A Risk Assessment Framework Helps ICICI Bank Secure its Applications
ICICI Bank has around 550 bank applications and security checks would take up to 15 days. The Group CIO envisioned and rolled out an application security framework that eased many of their problems.
Team CIO, Nov 18th 2009

Summary:

CIO 100 Winner: ICICI Bank has around 550 bank applications, and security checks would take up to 15 days. The Group CIO, however, envisioned and rolled out an application security framework and program that eased many of their problems.

Highlights:

  • The framework prioritized applications for various levels of testing and the workflow coordinated 300 security tests and their re-tests.
  • The project cost Rs 45 lakh but ensures that the bank’s applications are more reliable from a security standpoint.

Reader ROI:

  • How to overcome application vulnerabilities
  • Importance of automated scanners vs. manual testing

With about a million customers, ICICI Bank manages close to Rs 50,000 crore in assets. A lot of that money is processed by about 550 bank applications that both its customers and about 10,000 of the bank's employees use. However, it was not always clear how open to vulnerabilities these applications were. It was not a state of affairs the bank wanted to continue. "The bank wanted a high level of assurance for all its applications," says Pravir Vohra, Group CTO, ICICI Bank, "within 18 months."

“This project has successfully tested over 300 core applications and significantly reduced our risk exposure."

The problem is that traditional application security testing takes between 10 and 15 days per application. "At that speed, it wouldn't have been possible to cover the entire bank's applications in 18 months," recalls Vohra.

He needed to get organized if his vendor was to complete all those security tests within the deadline. To start off, 300 applications were shortlisted as high-priority cases. Then, to meet the 18-month deadline, Vohra and his team created a multi-pronged strategy. Crucial to their approach was a customized application risk assessment framework and a workflow.

The framework prioritized applications for various levels of testing, and the workflow coordinated 300 security tests and their re-tests. Vohra says it helped reduce the lead time to start a test from three to six weeks to two to five days.

He also invested in an automated scanner, which cut the time wasted in doing manual testing for simpler flaws, and negotiated with his vendor for better prices given the large number of tests.

What also helped quicken the process was simpler, standardized reporting templates that people understood and could act upon. To help manage the project, his team used a dashboard that gave executives a snapshot of the security posture of any application and showed progress.
Despite all the planning, the job wasn't easy. "Testing and fixing a wide range of application platforms was a significant technical challenge. The sheer breadth of the platforms was a huge challenge," says Vohra.

The project cost Rs 45 lakh but ensures that the bank's applications are more reliable from a security standpoint. It also reduced the cost of security testing by a third.