify the exact lines of source code where each vulnerability lies. All of this in a single platform, covering the entire application development lifecycle in real time: this is what the Checkmarx platform gives us.

Do you want to know how Checkmarx works in practice?