A Risk Assessment Framework Helps ICICI Bank Secure its Applications

A case study on Security in Banking
Team CIO

Executive Summary

CIO 100 Winner: ICICI Bank has around 550 bank applications, and security checks would take up to 15 days each. The Group CIO, however, envisioned and rolled out an application security framework and program that eased many of these problems.

With about a million customers, ICICI Bank manages close to Rs 50,000 crore in assets. A lot of that money is processed by about 550 bank applications that both its customers and about 10,000 of the bank's employees use. However, it was not always clear how open to vulnerabilities these applications were. It was not a state of affairs the bank wanted to continue. "The bank wanted a high level of assurance for all its applications," says Pravir Vohra, Group CTO, ICICI Bank, "within 18 months."

The problem was that traditional application security testing takes between 10 and 15 days per application. "At that speed, it wouldn't have been possible to cover the entire bank's applications in 18 months," recalls Vohra.

He needed to get organized if his vendor was to complete all those security tests within the deadline. To start, 300 applications were shortlisted as high-priority cases. Then, to meet the 18-month deadline, Vohra and his team created a multi-pronged strategy. Crucial to their approach were a customized application risk assessment framework and a workflow.

The framework prioritized applications for various levels of testing, and the workflow coordinated 300 security tests and their re-tests. Vohra says it helped reduce the lead time to start a test from three to six weeks to two to five days.

He also invested in an automated scanner, which cut the time spent on manual testing for simpler flaws, and negotiated better prices with his vendor given the large number of tests.

What also helped quicken the process were simpler, standardized reporting templates, which people understood and could act upon. To help manage the project, his team used a dashboard that gave executives a snapshot of the security posture of any application and showed progress.

Despite all the planning, the job wasn't easy. "Testing and fixing a wide range of application platforms was a significant technical challenge. The sheer breadth of the platforms was a huge challenge," says Vohra.

The project cost Rs 45 lakh but ensures that the bank's applications are more reliable from a security standpoint. It also reduced the cost of security testing by a third.

The Person Behind It

Pravir Vohra
Group CTO, ICICI Bank
“This project has successfully tested over 300 core applications and significantly reduced our risk exposure."
