THE CENZIC BLOG
October 22, 2008

OCC Bulletin on Application Security

OCC bulletin provides guidance to banks on application security

The Comptroller of the Currency, Administrator of National Banks (OCC), issued a bulletin to all national banks and their technology service providers stating that application security is an important component of their information security program.  The OCC Bulletin 2008-16 was issued in May of this year.  Although it has been over 5 months since the bulletin was issued, there hasn't been a mad rush from the banks to secure their Web applications.  But, in all fairness, they have had other things on their minds.

I wanted to recap the bulletin so we don't lose sight of the importance of application security.  The bulletin makes a good effort to raise awareness about securing Web applications.  It highlights the reasons why Web-based applications are being targeted, including:

  • The numerous vulnerabilities in Web applications,
  • The openness of the Web, and
  • The fact that network devices like firewalls and IDSs are not effective against Web application layer attacks.

The bulletin asks the banks to ensure that all applications are developed and maintained in a manner that appropriately addresses risks to the confidentiality, availability, and integrity of data.  Banks should look at various factors such as accessibility of the application via the Internet, whether the application is built in-house or purchased, secure practices in the application development process, and others.

I was pleased to see an explanation around purchased or commercial applications.  The bulletin correctly points out that even though banks have to rely on the software vendors to provide secure applications, bank management remains responsible to make sure that the customer and employee information is secure.

Although this is a nicely written bulletin with some really good advice, we need a much stronger regulation making application security mandatory.  We have seen many more financial institutions in the last few months using our solution to automate their security assessments and actively secure their Web applications.  However, we know that there are hundreds of other companies that haven't even started thinking about application security.  Given that most attacks are occurring through Web sites, and customer information is being stolen every day, it's mind-boggling to see that companies and regulators are not taking this issue seriously enough.  What would it take to get companies to get off the dime and do something?

If we learned anything from the recent credit market collapse, which prompted painful actions only after the damage was done, it is that it's much better to be proactive than to wait for a catastrophe to happen.  I hope companies and regulators don't wait for a catastrophe when it comes to protecting our Web infrastructure, because that could be really devastating.

by
Mandeep Khera, Chief Marketing Officer
Mandeep@cenzic.com

Comments

No money for that.

I think they don't really wait for a disaster. It's once again the money which makes them wait: there is less for security tests, and they seldom buy applications with a focus on security, but with a focus on the price. So until a global crash, there is no pressure to do something...

They have to put the pressure

Thanks for your comments, Erich. I agree that consciously they are not waiting for a disaster. However, indirectly that's exactly what they are doing... as you pointed out, until a global crash there is no pressure to do something. I think InfoSec folks have to make a stronger case to their execs to justify the budget, and execs have to make this a priority. It's the price of doing something vs. the cost of not doing anything - simple risk management principles.
