Monetary Authority of Singapore (MAS) Embraces SAST

Nov 15, 2013 By Sharon Solomon

Application security in Financial Information Systems (FIS) has become a must in today’s malicious cyberspace. Due to the wide range of solutions in the market, many software executives find it hard to pick the right defense strategy for their systems, which contain highly sensitive details and valuable information.

The Monetary Authority of Singapore (MAS) now officially requires all FIS in the country to use SCA/SAST tools for optimal protection.  This procedural update, which appears in the authority’s Technology Risk Management Guidelines (2013), makes a lot of sense. Let’s take a closer look at this development.

Penetration (Pen) Testing – What is it all about?

This philosophy is basically about trying to simulate the hacker’s actions in order to expose vulnerabilities. The results are accurate, but are quite incomprehensive. This is due to the complete dependence on the testers’ skill-sets and their knowledge of exploits, not to mention the limited time they get to complete the project.

It’s also worth mentioning that Pen Testing is not a pocket-friendly method, as it’s usually carried out by experts or companies hired exclusively for the job. Despite the various limitations, MAS does mention and recommend Pen Testing for FIS, but only on an annual basis as an extension of the overall security strategy.

What is SAST and why is it so highly recommended?

Static Source Code Analysis (SCA) solutions are designed for identifying, tracking and fixing security flaws from the root. These source code tools provide a high degree of flexibility and configurability by supporting a wide range of programming languages, OS platforms and frameworks.

“Black-box (functional) testing is not an effective tool in identifying or detecting these security threats and weaknesses,” MAS clarifies in its 2013 guideline book.

MAS goes on to stress the importance of the methodical examination of the source code. Advantages of SAST such as finding gaps and mistakes, error handling, function parameter verification and reliability improvement are highlighted. SAST also improves code quality and programming practices, according to the latest MAS release.

With millions of dollars at stake and thousands owners genuinely concerned for the safety of their investments, the need for strong Source Code Scanning is of utmost importance.  Singapore has already taken a giant step towards safe and secure banking with MAS requiring all FIS to implement Static Source Code Scanning.

It’s only a matter of time before other countries follow suit.

MAS Technology Risk Management Guidelines (2013) 

The following two tabs change content below.

Sharon Solomon

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.