Banks gained the trust of their clients by delivering secure banking solutions. Client information and financial transactions are continuously protected against data leakage and cybercrime. But the IT world is changing...
IT departments have adopted 'Agile' ways of working. So-called 'DevOps' teams deploy changes to banking solutions continuously. On a daily or monthly basis, all kinds of new features and improvements are added to the banking apps and e-banking solutions.
This is because Agile is faster and less expensive. The focus is on new functionality, and the question "is the solution still secure?" comes later, sometimes too late. Penetration tests show vulnerabilities which, for lack of budget and time, are not resolved before 'Go Live'. Risks are accepted based on good intentions, which are often not fulfilled because the focus stays on new innovations.
How to solve this?
As with functionality testing, security testing has to become part of a developer's day-to-day work. Security Officers have to provide security test tooling (SAST, DAST) so that developers can deliver secure apps based on defensive coding.
At the same time, the backlog should get sufficient attention from Agile Risk Managers. For each feature in the backlog, stakeholders should assess the risks of that new feature. The secure DevOps teams should also create (evil) user stories and other controls. In this way the business can check concepts and identify risks in a timely way.
Instead of waiting for the results of the penetration test, it is the continuous integration of risk management and security from backlog to delivery that will deliver 'secure user stories' and 'secure apps'.