

For Release:
Immediately
Contact:
Crystal Bueno
DTCC
clevy-bueno@dtcc.com
212.855.5473
New York, March 18, 2009 – The Depository Trust & Clearing Corporation's (DTCC) software security program has been recognized as a world-class leader, providing several key elements of the first software security "yardstick," according to an independent assessment from Fortify Software, the market leader in software security assurance solutions, and Cigital, the largest consulting firm specializing in software security.
In their benchmarking report released last week, "Building Security In Maturity Model (BSIMM)," Cigital and Fortify Software created the first-ever scientific observation of common domains and activities for developing an enterprise-wide software security initiative. Based on interviews with technology leaders such as DTCC, Adobe, EMC, Google and Microsoft, among others, the BSIMM report provides real-world insight into how organizations successfully build security into software and mitigate the business risk associated with insecure applications.
DTCC's four-year-old software security program, recognized by the authors of the study as one of the most advanced in the world, applies rigorous strategy and measurements, training, standards and requirements for security testing and code review.
"The industry puts its trust in DTCC to clear and settle more than $1.88 quadrillion in securities transactions, and the stability of the financial system depends on our ability to deliver," said William B. Aimetti, DTCC's president and chief operating officer. "For us, software security is not a 'nice to have,' but an absolute business imperative that our customers demand. With the sheer volumes and values of transactions we process and the central role we play in the financial services industry, customers need the assurance and confidence that the technology products we offer are, above all, rock-solid and secure."
This is not the first recognition of DTCC's best practices in IT. Last fall, DTCC was appraised at a Capability Maturity Model® Integration (CMMI®) Level 3, the only U.S. financial services organization to have achieved this rating across its entire enterprise. CMMI, an internationally recognized assessment from the Software Engineering Institute (SEI) of Carnegie Mellon University, is a measure of excellence in improving organizational processes. In combination with DTCC's software security program, CMMI Level 3 provides a highly disciplined approach to embed and enforce software security controls, whether it is custom code written by DTCC developers, or software purchased "off the shelf" and adapted for use.
"As one example of how we've incorporated CMMI Level 3 into software security, we now 'front-end load' by rigorously checking for vulnerabilities early in the code development lifecycle, rather than rely on penetration testing at the end and fixing defects after code is in production," said James Routh, DTCC's chief information security officer. "This has significant economic benefit in terms of productivity saved — and risk mitigation for customers."
"We were pleased to share our experience, insights and best practices with the thought leaders at Cigital and Fortify Software," Aimetti continued. "Their recognition of our software security program is a testament to the hard work and talent of our team of IT professionals."
The BSIMM report from Fortify Software and Cigital is available under a Creative Commons license here: http://bsi-mm.com.
The Depository Trust & Clearing Corporation (DTCC), through its subsidiaries, provides clearance, settlement and information services for equities, corporate and municipal bonds, government and mortgage-backed securities, money market instruments and over-the-counter derivatives. In addition, DTCC is a leading processor of mutual funds and insurance transactions, linking funds and carriers with financial firms and third parties who market these products. DTCC's depository provides custody and asset servicing for more than 3.5 million securities issues from the United States and 117 other countries and territories, valued at $27.6 trillion. Last year, DTCC settled more than $1.88 quadrillion in securities transactions. DTCC has operating facilities in multiple locations in the United States and overseas.