Application Security Testing for Large Bank
The client is a $10 billion bank that has won several international accolades for business excellence and was one of the first banks in Asia to offer an online banking service.
Information Security has always been a top priority for the bank. In 2007, the Top Management of the bank mandated that all applications be reviewed for security within the next 18 months. With 800+ applications, and two new applications launched every week, that was an ambitious goal. This case study summarizes the systems and processes we put in place to meet that goal.
- Among India’s largest banks
- 800+ applications deployed in the bank
- 2 new applications launched every week
- Multiple vendors supplying software to the bank
- Policy mandates “all applications be reviewed for security”
- Goal: Test 800+ applications within 18 months
The Strategy
To rationalize the testing effort, each application was rated on a 3-point scale after a risk assessment. Low-risk applications were reviewed against a basic security compliance checklist. Medium-risk applications (~50% of the population) underwent thorough gray-box testing. High-risk applications were subject to code review.
Business owners enrolled their applications in the security review program by answering a standard questionnaire that helped the security team gauge each application's risk level. The applications were then automatically rated for risk based on three factors: the sensitivity of the data handled by the application, its exposure to the internet, and its criticality to the business.
The Paladion testing team then tested each application as it emerged from the pipeline, at the depth determined by its risk rating.