Bank Differentiator
A large U.S. bank and leading provider of online banking services to millions of customers.
As a pioneer in online banking applications, and one of the largest commercial Java development shops in the world with 10,000 developers, this institution was well aware of the security issues it faced. The number of sophisticated attacks to defraud customers was on the rise, and new forms of computer threats were emerging at a faster rate than ever. The punishment handed down by customers and clients on companies perceived to be insecure can be a mass exodus of customers and profits. A 2006 study by the Ponemon Institute showed that 34 percent of customers would change their bank after one breach, and 45 percent would leave after two breaches. This bank was concerned that many of its legacy code bases contained vulnerabilities, such as SQL Injection and Cross-site Scripting, that even unsophisticated hackers could exploit, not to mention many other, less obvious vulnerabilities.
The bank tried to address these issues with regular audits, but with many teams writing code for various business units, the code base swelled to more than 50 million lines, creating backlogs and delaying development as the Security team attempted to keep pace. The manual process of reviewing each application was taking time and valuable resources. The result was frequent delays of scheduled releases and occasional "risk-managed deployments" where the organization was forced to field an application with known vulnerabilities. If the bank wanted to ensure the safety of its applications and deliver new applications on time, it would need a way to integrate automated security processes into the software development life cycle.
The biggest challenge the bank faced was efficiently and accurately auditing enormous volumes of code. The traditional, manual approach to secure the many thousands of applications supported by the bank simply could not scale. In 2004, the bank decided to license a source code analysis tool that could automate and accelerate the tedious process of reviewing applications.
After an extensive review, it chose Fortify Source Code Analysis because of its unique capability to enable the Information Security team to analyze, document and assess the relative security status and business impact of a vast number of applications. Fortify had the most comprehensive analysis solution; it was easy to integrate, and the development teams felt comfortable using it. With Fortify SCA, individual developers didn't need to become deep software security experts to identify and fix important security issues. Running Fortify SCA was also easy: when developers invoked Fortify, audit teams simply needed access to Fortify's output, called FPR files, and the source code. Fortify also supported a breadth of programming languages, including Java, C, C++, PL/SQL, XML and .NET. In addition, it could integrate easily with multiple development environments, a critical capability for this bank, where every development team writes code differently.
Once the bank had selected the product, Fortify performed installation and basic product training throughout the initial implementation. Once the product was implemented, Fortify conducted a "train the trainer" program that enabled the bank to educate its central security and development teams on the solution. Fortify provided an on-site expert for 12 months to facilitate implementation details such as creating custom documentation and structuring project management.
During training sessions, participants used their own code. The "shock and awe" value of having developers discover vulnerabilities in their own code made these sessions especially relevant and valuable: "real work" was accomplished, and the hands-on environment ensured the transfer of knowledge. These sessions served not only as training exercises, but as mentoring opportunities as well. Approximately every two weeks, a new group of developers incorporates Fortify into its process. To date, more than 1,000 developers use Fortify's solutions in numerous groups across dozens of development offices in the US.
Code audit teams at the bank use Fortify Manager, Rulepacks and Audit Workbench to audit source code. Fortify Manager provides auditors with a quick view, or status, of software security across their entire project's portfolio, allowing them to systematically understand and manage software security risks through a range of metrics.
Fortify Manager compares project teams across the enterprise for compliance to corporate software security metrics and identifies teams that require additional investment in security education and focus by security auditor teams.
Fortify Manager can be used to prepare periodic, detailed audit reports of projects using the Audit Workbench and Software Security Manager to characterize the security and regulatory compliance status of those projects. These reports, contained in the Software Security Manager, can be viewed by all authorized personnel.
Code Audit teams work with project teams to identify tuned Secure Coding Rulepacks used by developers in specific projects or teams. Rules Builder can be used to define custom secure coding rules to create enterprise-wide secure coding policies, while Audit Workbench can perform targeted analysis of critical components for applications in development.
Developers can also leverage the capabilities of Fortify Manager, Audit Workbench and Rules Builder in their development efforts. Fortify Manager allows development teams to view full analysis results and reports for projects they are working on or projects they lead. They can also compare results of their projects against other groups and projects, and they can monitor vulnerability trends in their projects and manage toward meeting corporate security metrics.
With Audit Workbench, developers can drill down into complex issues, audit security analysis results and prioritize issues based on their knowledge of product architecture and implementation. Audited security issues can be entered into defect-tracking systems for individual developers to fix their code.
Developers can work additionally with the auditing team and security architect to tune the analysis by creating custom coding rules using Rules Builder for libraries and extensions used by their projects.
The bank routinely receives source code from third-party vendors that is deemed critical from a security standpoint. The bank uses Fortify software to identify security vulnerabilities in open-source packages, major independent software vendor (ISV) code and specialized banking applications. Code found to be insecure may be rejected, as specified in contractual agreements, until the supplier demonstrates that necessary changes have been made.
Fortify continues to offer the bank expert guidance in the areas of code auditing, deployment strategies and advanced uses of the Fortify technology. Fortify also continues to provide secure coding education to developers. The bank estimates that this training has helped reduce code vulnerabilities by more than 20 percent.
Fortify has not only reduced vulnerabilities; the cost of code reviews is also lower. And, unlike the tedious manual reviews of the past, Fortify SCA provides 100-percent line-of-code (LoC) coverage of reviewed applications multiple times during the project life cycle. With consistent, accurate reviews, and virtually all instances of reported issues detected, the code presented to the review team is cleaner, with no coding issues.
Faster reviews translate into tighter project development cycles with reductions of up to 50 percent. Desktop reviews help to educate developers, reinforcing secure coding behavior, and facilitate the discovery of vulnerabilities during the development phase.
Fortify products protect companies from today's greatest security risk: the software applications that run their businesses.
Combining deep application security expertise with extensive software development experience, Fortify has defined the market with award-winning products that span the software development cycle. Today, Fortify software fortifies the software for the most demanding customer deployments, including the world's largest, most varied code bases.
Fortify is the software security vendor of choice for government agencies and Fortune 500 companies in a wide variety of industries such as energy, financial services, healthcare, e-commerce, media, telecommunications, publishing, insurance, systems integration and information management.