The customer, a top 3 UK financial institution with assets in excess of ?800 billion has made a strategic decision to improve the agility of its software development cycle through the use of web scale architecture and rapid provisioning offered by AWS. However, with a preference to keep all code within the organisation’s own data centres, it was felt that additional security measures were required to protect critical applications moving from the organisation into AWS.
The institution has been working with Tantallon, an independent cyber security consulting firm that provides advisory, implementation and managed services to Fortune 1000 clients and government organisations on a global basis.
As Steve Street, Managing Director for Tantallon explains, “We looked at a number of options, but Checkmarx was the only solution suited to this project as it meets the typical requirement from the financial services sector that no proprietary code should leave an institution’s premises for inspection, while still offering the capability of enforcing and automating code scanning, prior to release to a given Public Cloud.”
The first part of the two stage project has already helped the institution successfully deploy a fully integrated Checkmarx CxSAST static code analysis on-site solution as part of secure Software Development Lifecycle transition, which is scanning millions of lines of code each week. Stage two takes this technology and places a version in AWS offering an equivalent system that automates the scanning process as a last step for apps before making their way to the cloud.
Checkmarx CxSAST is a powerful source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code. Without needing to build or compile a software project's source code, CxSAST builds a logical graph of the code's elements and flows which is examined for issues such as security vulnerabilities, compliance issues, and business logic problems. CxSAST comes with an extensive list of hundreds of preconfigured queries for known security vulnerabilities for each programming language including Java, PHP, Scripting languages, like Java Script, and also .NET technologies (C#, vb.Net). Additionally, Checkmarx is scanning mobile platforms such as Android, iOS and windows mobile.
CxSAST provides scan results to the customer as either static reports or in an interactive interface that enables tracking of runtime behaviour per vulnerability through the code, and provides tools and guidelines for remediation. Results can be customised to eliminate false positives, and various types of workflow metadata can be added to each result instance which can be used for subsequent scans to further increase performance.
“Checkmarx has the additional benefit of offering both proprietary and open source code analysis,” explains Street, “along with industry leading support for widest number of languages and deployment methods which is essential as the organisation explores a number of innovative new applications built using the latest development languages.”
The project is part of a wider move to adopt the cloud across the UK Financial services sector as regulatory and compliance hurdles have been overcome through clarification and agreement with the FCA. “The typical application development cycle within financial services has traditionally been sluggish as development teams struggle to navigate through the complexities of the internal processes across disparate systems and networks while adhering to both internal and regulatory guidelines. This project has the potential to help the institution become more agile in its development lifecycle, while strengthening security across the board.” The onsite phase is already deployed while the AWS portion of the project, which will automate much of the development workflow is now underway with more details to follow at a later date.