
Secure Application Development Training in Investment Banking

commissum is a company one hundred percent focused on the provision of information security advice and services. Our team has been providing the full range of these services to a broad cross-section of businesses and government organisations for over twenty years.

commissum (ko-mis-sum), n.: that which is entrusted [Latin]

Secure Application Development Training - Investment Bank

Client

The client is one of the world’s largest investment banks with application development teams located globally.

Client Requirement and Business Drivers

The main driver for training the software development community was the recognition that:

  • The majority of security vulnerabilities are found in the application layer;
  • Despite many initiatives regarding security, and regular, comprehensive testing of systems, security issues at the application level were still a primary area of concern and frequently the reason for re-work on projects and the cause of security incidents;
  • Timescales on most application development projects were critical to meeting business requirements;
  • There is always a delicate balance between functional requirements, business needs, and security risk;
  • Developers are usually focused on ensuring that business functional requirements are delivered within the timescales set down by the business;
  • In this environment, it was frequently too easy to overlook critical flaws in design or not follow best practice development methodology.

The bank therefore implemented an initiative to focus on reducing security vulnerabilities early in the software development lifecycle; a critical element of this was training for the large development community around the world. The first step was to establish a common level of awareness of application security issues and how to address them.

It was decided to engage commissum as an independent expert to propose a “quick fix” solution for spreading awareness with minimal disruption to the day-to-day operational activities of the developers. The solution agreed with the bank was a small bespoke e-learning package (a training “nugget”) based on the OWASP Top 10 security vulnerabilities.

Services Provided

The bank decided that for reasons of expediency, and simplicity of implementation, the e-learning would be delivered through a small, bespoke Flash module developed by commissum – a training “nugget” that would form part of the longer term initiative to raise awareness and implement training. This module would be distributed globally, throughout the enterprise; the mini training “nugget” was made mandatory for all development team members.

The features provided by the training “nugget” included:

  • As a stand-alone Flash-based module it was very cost effective to implement and simple to distribute;
  • It highlighted the typical issues and vulnerabilities that are found in most web-based applications, essentially based on the OWASP Top 10 with some tailoring for bank-specific issues;
  • Using simple graphical animation and interaction, the training nugget demonstrated:
    • What the vulnerabilities are;
    • How the vulnerabilities manifest themselves and result in security issues; and
    • How developers can avoid these issues.
  • The training “nugget” included a simple method of tracking successful completion through multiple choice questions;
  • The trainees were required to complete the course and print a completion certificate generated by the system as proof of completion.

As the first element of the bank's global training initiative this was a great success. The engaging, self-paced training “nugget” had a strong, immediate take-up in the development community, with high satisfaction levels recorded by the trainees. The interest created by the initiative had a very positive effect on the security awareness of the community, and created a very positive attitude towards the more detailed training initiatives that followed.

“commissum provided us with a high quality service. We found the project team helpful and flexible in responding to changes in requirement; the technical staff in particular were excellent. All commitments including deliverable timescales were met and I would have no hesitation in recommending commissum.”

Mr A Moretti, Executive Director for IT Security Risk Management, Global Investment Bank

“commissum recently provided us with services to assess a web application and supporting infrastructure. I was impressed with the consultants throughout the project, by their technical knowledge, flexibility, open communication and willingness to go that extra mile. Of particular benefit was the sound advice given both during and after the engagement. By identifying vulnerabilities promptly, accompanied with practical recommendations on how to address them, we were able to implement improvements quickly. Good value, a job well done.”

JM, Infosec Analyst, International Investment Bank