Project

UTSB has checked the security of the software of Sinara Bank's investment service

Customers: Sinara Bank (formerly SKB Bank)

Yekaterinburg; Financial services, investments and auditing

Product: IT and Security External Audit Projects (PCI DSS and ISMS)

Project date: 2023/09 - 2024/03

2024: Software Security Check

UTSB has checked the security of the software of Sinara Bank's investment service. UTSB announced this on April 16, 2024.

According to Bank of Russia Regulation No. 683-P "On the Establishment of Mandatory Requirements for Credit Institutions to Ensure Information Protection in Banking Activities in Order to Counteract Money Transfers without Customer's Consent," credit institutions must ensure that the software of automated systems and applications is assessed at a level no lower than the fourth evaluation assurance level (OUD4). One effective way to ensure a high level of information security is expert analysis of software security and assessment of its compliance with regulatory requirements. Such tasks are handled by the UTSB Cybersecurity Center, a company with 16 years of experience in the field of information security.

At the first stage of the software analysis, the UTSB team interviewed the service's developers and employees of Sinara Bank's information security service. This made it possible to determine the entry points for the study and to assess the software's security functions and development processes. Next, the center's experts began the assessment to establish whether potential vulnerabilities were present: they performed a comprehensive security analysis that included both source code analysis and penetration testing. In parallel, the UTSB team developed a set of documentation for the software being evaluated. The project concluded with the preparation of an expert opinion on compliance with OUD4.

"One of the features of the project is the microservice software architecture. This approach to product development allows you to flexibly manage the software architecture and its functionality, and to make local updates. But for security analysis, this brings additional difficulties. Each service requires a separate study and verification of certificates and protocols. When assessing security, some nuances of software security were identified that affect the functioning of the service. The product developers quickly eliminated the identified shortcomings," said Evgeny Todyshev, head of the Secure Development Department of the UTSB.

As a result of the security assessment for compliance with OUD4, the Sinara Investments software confirmed its high level of customer data security.

"Thanks to cooperation with the UTSB, we received a comprehensive assessment of the information security of our product and a competent conclusion on its compliance with OUD4. The work on the project was carried out promptly, and we received the conclusion and documentation for the software on time. This allowed us to meet regulatory and business requirements in a timely manner and to release a new functional and secure investment service for clients," said Denis Uleiko, Director of the Information Security Department of the Security Directorate of Sinara Bank.

Auditing development processes and assessing the security of developed software is one of the lines of work of the UTSB Cybersecurity Center. The team's expertise covers the entire range of work on software security analysis: identifying security threats and preparing recommendations for their elimination, and providing conclusions and documentation in accordance with all regulatory requirements.