
Novagalicia secures critical applications with HP Fortify
Spanish bank values accuracy, ease of use, flexibility, and speed of cloud-based solution

Case study

Industry
Financial services

Objective
Quickly and accurately assess the security of diverse applications resulting from a recent merger

Approach
Deploy the HP Fortify on Demand security-as-a-service testing solution

IT matters
• Rapidly analyzes code written in a large number of programming languages
• Provides line of code–level detail with suggestions on how to remediate vulnerabilities
• Increases security awareness of the development staff

Business matters
• Enhances compliance posture for internal and external audit, including PCI
• Enables the bank to start small and grow as required to meet business requirements
• Cloud-based model eliminates the need to invest in dedicated hardware and software for application security

“HP Fortify on Demand not only helps us improve application quality in terms of security, it also increases our developers’ awareness of security issues and use of best practices—a key component of PCI compliance.” – Roberto Baratta, CISO, Novagalicia Banco

Strong code analysis solution
Two years ago Novagalicia Banco—the trading name of NCG Banco, S.A., a Spanish bank based in Galicia—was created as the result of a merger between Caixanova and Caixagalicia savings banks. For CISO Roberto Baratta, it was déjà vu all over again. A security professional with more than 11 years’ experience in the financial services industry, Baratta had been through many such mergers. He knew that trying to assess and improve the security of the discrete applications coming from myriad sources would be a daunting task. After evaluating multiple options, Baratta chose the security-as-a-service (SaaS) testing solution HP Fortify on Demand to handle the job.


Case study | Novagalicia Banco

The IT department performed a rapid integration over the course of six to eight months. One of the main challenges in integrating the IT systems of the two different companies was to rationalize all the legacy, new, third-party, and in-house applications. Baratta knew the first steps were to identify the scope of the applications, collect pertinent information, and test the level of security in the code. Going forward, Novagalicia Banco will extend the access and authorization control to all applications.

The way forward
In its exercise of due diligence, the bank designed a comprehensive proof of concept (PoC) to test a portion of two applications: the corporate website and online banking. Three different vendors were asked to explain and demonstrate their solutions and perform a “real” analysis on-premise. The PoC made it clear that HP Fortify on Demand would meet the bank’s requirements very well in terms of usability and accuracy. The capacity and flexibility of the HP solution also stood out: “Some of our needs were based on ‘personalized flavors’ of programming environment, such as Java,” Baratta says. “HP Fortify on Demand was able to analyze all of this code with minimal adaptation. The large number of programming languages supported by HP Fortify on Demand is a key benefit for Novagalicia Banco.”

The bank has already started running ad hoc analyses on the source code of its approximately 400 applications, starting with critical areas such as mobile banking, e-banking, payment gateways, corporate websites, and wire transfer. Once this assessment is complete, Baratta and his team will meet with the development groups to agree on specific application security and code quality goals. “We will plan an application source code review for each new development, or significant update of current applications, before going into production,” he says. “This includes extending the scope of the kind and number of applications scanned, including financial and department applications.”

Over time, HP Fortify on Demand will be fully integrated into the software development lifecycle, such that programmers can use the solution as part of their daily routine. “Once it has been implemented into the developers’ desktop environment, we will increase the awareness of secure design and programming, and involve the development teams more in ‘security by design’ processes,” says Baratta. Novagalicia Banco also plans to require third-party code providers to scan their applications for possible vulnerabilities.


Key benefits
Of the many important benefits that HP Fortify on Demand provides for Novagalicia Banco, one of the most important is a function of the solution’s SaaS model. “We use the solution as an automated, on-demand service, and we love it,” says Baratta. “The security-as-a-service approach was a very important factor when we were considering our alternatives. In evaluating various solutions, we found the quality of service to be really impressive with HP Fortify on Demand.”

The SaaS model gives Novagalicia Banco the flexibility to start in a very focused manner and grow as necessary, without making a dedicated investment in hardware and software. “It is perfect for us,” continues Baratta. “We are starting small; however, we fully expect to incorporate HP Fortify on Demand as an integral part of the lifecycle design. In the future we may even implement the functionality on-premise, but for now, the flexibility of the SaaS model is very valuable to us.” Baratta adds that HP Fortify on Demand drives productivity enhancement for Novagalicia Banco by reducing the amount of supervision related to application logs and controls.

On-premise HP security experts effectively augment Baratta’s in-house resources in all phases of the project. “The most valuable service they provide is to correct and simplify the reports,” says Baratta. “This gives us a ‘human expert’ view that makes it possible to reduce the time and effort we need for interpretation of the results.” HP Services also supports several business processes for the company, including the help desk, business process outsourcing, and the Security Operations Center. Adds Baratta, “HP is a critical partner for Novagalicia Banco.”

Focus on application security
HP Fortify on Demand plays a key role in compliance, as well. “We always try to demonstrate value to the business with any project we undertake,” says Baratta. “When we started to evaluate application security solutions, we realized that a significant value-add would be enhanced compliance with internal and external audits, including Payment Card Industry (PCI) requirements. HP Fortify on Demand not only helps us improve application quality in terms of security, it also increases our developers’ awareness of security issues and use of best practices—a key component of PCI compliance. The solution has definitely increased our level of compliance in PCI and other requirements.”

Baratta has found HP Fortify on Demand very easy to use. “We work with the different development groups to create a calendar for uploading the code,” he explains. “Then we schedule meetings in which my staff and the developers perform the analysis. It is a very collaborative process: They submit the code together, and they review the results together. My staff is really happy with this solution.” Assessments are delivered in a report featuring a consistent five-star rating system, typically in one day. Results are correlated and prioritized by severity and exploitability. Issues identified include line of code–level detail with suggestions on how to remediate the vulnerabilities that are detected.


HP Fortify on Demand has already resulted in a positive impact on the overall organization. The quality of applications has increased, with fewer errors and less need for support. Baratta’s assessment also shows a reduction in information and technology risk across the bank’s application environment.

As the threat landscape continues to evolve and change, so too does the area of focus for Novagalicia Banco and similar institutions. “In the past we fought at the perimeter, and we are still fighting there,” concludes Baratta. “But the main concern now is application security. The number and complexity of applications has increased significantly in the last few years, as we strive to quickly deliver new services to our customers. This is clearly an area of vulnerability. I feel very comfortable that HP Fortify on Demand can help us counter this growing threat effectively—and, with no hardware or software to deploy or maintain, quite affordably.”

Learn more at hpenterprisesecurity.com

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA4-6609ENUS, July 2013

Customer solution at a glance
Solution
• HP Fortify on Demand

HP services
• On-premise staff augmentation
