Major Credit Group

Introduction of DORA presents new challenges

All financial industry participants already need to comply with many regulatory requirements. Within the European Union (EU), this has recently been expanded to include the Digital Operational Resilience Act (DORA). This promotes Europe-wide convergence on the requirements financial institutions must adopt to raise the security of their digital systems. As part of it, financial entities need to conduct vulnerability assessments before introducing or re-introducing new or existing services. They also are required to test all critical applications and systems at least once a year.

A major credit group needed to integrate appropriate testing tools within its software development cycle to increase the level of resilience of its software solutions and prepare for DORA compliance. The credit group turned to its trusted partner, Join Business Management Consulting. This strategy and management consulting firm is ranked among the fastest-growing companies in Europe by the Financial Times and Il Sole 24 Ore. “We initially carried out a market analysis to identify the solutions that met the client’s requirements, such as the need to introduce static code analysis mechanisms within the application lifecycle,” explains Maurizio Garofalo, Head of the Risk, Compliance and Cybersecurity Practice at Join Business Management Consulting.

We consider the adoption of the ‘security by design’ principle in our software lifecycle management a building block of our cyber resilience strategy. Fortify has proved to be the ideal technology partner for this in terms of depth, breadth, and precision of vulnerability analysis, DevOps integration, and service model flexibility.

Fortify exceeds expectations compared to alternatives

Garofalo continues: “We identified Fortify as the best solution for the credit group’s needs. In fact, in addition to the criteria we determined with the client, Fortify outshone other solutions in a number of ways. First of all, we like the superior level of reliability and rich functionality that comes from being an established solution, recognized as market leader by leading analysts: Gartner, Forrester, IDC, and G2. We also appreciated the broad language support and the opportunity to use Fortify both in an on-premises mode for easy inclusion in the development cycle infrastructure, or as a flexible service in the cloud, more suitable for our client’s software partners. These benefits came at a similar cost to that of far less performant solutions.”

Fortify is the inclusive and extendible suite of application security solutions with two decades of experience and continuous improvement. Fortify solutions enable end-to-end application lifecycle management by providing static code testing through its static application security testing (SAST) module, dynamic code testing with its dynamic application security testing (DAST) module, and software composition analysis (SCA) to ensure the security of any open source code components that are used. Using sophisticated artificial intelligence (AI) technology, Fortify allows automated security checks to be performed on code as it is written, suggesting changes required to ensure the code is as robust as possible. “The level of protection provided by Fortify facilitates DevSecOps development models and regulatory compliance in multiple areas, including the financial sector,” comments Garofalo.

Full DORA compliance and improved vendor collaboration

The start of the project involved Fortify on Demand, providing application security as a service without the need for additional infrastructure or resources. This is particularly valuable to validate software from external or commercial vendors, often small software companies specializing in banking solutions. The credit group cannot share its source code with external vendors, as it is protected by intellectual property law, nor can it accept code that hasn’t been checked according to its own software development standards. However, leveraging Fortify on Demand, the credit group can offer external vendors access to application testing via a code security scan. This allows the credit group to obtain an independent security certification to ensure that the security of the software conforms with its requirements.

The credit group leverages Fortify’s on-premises solution within its three in-house development factories where pre-defined languages are used. The first factory focuses on the development of home banking applications and its related apps for mobile access. The second factory develops the core applications for the group’s information system that manages communication between its 180 branch offices. The third factory develops the software used to create debit, credit, and pre-paid cards. “The Fortify hybrid deployment model, with on-demand and on-premises capabilities, is central to all software development at the credit group by ensuring that every code component is checked and corrected on the fly before it goes into production,” explains Garofalo.

50% reduction in code vulnerabilities and 15 critical applications successfully implemented

The introduction of Fortify led to the successful and seamless implementation of 15 business-critical applications, including both developed code and Open Source components. Following the Fortify process, 100 percent of new software releases are secured and certified against the Open Source foundation for application security (OWASP) top 10, as well as sysadmin, audit, network and security (SANS) top 25 standards. The credit group has identified a 50 percent reduction in code vulnerabilities associated with its developers’ higher level of security awareness through the introduction of Fortify and a gamified training program. The credit group’s CISO comments: “We consider the adoption of the ‘security by design’ principle in our software lifecycle management a building block of our cyber resilience strategy. Fortify has proved to be the ideal technology partner for this in terms of depth, breadth, and precision of vulnerability analysis, DevOps integration, and service model flexibility.”

Garofalo concludes: “The credit group is delighted with Fortify’s ability to strengthen application development security, eliminate code vulnerabilities, and comply with DORA regulations. It also leverages the Voltage SecureData Payments by OpenText solution to ensure payment data encryption.

This simplifies PCI compliance and protects clients’ credit card data in e-commerce applications, as well as web and mobile payments. Given the success of both Voltage and Fortify, the credit group is considering integrating the two to provide further value.”

Fortify is central to all software development at the credit
group by ensuring every code component is checked
and corrected on the fly before it goes into production.