The National Australia Bank (NAB) has delivered a scathing report on the insecurity of enterprise software, including that provided by information security vendors themselves.
The bank established a technology risk and security team more than two years ago, and Gary Blair, who heads the unit, said that his team had so far reported 48 serious defects to software vendors.
Presenting at this year's Gartner IT Security Summit in Sydney, Blair said, "I would like to have a basis for not talking to you today, but two defect reports a month is too large."
"We believe the research focuses elsewhere. Most security research for commercial software is done in the consumer space. We don't believe there is enough focus on enterprise software. It may have been sufficient in the past but not any more."
Blair said most of the discovered vulnerabilities involved privilege escalation and authentication bypass, with SQL injection flaws also prominent.
Blair said serious attacks were moving up the solution stack into the application layer, leaving network-layer defences insufficient on their own. He said data was becoming the primary target and that serious attacks by well-resourced criminal gangs were a big worry.
NAB has now published its own reports on enterprise security architecture and patterns, secure code standards, secure code reviews, and security training for architects and designers.
Blair said security auditing of vendor products is difficult, since the bank has little or no control over the security of third-party code, but said vendors were opening up.
"Some are more than happy to talk about defects, and some grudgingly accept them and see how their own code can be improved," he said.