Companies rely on computer applications to ensure accurate, timely, and confidential processing of information and data. Vulnerabilities, particularly those associated with Web-based applications, are increasingly the focus of attacks from external and internal sources for the purposes of committing identity theft, stealing intellectual property, denying service, and committing other types of fraud.


Web-based applications are most frequently associated with retail and banking, cash management, and brokerage accounts; however, they also facilitate many other Web-accessible services. Web-based applications are being targeted for several reasons, including:

(a) easy Internet access by all: noncustomers, customers, employees, servicers, and vendors;

(b) traditional network defenses (i.e., network firewalls, intrusion detection) may not detect or prohibit unauthorized activity;

(c) a breached application may provide perpetrators unauthorized access to the sensitive or company-confidential data that supports the application (e.g., customer databases, financial records); and

(d) known vulnerabilities due to weaknesses in application development and information assurance processes.


Some application manufacturers mitigate application security risks by incorporating security into their development and assurance processes. Those processes include well-defined recurring action steps that identify and monitor vulnerabilities, notify users of vulnerabilities, and provide remediation or corrective measures. Applications developed internally, purchased, or contracted for may not be subject to similar risk mitigation measures and, therefore, may expose the organization to increased risks.


Risk Management Considerations

As part of their information security program, national banks should ensure that all applications are developed and maintained in a manner that appropriately addresses risks to the confidentiality, availability, and integrity of data. National banks should include application security in their risk assessments, including those required by the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The scope of a company's application security efforts may vary depending on the size and complexity of the bank and the nature of its software applications.


Key factors that management should consider in their risk assessment of an application include:


  • Accessibility of the application via the Internet;

  • Whether the application provides the ability to process or provide access to sensitive data;

  • Source of the application's development, such as in-house, purchased, or contracted;

  • Extent that secure practices are used in the application's development process;

  • Existence of an effective, recurring process to monitor, identify, and remediate or correct vulnerabilities; and

  • Existence of a periodic assurance process to independently validate the security of the application.


Customers that purchase applications typically rely upon the vendors to provide secure applications. However, the company's management remains responsible for ensuring that the application meets the security requirements at procurement, at deployment, and thereafter. As needed for purchased software, organizations should expand their vendor management program to include application security considerations in their request for information (RFI) or request for proposal (RFP) process. An attestation from the vendor that its software development process follows a secure software development lifecycle (SDLC) and is periodically tested may suffice for some applications. For more critical applications that present higher risks, companies may require vendor evidence of adherence to sound processes and validation through third-party testing and/or audits. All applications purchased should be supported by appropriate vulnerability identification and remediation processes, including appropriate vendor support. Additionally, companies should ensure that their ongoing testing process (e.g., penetration testing, vulnerability assessment) includes purchased and contracted applications.


To ensure maximum effectiveness, organizations that develop applications in-house should consider following an enterprise-wide effort that is coordinated across business lines and includes the following elements:


  • Incorporating appropriate attack models in risk assessments to assist in determining the security and assurance requirements for the application.

  • Analyzing the environment in which the application will reside. As the environment changes, the security requirements and assurance needs for the application may, and in most cases should, change. An organization's information security program should consider these control factors in assessing overall risk on an ongoing basis.

  • Ensuring that any open source application used by the bank is also subject to appropriate development and assurance processes.

  • Ensuring that appropriate internal personnel (i.e., management, developers, security, and auditors) are trained sufficiently to understand, and be aware of, risks associated with the organization's technology environment.

  • Engaging in periodic application testing or validation based on a current risk assessment to ensure the ongoing and appropriate protection of transactions and customer data. Testing considerations may include:

    • Static, dynamic, and functional evaluations, depending on the type and criticality of the application.

    • Automated evaluations using commercial or freeware tools, as well as manual interaction to supplement application tools.

    • Authenticated and non-authenticated user scenarios.

    • Comprehensive testing in a simulated production environment including appropriate operating systems and associated databases. The weakest link in several connected components may expose the entire system to compromise.

    • Implementation of lessons learned iteratively throughout the development and periodic testing processes.

    • Identification and monitoring of company-developed applications for vulnerabilities through an ongoing and defined process that includes appropriate communications and remediation.


We encourage our clients and customers to leverage our expertise and available resources to assist in risk identification and improve their application security practices. Software tools, industry resources, specific certifications, and education courses are available to help enhance the company's application development architecture, e.g., its software development lifecycle and assurance processes. We follow industry standards, guidelines, and frameworks from organizations and regulatory bodies such as OWASP, CERT, the Department of Homeland Security, and the NSA, as well as the National Institute of Standards and Technology (NIST).

Additionally, we assist you in establishing continuous monitoring mechanisms to receive and respond appropriately to vulnerability reports from public and private sources, including reports from FS/ISAC, US-CERT, Internet Storm Center and any other groups that detect, analyze, and report vulnerabilities.