Depository Trust & Clearing Corporation


DTCC’s Software Security Program and Leadership are Recognized as World Class

DTCC’s software security program has been recognized as a world-class leader, providing several key elements of the first software security “yardstick,” according to an independent assessment from Fortify Software, the market leader in software security assurance solutions, and Cigital, the largest consulting firm specializing in software security.

In their benchmarking report released last week, Building Security In Maturity Model (BSIMM), Cigital and Fortify Software created the first-ever scientific observation of common domains and activities for developing an enterprise-wide software security initiative. Based on interviews with technology leaders such as DTCC, Adobe, EMC, Google and Microsoft, among others, the BSIMM report provides real-world insight on how organizations successfully build security into software and mitigate the business risk associated with insecure applications.

‘A business imperative’

DTCC’s four-year-old software security program, recognized by the authors of the study as one of the most advanced in the world, applies rigorous strategy and metrics, training, standards and requirements for security testing and code review.

“The industry puts its trust in DTCC to clear and settle more than $1.88 quadrillion annually in securities transactions, and the stability of the financial system depends on our ability to deliver,” said William Aimetti, DTCC’s president and COO. “For us, software security is not a ‘nice to have’ but an absolute business imperative that our customers demand. With the sheer volumes and values of transactions we process and the central role we play in the financial services industry, customers need the assurance and confidence that the technology products we offer are, above all, rock-solid and secure.”

Leveraging CMMI

This is not the first recognition of DTCC’s best practices in information technology. Last fall, DTCC was appraised at Capability Maturity Model Integration (CMMI) Level 3, the only U.S. financial services organization to have achieved this rating across its entire enterprise.

CMMI, an internationally recognized assessment from the Software Engineering Institute (SEI) of Carnegie Mellon University, is a measure of excellence in improving organizational processes. In combination with DTCC’s software security program, CMMI Level 3 provides an extremely disciplined approach to embedding and enforcing software security controls, whether for custom code written by DTCC developers or for software purchased “off the shelf” and adapted for use.

“As one example of how we’ve incorporated CMMI Level 3 into software security, we now ‘front-end load’ by rigorously checking for vulnerabilities early in the code development lifecycle, rather than rely on penetration testing at the end and fixing defects after code is in production,” said James Routh, DTCC’s chief information security officer. “This has significant economic benefit in terms of productivity saved – and risk mitigation for customers.”

“We were pleased to share our experience, insights and best practices with the thought leaders at Cigital and Fortify Software,” Aimetti continued. “Their recognition of our software security program is a testament to the hard work and talent of our team of IT professionals.”

The BSIMM report from Fortify Software and Cigital is available at http://bsi-mm.com.

March 2009