Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW
Expansion in electronic financial services requires advancement in software quality and secure coding
Report from the Financial Supervisory Service in 2012 states that half of the financial data processing errors were caused while modifying the program. For businesses related handling of financial transactions, the quality assurance of the software for the IT service is more important than in any other businesses. Furthermore, recently there are continuous and new means of cyber terror threats and in result, businesses are demanding security reinforcement through secure coding.
As the bank started to offer more diverse products and the workload got larger, they found limitations in relying on manpower to test development of software for the IT service. The bank found the necessity of detecting and removing potential SW vulnerabilities in outsourced programs of cooperative firms and all internally developing programs through a source code analyzer to strengthen automated quality testing and acquire security verification with secure coding.
Standards, performance and supporting systems of the source code analyzer
The bank selected the product SPARROW of Fasoo which has received praise for its detection performance and supporting system from a benchmarking test (BMT). SPARROW offers a semantic-based analysis, and shows great performance in detecting critical and hidden run-time errors. SPARROW not only follows development security guidelines from the Ministry of Security and Public Administration (MOSPA), but also international standard guidelines such as OWASP and CERT, and recently acquired the CWE certification for the first time in Korea. SPARROW was acknowledged for its ability to minimize security vulnerabilities set by these international standards. Currently, members from the biggest Korean research lab in the area of static analysis, Research on Software Error-free Computing Center of Seoul National University, are part of the team, committed in consulting and providing technical support.
Applied to all development work of the IT Department
For a successful integration, it was important to make the source code testing process smooth when developing, maintaining and operating various programs by more than 1,000 employees of the bank’s IT Department.
Developers check their source code frequently through the client analyzing manager and IDE plug-ins, and the person in charge of the quality manages the gathered analysis reports from the central manage system to ensure quality and security in the early developmental stage of the SDLC.
Furthermore, they have a development process that includes a configuration management system when developing a project with the cooperation of many developers. They create a workflow by linking the SPARROW analysis server and the configuration management system. Only source code verified by SPARROW is allowed to be transferred to the main server.
SPARROW composes of a deep source code analysis engine, a manager (Whistle) that performs analysis in the client, a plug-in that performs analysis in the IDE, and a central system NEST that gathers and manages the analysis results. Each module can easily be applied to different development environments anywhere in the SDLC.
Change central system to a combination of management and operation
Developed a central unified management system to inspect more than 100 project source codes from the bank’s IT Department that are split in developer or module scale. SPARROW’s unified management system NEST is an efficient web based system that inspects the quality and security of different business units and shows a statistical analysis of the result so that the present state of projects can easily be understood.
For work that requires more control, developers and checker groups can be set separately, and access privilege for each project can be controlled, overall enabling systematic management for the entire enterprise. Furthermore, efficiency was increased by tracking previous errors and making sure same errors do not appear twice.
It was important for them to develop a long-term standard system to manage source code from different developers. Before transferring to a different system, source code testing was mandatory and a subdivided standard system was also developed for continuous management and control.
Acquire quality and security together
International Internet security institution, CERT, released the ‘Top 10 Secure Coding Practices’, and the 9th guideline states to ‘Use effective quality assurance techniques’ for greater IT service quality improvement, as it is required to improve both quality and security.
The bank’s use of SPARROW will change the domestic financial IT service to acquiring both quality and security. Ultimately, SPARROW will upgrade the quality of all financial IT services.
From the Customer
“Since detection of run-time errors and security vulnerabilities is clearly evident, SPARROW is able to earn a justifiable reason to be used as a static application security testing tool and successfully be integrated into our systems.”
“After actually using the tool, the biggest advantage was that systematic management was possible through the analysis tool. The detected errors are divided into 5 levels: level 1 has errors that are certainly going to produce a problem, level 2 has errors that might produce unexpected results, and level 3 has errors that are recommended to be changed for maintenance and efficiency. This helps us to get rid of vulnerabilities and manage clean source code”
“We made a coding standard for us and customized SPARROW to suit the coding standard. Rule sets are delivered to developers by a centralized system, all developers used SPARROW on their own for identifying and managing SW vulnerabilities according to the corresponding rule set. The analysis is performed on IDE with the SPARROW plug-in or on build servers with command line scripts. The configuration management system is integrated with SPARROW for controlling the quality and security level of the source code. Only source code which has no SW vulnerability issues or which is granted by the QA manager can be transferred into the central server.”
“The most important factor to select a tool on BMT with various products is finding SW vulnerabilities accurately. Finding many issues with low false positive ratio is essential. Secondly, is finding SW defects which our QA departments want to find and identifying SW security vulnerabilities all in one tool. Thirdly, the analysis tool has to be easily integrated into the developer environments without modification and the analysis speed should equally as fast. Furthermore, the remediation guide for handling issues should be understandable. Lastly, we require robust control on quality and security level of source code for each project. Statistics and audit on each SW project are required.”
“It was useful to manage exceptions separately when transferring source code from the configuration management system to the operating server. We expect to use the statistical data from each team to increase quality and security of development in the SDLC. We also believe that the developing workforce will realize the importance of quality and security and bring overall improvement into both of these areas.”
– Manager, Quality Management Department-
About the bank
For the past 50 years, this bank has promoted educational supported projects, financial/credit businesses, and economic businesses to stimulate and provide balance for Korean’s agriculture and national economy. They have the largest financial network and one of the leading financial institutions in Korea.