The recent issuance of OCC Bulletin 2008-16 alerted financial institutions to the risks posed by insecure software and recommended steps banks should take to reduce risk and protect their critical data. Historically, banks have lacked an effective and cost-efficient way to analyze the security of their software. Security testing has been limited to manual analysis by consultants, internal teams using source code tools, or trusting software vendors to test their own code. None of these approaches scales to cover an entire application portfolio (as the OCC requires), and each can add significant time and cost to projects.
This whitepaper outlines how these limitations can be overcome by following five best practices that institutions can use to secure their applications. The whitepaper also offers insights on how to:
- Mitigate risk from commercial software, outsourced development, and contracted software for both internal and web-facing applications
- Create best practices for securing internal and third-party code
- Define security standards with software vendors - including FREE sample outsourcing and COTS contracting language