As many financial institutions (FIs) are undoubtedly aware, New York State has taken what may be an unprecedented stance by issuing detailed cybersecurity requirements (23 NYCRR Part 500) to a large number of FIs operating in New York. Organizations must comply with the regulation over an 18-month transitional period. Apart from banks supervised by the Office of the Comptroller of the Currency, many FIs will face a regulatory need for a holistic application security program for the first time: they will be required to have one in place by September 3rd, 2018.
In particular, Section 500.08 requires FIs to enforce secure development practices and to be able to provide auditable proof of their compliance:
(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.
While writing an application security policy is well within the reach of most organizations, FIs will be challenged to provide auditable evidence that their development teams actually follow a secure development process. For many organizations, one critical component of this program will be security testing tools, namely Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and/or Interactive Application Security Testing (IAST). These tools find a subset of application security vulnerabilities automatically and are often the starting point of an application security program. Unfortunately, on their own they cannot show that a company has followed a holistic secure development program, and they are unlikely to satisfy a sophisticated auditor. Relying solely on testing tools is also risky for the CISO who attests to the effectiveness of the cybersecurity program: a clean scan says nothing about the requirements the scanner never checked.
An emerging class of tools helps provide a robust, scalable secure SDLC program with auditable reports.
Application Security Requirements and Threat Management (ASRTM) tools provide several capabilities for building security into the SDLC with auditable evidence. Critically, ASRTM output can be handed to third-party developers so they can show that they too are building secure applications, which addresses the "externally developed applications" clause of 500.08(a).
ASRTM complements but does not replace SAST, DAST and IAST. Coupled with a solid foundation of security awareness training, ASRTM enables teams to systematically build and maintain secure software.
ASRTM solutions have four major capabilities:
- Threat modeling: The ability to generate a specific list of relevant security threats for a piece of software from minimal user input (for example, its technology stack, deployment model and the data it handles). ASRTM solutions eschew slow and complicated data flow diagrams and trust boundary analysis and instead rely on a short questionnaire to generate the relevant threats.
- Requirements generation: ASRTM solutions generate the security requirements/controls that mitigate the threats they modeled. These requirements may include code samples, doing away with the need to maintain large, static secure programming guides.
- ALM integration: Many modern development teams make extensive use of Application Lifecycle Management (ALM) tools like JIRA. In order to minimize impact on development teams, the requirements should be a part of the application/product backlog just like functional user stories and other tickets. Effective ASRTM solutions should be able to track the status of requirements being completed in the ALM solution and provide a single dashboard for security teams.
- Testing integration and aggregation: SAST, DAST and IAST tools all play a critical role in partially verifying the security of software. ASRTM solutions integrate with these tools and aggregate the results from disparate scanners to show which requirements have been verified and which have not. For requirements no scanner covers, they provide instructions on how to test manually or build custom automated tests.
ASRTM solutions let you measure how secure your applications are as a whole, rather than how many vulnerabilities a particular tool found, by reporting:
- What threats & requirements an application has
- Which of those requirements are implemented
- Which of those requirements are verified through testing
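The three questions above are answered by joining three data sets that usually live in different systems: the requirement catalogue (with its links to threats, backlog tickets and tests), the ALM ticket statuses, and the scanner results. The script below is an added illustration of that join, not code from the original post or from any ASRTM product; the requirement identifiers, ticket keys, ALM statuses, scanner check names and all results are constructed sample data, and the "Done"/"Closed" workflow states are an assumption about a hypothetical ALM configuration. It treats a requirement as verified only when every mapped check passed, flags requirements whose checks never ran separately from those that failed, and routes requirements with no automated check to manual sign-off, which is the distinction an auditor will ask about.

```python
"""
Constructed illustration of ASRTM-style evidence aggregation: join a
security-requirement catalogue with an ALM ticket export and scanner
output to answer, per requirement, "is it implemented?" and "is it
verified?". All identifiers and results below are made up for the example.
"""
from collections import Counter

# Workflow states in the (hypothetical) ALM that count as "implemented".
DONE_STATUSES = {"Done", "Closed"}

# Constructed requirement catalogue. Each requirement traces to a threat,
# to the backlog ticket that implements it, and to the automated checks
# (tool:check) that verify it. An empty check list means manual verification.
REQUIREMENTS = {
    "R-1": {"title": "Use parameterised queries for all database access",
            "threat": "SQL injection", "ticket": "APP-101",
            "tests": ["sast:sql-injection", "dast:sql-injection"]},
    "R-2": {"title": "Require TLS 1.2 or later on all listeners",
            "threat": "Credential disclosure in transit", "ticket": "APP-102",
            "tests": ["dast:tls-version"]},
    "R-3": {"title": "Log failed logins with account and source address",
            "threat": "Undetected credential stuffing", "ticket": "APP-103",
            "tests": []},
    "R-4": {"title": "Rate-limit password reset requests",
            "threat": "Account enumeration", "ticket": None,
            "tests": ["dast:rate-limit"]},
}

# Constructed ALM export (an issue search result reduced to key and status).
ALM_EXPORT = [
    {"key": "APP-101", "status": "Done"},
    {"key": "APP-102", "status": "In Progress"},
    {"key": "APP-103", "status": "Closed"},
]

# Constructed scanner output, normalised to (tool:check, pass/fail).
SCAN_RESULTS = [
    {"test": "sast:sql-injection", "result": "pass"},
    {"test": "dast:sql-injection", "result": "fail"},
    {"test": "dast:tls-version", "result": "pass"},
]

# Constructed record of manual verification sign-offs.
MANUAL_RESULTS = {"R-3": "pass"}


def build_report(requirements, alm_export, scan_results, manual_results):
    """Return {req_id: {...,"implemented": bool, "verification": str}}.

    verification is one of "verified", "failed", "untested", "manual-required".
    """
    ticket_status = {t["key"]: t["status"] for t in alm_export}
    test_results = {r["test"]: r["result"] for r in scan_results}
    report = {}
    for req_id, req in requirements.items():
        ticket = req["ticket"]
        implemented = ticket is not None and ticket_status.get(ticket) in DONE_STATUSES

        if req["tests"]:
            outcomes = [test_results.get(t) for t in req["tests"]]
            if any(o == "fail" for o in outcomes):
                verification = "failed"      # a scanner found the control absent or broken
            elif all(o == "pass" for o in outcomes):
                verification = "verified"    # every mapped check ran and passed
            else:
                verification = "untested"    # at least one mapped check never ran
        else:
            verification = "verified" if manual_results.get(req_id) == "pass" else "manual-required"

        report[req_id] = {
            "title": req["title"],
            "threat": req["threat"],
            "ticket": ticket,
            "implemented": implemented,
            "verification": verification,
        }
    return report


def summarise(report):
    """Counts a dashboard would show, plus the gaps an auditor will ask about."""
    counts = Counter()
    gaps = []
    for req_id, row in report.items():
        counts["total"] += 1
        counts["implemented"] += row["implemented"]
        counts["verified"] += row["verification"] == "verified"
        if row["ticket"] is None:
            gaps.append(f"{req_id}: not in the backlog")
        elif not row["implemented"]:
            gaps.append(f"{req_id}: ticket {row['ticket']} not done")
        if row["verification"] != "verified":
            gaps.append(f"{req_id}: {row['verification']}")
    return dict(counts), gaps


if __name__ == "__main__":
    rep = build_report(REQUIREMENTS, ALM_EXPORT, SCAN_RESULTS, MANUAL_RESULTS)
    counts, gaps = summarise(rep)
    print(f"{counts['implemented']}/{counts['total']} requirements implemented, "
          f"{counts['verified']}/{counts['total']} verified")
    for gap in gaps:
        print(" -", gap)
```

Note that "implemented" and "verified" are kept as independent facts: in the sample data R-2 passes its TLS check although its ticket is still in progress (the platform default may already be correct), while R-1 is marked done but fails a DAST check. Both combinations are exactly what a requirements-driven view surfaces and a scanner-only view hides.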
When putting together your plan for complying with the NYS DFS Cybersecurity Regulation, be sure to include an ASRTM solution.
Learn more about how Security Compass’s ASRTM platform, SD Elements, can help FIs comply with the new regulations here.