UK financial services institution secures application transition to public cloud

Innovative static code analysis solution defines a best-practice approach to securing automated public cloud application releases while accelerating the development process.

Checkmarx, together with its partner Tantallon, is working with a major UK financial services group to create a new type of ‘belt and braces’ approach to securing and deploying its applications into the Amazon Web Services cloud.
The customer, a top 3 UK financial institution with assets in excess of £800 billion, has made a strategic decision to improve the agility of its software development cycle through the use of the web-scale architecture and rapid provisioning offered by AWS. However, because it prefers to keep all code within the organisation’s own data centres, additional security measures were considered necessary to protect critical applications moving from the organisation into AWS.
The institution has been working with Tantallon, an independent cyber security consulting firm that provides advisory, implementation and managed services to Fortune 1000 clients and government organisations on a global basis. 
As Steve Street, Managing Director for Tantallon explains, “We looked at a number of options, but Checkmarx was the only solution suited to this project as it meets the typical requirement from the financial services sector that no proprietary code should leave an institution’s premises for inspection, while still offering the capability of enforcing and automating code scanning, prior to release to a given Public Cloud.”
The first part of the two-stage project has already helped the institution successfully deploy a fully integrated Checkmarx CxSAST static code analysis on-site solution as part of its secure Software Development Lifecycle transition; that deployment is scanning millions of lines of code each week. Stage two takes the same technology and places a version in AWS, offering an equivalent system that automates the scanning process as a final step before applications make their way to the cloud.
Checkmarx CxSAST is a source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code. Without needing to build or compile a software project's source code, CxSAST builds a logical graph of the code's elements and flows, which is then examined for issues such as security vulnerabilities, compliance issues, and business logic problems. CxSAST comes with an extensive list of hundreds of preconfigured queries for known security vulnerabilities in each supported programming language, including Java, PHP, scripting languages such as JavaScript, and .NET technologies (C#, VB.NET). Additionally, Checkmarx scans mobile platforms such as Android, iOS and Windows Mobile.
CxSAST provides scan results to the customer as either static reports or in an interactive interface that enables tracking of runtime behaviour per vulnerability through the code, and provides tools and guidelines for remediation. Results can be customised to eliminate false positives, and various types of workflow metadata can be added to each result instance which can be used for subsequent scans to further increase performance.
“Checkmarx has the additional benefit of offering both proprietary and open source code analysis,” explains Street, “along with industry-leading support for the widest number of languages and deployment methods, which is essential as the organisation explores a number of innovative new applications built using the latest development languages.”
The project is part of a wider move to adopt the cloud across the UK financial services sector, as regulatory and compliance hurdles have been overcome through clarification and agreement with the FCA. “The typical application development cycle within financial services has traditionally been sluggish as development teams struggle to navigate through the complexities of the internal processes across disparate systems and networks while adhering to both internal and regulatory guidelines. This project has the potential to help the institution become more agile in its development lifecycle, while strengthening security across the board.” The on-site phase is already deployed, while the AWS portion of the project, which will automate much of the development workflow, is now underway, with more details to follow at a later date.