Financial service industry takes the lead in curing the third party security headache

Conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web and mobile applications developed by service vendors and/or commercial software providers. The current third party controls established in the past 10-15 years were adopted by financial service firms and incorporated into their respective third party governance programs.

[Web app security best practices and the people who love them]

However, the threat landscape is fundamentally different with the proliferation of mobile, web and cloud based applications supported by third parties. The need for third party software security is so essential that a group of security leaders from the highly competitive financial services sector established a working group through the Financial Services Information Sharing and Analysis Center (FS-ISAC) to provide guidance for the rest of the industry on additive controls to address software security. Though the goal of this working group is to help improve security at financial organizations, enterprises of all kinds can and should adopt this new guidance to address the increasing danger posed by third party applications.

Every industry uses third party software to increase employee productivity, deliver the latest technology to their customers and maintain relevancy in evolving markets. In the financial services industry, this has manifested with mobile payments, hip web interfaces, and banks going social, just to name a few. Financial services has long worked to apply effective controls and protect the sensitive data flowing through these slick applications through the Financial Services Roundtable (BITS) or FS-ISAC. Though there are established controls for protecting information from software vulnerabilities of third party service and software providers, what is not established is how to ensure secure software development practices are applied by those third parties that develop software used by banks, mortgage lenders, and insurance companies.

Spearheading the need to address this risk, a group of ten leading financial service firms came together to identify and recommend control types for securing third party software development.

The working group set out to improve information protection for third party software used to process sensitive data, whether the software was developed by third parties using their own methodologies or using commercial products developed for the marketplace. The control types developed are designed to be incorporated with existing vendor governance practices and work in concert with established third party governance controls.

[Best practices for safely moving data in and out of the cloud]

These controls enable enterprises -- regardless of industry -- to assess the maturity of software providers' secure development lifecycle, ensure a process exists to identify and remediate vulnerabilities of significance, and manage risk associated with consumption of open source code in the development process. There are three control types, two of which apply directly to third party firms that develop software and one that addresses supply chain risk for internal development.

Software security is not easy to apply across large and complex enterprises that develop custom software but significant strides have been made by 67 firms that actually measure the maturity of the controls in the software developed process. The body of information available as a result is in the Build Security In Maturity Model (BSIMM) which is also the source for one of the additive controls recommended for third parties by the working group. The working group members believe that applying software security practices is the responsibility of whomever is leading the software product development process whether that is for an internal development project or one supported by a third party. Therefore, the first control type recommended by the working group focused on the maturity of the practices for the third party.

The second control type identifies security vulnerabilities for a specific version of software at a specific time, using binary static scanning, a service offered by select number of vendors. The advantage of this control type is that it identifies security vulnerabilities and shares them with the third party vendor firm who can remediate the flaws and perform another scan to confirm the fix before sharing the results with the financial institution or client firm. The financial institution never requires access to either the source code or the binaries for the security validation, but still receives a summary report of the vulnerabilities detected once it is released by the third party vendor firm. The first control type determines process maturity while the second one determines the risk of specific vulnerabilities detected or a specific version of software produced by the third party.

[Seven essentials for VM management and security]

The third control type provides a software code management process for development teams that use open source code libraries in the development process. It enables firms to choose versions of open source components they wish to promote to their developers based on use and the security risks of each library and ultimately enforce these choices through policy enforcement in the software build process. Several vendors offer this type of capability and a recently introduced vendor offers a full lifecycle management capability for the consumption of open source code libraries.

It is time the rest of the world's largest enterprises follow the lead of the largest financial services organizations and address the security of applications developed by third parties. Each working group delegate organization has adopted these controls within their own security program and seen reduced risk at the application layer. At the FS-ISAC Fall Summit, the working group will release a whitepaper describing the control types and advice for effectively applying these controls based on our own experiences. The guidance offered through the whitepaper will help financial service and other regulated industries apply controls designed specifically to address the risks of building software for the web and mobile channels.

The working group has now contributed to defining new control types specifically designed for third party software development that help companies ensure that effective information protection practices are in place. These control types enable firms to apply effective controls to the development practices of third parties.

The whitepaper will be available on the public section of the FS-ISAC website in mid-November. Software development practices have evolved in maturity and use within the industry. Companies in all industries that capture and process customer information have an explicit obligation to apply effective industry standard practices for information protection and there are now three more practices to consider to more effectively manage information security risk when working with 3rd parties.

Jim Routh is the CISO of Aetna.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Financial Services Roundtable

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jim Routh

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place