Because of the financial magnitude of DTCC's daily dealings through its numerous web applications, it can't afford to have its developers make the same kind of security mistakes that their colleagues at other organizations make during the development lifecycle, says DTCC Chief Information Security Officer Jim Routh.
"The use of web-based applications forces us to essentially poke holes in the perimeter for information flow from our web applications to our customers in back, so the whole concept of a perimeter starts to get a little fuzzy. At the same time, threat trend data began suggesting that those that are interested in unauthorized access to the network are looking for vulnerabilities elsewhere — and the most likely targets are web applications," Routh says. "This is where a host of vulnerabilities is likely to exist because, from an industry perspective, we didn't put a whole lot of thought into things like buffer overflows and cross-site scripting, and we also made the assumption we could keep people out of our networks."
This is why in 2005, when Routh was revamping the information security program at DTCC, his first priority was web application security. But, unlike some security practitioners, Routh wasn't focusing on just securing code. Instead, he wanted to tackle the broader issue.
"What we decided is instead of attempting to achieve an objective of developing secure code, we chose to focus on developing the knowledge and expertise in all of our application developers to be able to both design information security controls into the applications as they're developing, and understand and remediate vulnerabilities in the development process."
First in Routh's mind was improving developers' training and education. This meant focusing on daily practice, as well as on their use of vulnerability scanning during development.
"When they looked at the web application challenge, I think the real focus was two-fold," says Michael Weider, founder and chief technology officer for Watchfire, which provided one of the web application scanning tools DTCC chose for its security push. "One is to put in a program that would begin to make application security part of the software development lifecycle — so that they are testing all critical applications before they go live."
The second part of the challenge is to focus on education, says Weider. "Developers have traditionally not been trained very well on security. I think what they really focused on is changing the culture of the organization, changing the process and priorities to make security as important as function and features."
Paradigm shift
The cultural shift necessary to modify the habits of hundreds of developers in an organization doesn't come overnight. In order to kick-start the security awareness at DTCC, Routh developed an engineering task force to do cross-functional testing during the development lifecycle. It was also necessary to do outreach with the developers when mistakes were found.
"We developed an integrated test team that wasn't dedicated to any particular project. So a development project would develop code and it would run, let's say, a web-based application that may pull information from a database on the server and another database on the mainframe," he says. "In order to test that application we have to see how that transaction flows from platforms, across the server, across the mainframe and back. So this team was set up to conduct that kind of testing of complex applications across platforms."
In order to accomplish its goals, this team was armed with Watchfire AppScan. The program is used to probe for vulnerabilities and to provide insight into the underlying problems that caused the flaws in the first place.
"They're using that on our higher risk cross-platform applications. It's another level of vulnerability scanning that takes place. The information is fed back to the application development teams to remediate the vulnerabilities that are identified prior to going through another test cycle and being put into production," Routh says.
Spreading the word
While project developers already have a more traditional vulnerability scanning application in their toolbox, he armed his security testing team with Watchfire AppScan because of the contextual help it provides. He says it enables them to offer the right advice to developers once they are finished testing.
"The reports are passed back to the developers as defects. Through that process they are able to stop applications from going live that have critical problems," Weider says. "By getting these reports back to the developers and sitting down with the security professionals and walking through these defects, the organization is able to improve its overall security IQ and to better understand the mistakes of the past."
Arming this special security task force with Watchfire AppScan is only one piece of the puzzle, Routh says. Day-to-day developers also have a program called Code Assure that they use to scan for vulnerabilities on a consistent basis. And Routh has homed in on spreading education through a grassroots campaign among developers.
"We chose our best and brightest application developers and we put them through an exclusive information security training program. That program teaches them not only how to use vulnerability scanning tools in the development cycle, but how to integrate the new deliverables and activities in the software development methodology that we used. We essentially taught them awareness around how to design applications from a security standpoint," Routh says. "We called them our mavens, and we certified them and asked them to coach other developers in their business areas to help them learn the practices."
Currently, DTCC has designated 40 of its 450 developers as security mavens, and Routh says the plan is to gradually train more as time goes on. He believes the more that are trained and the more often his security task force meets with developers, the better his chances to change the way security is built into applications.
And though these security efforts may not be directly bringing money into the company, they are enabling DTCC's applications to run reliably, which in turn reassures customers.
"We have developers who spend most of their time developing code. That's driving the value proposition through to customers who use our services. And that is exactly what we want them to focus on," he says. "But our customers have expectations for resiliency and for security of those applications. So we have an obligation to ensure that they can count on that security. And that means designing application security into all of the products we offer to the market."