Customers: St. Petersburg bank
Contractors: Positive Technologies
Product: PT Application Inspector (PT AI)
Project date: 2017/10 - 2017/11
In January 2018, Positive Technologies announced that St. Petersburg bank uses the company's service for instrumental analysis of web application source code, based on PT Application Inspector, to control the security of the remote banking service (RBS) systems it develops.
Prerequisites
St. Petersburg bank regularly improves its RBS systems and pays close attention to the information security of all the services it develops. External developers help us upgrade the RBS systems. Despite the specialists' high qualifications, there is always a risk that critically dangerous vulnerabilities can appear in an updated application. It is important to us that all RBS updates are reliable and reach our clients on time, so we impose requirements on code quality and on the speed with which vulnerabilities are identified and corrected. To carry out periodic security analysis, we turned to the experts of Positive Technologies, who have proven competence in the security of banking systems, said Anatoly Skorodumov, head of the information security support department at St. Petersburg bank.
Project Progress
Research by Positive Technologies into the security of financial applications showed that web applications developed by vendors contain, on average, twice as many vulnerabilities as those developed by banks in-house. Most of these security flaws can be avoided at the development stage if the application source code is analyzed regularly, including with automated tools.
Positive Technologies experts offered the bank's information security department a regular security analysis service using PT Application Inspector, which is designed to automate the search for vulnerabilities. In the first stage, the source code of the RBS web applications under development is audited with PT Application Inspector. Experts from the Positive Technologies security analysis department then validate the results and prepare a report that assesses the application's current level of security and recommends how to fix the vulnerabilities. This approach makes it possible to verify the vulnerabilities and errors found by PT Application Inspector through practical demonstration of attacks on the application, the company explained.
Result
The automated analysis allowed the bank's cybersecurity service to reduce the time needed to accept updates.
The bank's information security department specialists were able to implement control over source code developed by third-party contractors with minimal effort. Thanks to the extensive integration capabilities of PT Application Inspector, the code did not leave the bank's perimeter. This made it possible to complete the necessary work in the shortest possible time: the process took only seven days. St. Petersburg bank plans to carry out security analysis of the application quarterly and, in the short term, to implement the complete solution of the Application Security line, said Rami Muleys, promotions manager for PT Application Inspector at Positive Technologies.