MAS, Monetary Authority of Singapore
Highlights

Risk Management Framework: Enforces enterprise application security policies and automates risk analysis.
Scale and Speed: Analyzes thousands of web applications for vulnerabilities in days, not months.
Automated Source Code Review: Integrates into the SDLC with minimal impact on development organizations.
Integrated Penetration Testing: Simulates real-world attacks using vulnerabilities found by automated assessments and integrates results reporting.
Assess Vendor Applications: Utilizes a patented analysis technique for analyzing vendor-supplied software.
Rapid Time to Compliance: Provides actionable advice and support options for faster remediation by developers.
Streamline Costs: Implements a SaaS model that provides consistent costs regardless of application testing frequency.
Integrated Reporting: A single dashboard consolidates penetration testing, vulnerability assessment, and remediation results.
MAS Compliance Simplified

A persistent application security program is an important component of complying with the Monetary Authority of Singapore (MAS) Technology Risk Guidelines. Veracode simplifies compliance for financial institutions by providing automated, independent verification of application security controls for internal and external auditors.

The Monetary Authority of Singapore (MAS) actively supports Singapore’s role as a key regional financial center by encouraging sound security practices and controls within financial institutions. To reach this objective, MAS has released a Technology Risk Guidelines paper to the financial community outlining draft requirements for legislation in late 2012.

The guidelines are designed to improve monitoring of technology risk management, and MAS takes an active interest in how financial institutions implement the guidelines. As financial applications become increasingly complex and interconnected with other business applications, sustaining compliance with MAS guidelines becomes more difficult without a repeatable and automated solution for implementing application security and risk management controls.

Veracode enables financial institutions to embed automated application security controls into their software development lifecycle (SDLC), software change management, and software acquisition processes. By using automated controls, financial institutions can cost-effectively assess their application security risk, manage vulnerability remediation, and sustain compliance with MAS Guidelines.

Veracode’s cloud-based platform delivers a practical risk management framework, which is required by the MAS Guidelines, for assessing the severity of application vulnerabilities. This framework combines industry standards, including the MITRE Common Weakness Enumeration (CWE), the FIRST Common Vulnerability Scoring System (CVSS), and the NIST definitions of security assurance levels, and presents them in an easy-to-use policy management interface. CISOs can assign pre-defined or custom security and remediation timeline policy options to specific applications based on vulnerability risk severity and application criticality.
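As an added illustration of how such a risk-based policy can be evaluated (example code, not Veracode's product or its shipped policy values), the Python below maps each flaw's CVSS score to a FIRST severity band, applies a per-criticality remediation timeline, and reports whether the application still meets policy. The POLICY table, SLA day counts and the sample scan result are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

def cvss_severity(score: float) -> str:
    """Map a CVSS v2 base score to its FIRST qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

# Constructed policy table (an assumption, not Veracode's shipped policies):
# per application criticality, which bands make the application non-compliant
# once their remediation deadline has passed, and that deadline in days.
POLICY = {
    "very_high": {"blocking": {"High", "Medium"}, "sla_days": {"High": 15, "Medium": 30, "Low": 90}},
    "high": {"blocking": {"High"}, "sla_days": {"High": 30, "Medium": 60, "Low": 180}},
    "medium": {"blocking": set(), "sla_days": {"High": 60, "Medium": 90, "Low": 365}},
}

@dataclass(frozen=True)
class Flaw:
    cwe: int      # MITRE CWE identifier reported by the assessment
    cvss: float   # CVSS base score assigned to the flaw
    found: date   # date the automated assessment first reported it

def evaluate(criticality: str, flaws, today: date):
    """Return (compliant, findings); each finding carries band, due date and status."""
    rules = POLICY[criticality]
    findings, compliant = [], True
    for f in flaws:
        band = cvss_severity(f.cvss)
        due = f.found + timedelta(days=rules["sla_days"][band])
        overdue = today > due
        if overdue and band in rules["blocking"]:
            compliant = False  # an open, overdue flaw in a blocking band fails policy
        findings.append({"cwe": f.cwe, "band": band, "due": due.isoformat(), "overdue": overdue})
    return compliant, findings

# Constructed sample scan result for one application (not real findings).
SAMPLE_FLAWS = [
    Flaw(cwe=89, cvss=9.0, found=date(2012, 10, 1)),   # SQL injection
    Flaw(cwe=79, cvss=6.5, found=date(2012, 10, 10)),  # cross-site scripting
    Flaw(cwe=200, cvss=2.1, found=date(2012, 1, 1)),   # information exposure
]

def sample_check(criticality: str = "very_high"):
    """Evaluate the sample scan against policy as of a fixed review date."""
    return evaluate(criticality, SAMPLE_FLAWS, date(2012, 10, 20))

if __name__ == "__main__":
    ok, report = sample_check()
    print("compliant:", ok, *report, sep="\n")
```

The same scan passes for a "medium" criticality application because that tier blocks on no band; the severity bands and deadlines are what a CISO would tune per application.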
The Veracode platform automates vulnerability assessment and simplifies penetration testing throughout software development, acquisition, and deployment as key application security controls. Actionable details and remediation support enable developers to rapidly eliminate application vulnerabilities.
The results are consolidated and the appropriate reporting dashboards and compliance reports are generated for decision makers and auditors as proof that application security controls are in place to comply with the MAS Guidelines. The reports can be sent directly to auditing teams or integrated with corporate governance, risk, and compliance (GRC) applications such as RSA Archer through Veracode APIs.

MAS Guidelines Related to Application Security

3. OVERSIGHT OF TECHNOLOGY RISKS BY BOARD AND SENIOR MANAGEMENT
MAS Technology Risk Guidelines: IT policies, standards, and procedures should be established to manage technology risks and ensure adequate oversight within the organization.
The Veracode Advantage:
- Deploy Rapidly and Globally – Provides a single web portal for diverse teams to manage risk across all applications.
- Executive Dashboards – Track the progress of the risk management program and policy compliance improvements over time.

4. TECHNOLOGY RISK MANAGEMENT FRAMEWORK
MAS Technology Risk Guidelines: A technology risk management framework should be established to manage technology risks in a systematic and consistent manner that performs vigilant monitoring and identification of mutating and growing risks.
The Veracode Advantage:
- Policy Management – Provides many options for defining security policy, including test methodologies, test frequencies, and remediation timelines based on flaw severity or industry standards such as OWASP and SANS/CWE.
- Risk-Based Standards – Veracode combines industry standards to automatically classify application security vulnerabilities and prioritize remediation efforts based on flaw severity.
- Automated Updates – Security policies are automatically updated to match annual changes in industry standard vulnerability severity lists such as the OWASP Top Ten and SANS/CWE Top 25.

5. MANAGEMENT OF IT OUTSOURCING RISKS
MAS Technology Risk Guidelines: Service providers should implement security policies, procedures, and controls that are at least as stringent as for their own operations.
The Veracode Advantage:
- Vendor Application Security Testing – The Veracode VAST Program analyzes and attests to the security posture of vendor-supplied software services with compliance reporting against enterprise IT security policies.
- No Source? No Problem – Only Veracode provides binary code assessments without requiring the original source code.

6. ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS
MAS Technology Risk Guidelines: Requires source code review to be included in the system development lifecycle (SDLC), as black-box testing is not an effective tool for identifying or detecting security threats and weaknesses.
The Veracode Advantage:
- SDLC Integration – Plugin and API integration automates testing of every application build. Vulnerability results are delivered directly to developer IDEs and QA bug tracking systems.
- Remediation Support – On-demand access to Veracode security experts enables developers to learn secure coding best practices as they remediate vulnerabilities.
- Automate Source Code Review – Only Veracode’s binary static analysis automates detection of malicious backdoors, information leakage flaws, script injection, and buffer overflows.

7.1 CHANGE MANAGEMENT
MAS Technology Risk Guidelines: Prior to deployment, a risk and impact analysis should determine if the change would create security issues on affected systems or applications.
The Veracode Advantage:
- Process Integration – Veracode automates the security testing aspects of change management procedures while maintaining independent activity logs and approval documentation.
- Approval Procedures and Tracking – Supports custom approval procedures and automatically tracks workflow activities.

9.4 VULNERABILITY ASSESSMENT AND PENETRATION TESTING
MAS Technology Risk Guidelines: A combination of automated tools and manual techniques should be deployed to conduct vulnerability assessments quarterly and penetration testing annually.
The Veracode Advantage:
- Application Perimeter Monitoring – The Veracode APM solution rapidly assesses web application vulnerabilities, delivering results within days and enabling remediation within the current quarter.
- Cost-Effective Penetration Testing – Testers leverage APM results to simulate actual attacks on the system.
- Integrated Reporting – A single platform for reviewing vulnerability assessment and penetration testing results, simplifying compliance reporting by application.

12.2 MOBILE SERVICES AND PAYMENTS SECURITY
MAS Technology Risk Guidelines: Security measures that are similar to those of online financial and payment systems should also be implemented on mobile online services and payment systems.
The Veracode Advantage:
- Comprehensive Mobile Support – Veracode is the only application vulnerability assessment solution supporting iOS, Android, BlackBerry, and Windows Mobile applications.
- Secure Mobile Development Environment – Veracode partners with Good Technology to provide a development and policy enforcement platform for creating secure, custom mobile applications.

14. IT AUDIT
MAS Technology Risk Guidelines: The independence of the IT audit function must be preserved to provide the board and senior management with an objective assessment of the effectiveness of risk management controls.
The Veracode Advantage:
- On-Demand Audit Testing – IT audit organizations can independently conduct assessments at any time.
- On-Demand Analytics – IT audit organizations can independently analyze compliance and remediation status data at any time.
- Independent Testing Methodology – Veracode security tests are not configured by individual development teams, ensuring testing independence and reporting consistency across all applications.

www.veracode.com
© 2012 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.