Fortify Software


A Fortune 50 Financial Institution Deploys More Secure Software in Less Time

The Company

A top five financial institution in the US.

The Challenge

This financial institution is faced with an increasing number of sophisticated attacks to defraud customers. They are also forced to keep up with increasing rules and regulations mandated by the government. In order to follow all regulations and combat the threats, the company’s central security group routinely performs extensive manual reviews on all of its Internet-facing applications before enabling them to go live.

This manual review process usually takes three to four weeks per application and consumes valuable resources. It also frequently results in delays of scheduled releases and occasional “risk managed deployments,” where the organization is forced to field an application with known vulnerabilities, causing possible infection or downtime.

  • Key Challenges

    • Increasing number of attacks
    • Growing number of regulations
    • Long process to review code
    • Increased software application development time
    • Occasional risk-managed deployments

The Solution

The financial institution decided in 2004 to license a source code analysis tool that could automate and accelerate the tedious process of reviewing applications. After an extensive review, it chose Fortify Source Code Analysis (SCA) because it had the most comprehensive analysis package, it was easy to integrate, and the development teams liked using it. Within weeks, this financial institution began realizing benefits.

The Results

As a result of Fortify Software’s engagement, the bank was able to:

  • Cut audit times in half

    • After adopting Fortify SCA, this bank cut audit times from four weeks down to two weeks. These improvements allowed the bank to free up valuable resources and hit scheduled release dates with greater accuracy.

  • Deploy more secure software

    • The security team was and remains confident that, with the addition of source code analysis, they are now finding 100% of the issues in the categories they deem critical, such as cross-site scripting. The previous manual inspection process did not allow them to review every line of code, leaving open the possibility that some critical defects were being missed.

  • Secure software earlier in the lifecycle

    • Several of the bank’s development teams are now using Fortify SCA to perform checks prior to submitting their code to the security team. The result is that the security team now only rarely finds critical defects, such as a cross-site scripting vulnerability.

Fortify SCA has reduced the number of schedule slips and the number of “risk managed deployments.” The reduction in critical defects also significantly improves policy enforcement because when a security problem does surface, it now receives appropriate attention.

  • Fortify Benefits

    • Increases level of security
    • Meets many new regulations
    • Drastically reduces time to conduct an audit
    • Eliminates 100% of vulnerabilities deemed security-critical

The Conclusion

Since first licensing Fortify Software, the customer has steadily increased its number of licenses throughout the organization’s infrastructure, from individual security auditors to the development team servers to developer desktops. With additional teams now showing interest in adopting the product, this organization aims to have over a thousand licenses in the future. Fortify Software has become an integral part of the software application development life cycle and has enabled the customer to release the most secure applications possible in a much shorter amount of time.

About Fortify Software

Fortify Software products protect companies from today’s greatest security risk: the software applications that run their businesses.

Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world’s largest, most varied code bases.

Fortify Software is the software security vendor of choice of government agencies and Fortune 500 companies in a wide variety of industries such as energy, financial services, healthcare, e-commerce, media, telecommunications, publishing, insurance, systems integration, and information management.
