Application security in Financial Information Systems (FIS) has become a must in today’s malicious cyberspace. Due to the wide range of solutions in the market, many software executives find it hard to pick the right defense strategy for their systems, which contain highly sensitive details and valuable information.
The Monetary Authority of Singapore (MAS) now officially requires all FIS in the country to use SCA/SAST tools for optimal protection. This procedural update, which appears in the authority’s Technology Risk Management Guidelines (2013), makes a lot of sense. Let’s take a closer look at this development.
Penetration (Pen) Testing – What is it all about?
This approach is basically about simulating an attacker's actions in order to expose vulnerabilities. The results are accurate, but far from comprehensive. This is due to the complete dependence on the testers' skill-sets and their knowledge of exploits, not to mention the limited time they get to complete the project.
It’s also worth mentioning that Pen Testing is not a pocket-friendly method, as it’s usually carried out by experts or companies hired exclusively for the job. Despite the various limitations, MAS does mention and recommend Pen Testing for FIS, but only on an annual basis as an extension of the overall security strategy.
What is SAST and why is it so highly recommended?
Static Source Code Analysis (SCA, also referred to as SAST) solutions are designed for identifying, tracking and fixing security flaws at the root. These source code tools provide a high degree of flexibility and configurability by supporting a wide range of programming languages, OS platforms and frameworks.
“Black-box (functional) testing is not an effective tool in identifying or detecting these security threats and weaknesses,” MAS clarifies in its 2013 guideline book.
MAS goes on to stress the importance of the methodical examination of the source code. Advantages of SAST such as finding gaps and mistakes, error handling, function parameter verification and reliability improvement are highlighted. SAST also improves code quality and programming practices, according to the latest MAS release.
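To make the "methodical examination of the source code" concrete, here is an added sketch (not code from MAS or from any vendor's product) of how a source-code scanner applies rules for two of the advantages named above: error handling and function parameter verification. The scanned function, the rule logic and the finding messages are all constructed for this illustration.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample input: a deliberately sloppy function for the scanner to examine.
SAMPLE = '''
def transfer(cursor, account_id, amount):
    try:
        cursor.execute("SELECT balance FROM accounts WHERE id = " + account_id)
    except Exception:
        pass
    cursor.execute("UPDATE accounts SET balance = %s WHERE id = %s", (amount, account_id))
'''


def _names_in(node: ast.AST) -> Set[str]:
    """Collect every variable name referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings, sorted by line, for two simple rules."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            # Rule 1 (error handling): an except clause whose body is only `pass`
            # silently discards the failure instead of handling or reporting it.
            if isinstance(node, ast.ExceptHandler) and all(
                isinstance(stmt, ast.Pass) for stmt in node.body
            ):
                findings.append((node.lineno, "exception swallowed without handling"))
            # Rule 2 (parameter verification): a function parameter that reaches
            # execute() through string concatenation or an f-string was never
            # validated or bound as a query parameter.
            if (
                isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
            ):
                query = node.args[0]
                if isinstance(query, (ast.BinOp, ast.JoinedStr)) and _names_in(query) & params:
                    findings.append((node.lineno, "unvalidated parameter built into SQL query"))
    return sorted(findings)
```

Running `scan(SAMPLE)` flags line 4 (the concatenated query) and line 5 (the swallowed exception), while the parameterised query on line 7 passes both rules.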
With millions of dollars at stake and thousands of account owners genuinely concerned for the safety of their investments, the need for strong source code scanning is of utmost importance. Singapore has already taken a giant step towards safe and secure banking with MAS requiring all FIS to implement static source code scanning.
It’s only a matter of time before other countries follow suit.