Customer stories

Major Credit Group

Fortify strengthens cyber resilience in preparation for DORA introduction while reducing code vulnerabilities by 50% and boosting vendor collaboration

Products and services

OpenText™ Fortify™

Outcomes

Full DORA compliance
50% reduction in code vulnerabilities
Improved vendor collaboration through simplified process to accept external software
Flexible deployment suits the credit group’s business model
‘Security by design’ principle strengthens cyber resilience

Challenge

Prepare banking client for new financial regulation compliance requirements while simplifying the process of introducing external software.

Details

Introduction of DORA presents new challenges

All financial industry participants already need to comply with many regulatory requirements. Within the European Union (EU), this has recently been expanded to include the Digital Operational Resilience Act (DORA). This promotes Europe-wide convergence on the requirements financial institutions must adopt to raise the security of their digital systems. As part of it, financial entities need to conduct vulnerability assessments before introducing or re-introducing new or existing services. They also are required to test all critical applications and systems at least once a year.

A major credit group needed to integrate appropriate testing tools within its software development cycle to increase the level of resilience of its software solutions and prepare for DORA compliance. The credit group turned to its trusted partner, Join Business Management Consulting. This strategy and management consulting firm is ranked among the fastest-growing companies in Europe by the Financial Times and Il Sole 24 Ore. “We initially carried out a market analysis to identify the solutions that met the client’s requirements, such as the need to introduce static code analysis mechanisms within the application lifecycle,” explains Maurizio Garofalo, Head of the Risk, Compliance and Cybersecurity Practice at Join Business Management Consulting.

We consider the adoption of the ‘security by design’ principle in our software lifecycle management a building block of our cyber resilience strategy. Fortify has proved to be the ideal technology partner for this in terms of depth, breadth, and precision of vulnerability analysis, DevOps integration, and service model flexibility.

Chief Information Security Officer
Major Credit Group

Fortify exceeds expectations compared to alternatives

Garofalo continues: “We identified Fortify as the best solution for the credit group’s needs. In fact, in addition to the criteria we determined with the client, Fortify outshone other solutions in a number of ways. First of all, we like the superior level of reliability and rich functionality that comes from being an established solution, recognized as market leader by leading analysts: Gartner, Forrester, IDC, and G2. We also appreciated the broad language support and the opportunity to use Fortify both in an on-premises mode for easy inclusion in the development cycle infrastructure, or as a flexible service in the cloud, more suitable for our client’s software partners. These benefits came at a similar cost to that of far less performant solutions.”

Fortify is the inclusive and extendible suite of application security solutions with two decades of experience and continuous improvement. Fortify solutions enable end-to-end application lifecycle management by providing static code testing through its static application security testing (SAST) module, dynamic code testing with its dynamic application security testing (DAST) module, and software composition analysis (SCA) to ensure the security of any open source code components that are used. Using sophisticated artificial intelligence (AI) technology, Fortify allows automated security checks to be performed on code as it is written, suggesting changes required to ensure the code is as robust as possible. “The level of protection provided by Fortify facilitates DevSecOps development models and regulatory compliance in multiple areas, including the financial sector,” comments Garofalo.

Full DORA compliance and improved vendor collaboration

The start of the project involved Fortify on Demand, providing application security as a service without the need for additional infrastructure or resources. This is particularly valuable to validate software from external or commercial vendors, often small software companies specializing in banking solutions. The credit group cannot share its source code with external vendors, as it is protected by intellectual property law, nor can it accept code that hasn’t been checked according to its own software development standards. However, leveraging Fortify on Demand, the credit group can offer external vendors access to application testing via a code security scan. This allows the credit group to obtain an independent security certification to ensure that the security of the software conforms with its requirements.

The credit group leverages Fortify’s on-premises solution within its three in-house development factories where pre-defined languages are used. The first factory focuses on the development of home banking applications and its related apps for mobile access. The second factory develops the core applications for the group’s information system that manages communication between its 180 branch offices. The third factory develops the software used to create debit, credit, and pre-paid cards. “The Fortify hybrid deployment model, with on-demand and on-premises capabilities, is central to all software development at the credit group by ensuring that every code component is checked and corrected on the fly before it goes into production,” explains Garofalo.

50% reduction in code vulnerabilities and 15 critical applications successfully implemented

The introduction of Fortify led to the successful and seamless implementation of 15 business-critical applications, including both developed code and Open Source components. Following the Fortify process, 100 percent of new software releases are secured and certified against the Open Source foundation for application security (OWASP) top 10, as well as sysadmin, audit, network and security (SANS) top 25 standards. The credit group has identified a 50 percent reduction in code vulnerabilities associated with its developers’ higher level of security awareness through the introduction of Fortify and a gamified training program. The credit group’s CISO comments: “We consider the adoption of the ‘security by design’ principle in our software lifecycle management a building block of our cyber resilience strategy. Fortify has proved to be the ideal technology partner for this in terms of depth, breadth, and precision of vulnerability analysis, DevOps integration, and service model flexibility.”

Garofalo concludes: “The credit group is delighted with Fortify’s ability to strengthen application development security, eliminate code vulnerabilities, and comply with DORA regulations. It also leverages the Voltage SecureData Payments by OpenText solution to ensure payment data encryption.

This simplifies PCI compliance and protects clients’ credit card data in e-commerce applications, as well as web and mobile payments. Given the success of both Voltage and Fortify, the credit group is considering integrating the two to provide further value.”

Fortify is central to all software development at the credit
group by ensuring every code component is checked
and corrected on the fly before it goes into production.

Maurizio Garofalo
Head of the Risk, Compliance and Cybersecurity Practice, Join Business Management Consulting

About Major Credit Group

A major credit group needed to integrate appropriate testing tools within its software development cycle to increase the level of resilience of its software solutions and prepare for DORA compliance.

Aviator AIAviator AI

Analytics CloudAnalytics Cloud

Data Lakehouse & AnalyticsData Lakehouse & Analytics

BI, Visualization & ReportingBI, Visualization & Reporting

eDiscovery with AIeDiscovery with AI

OpenText™ Aviator Search

Business Network CloudBusiness Network Cloud

Supply Chain AutomationSupply Chain Automation

B2B IntegrationB2B Integration

Secure CollaborationSecure Collaboration

Supply Chain TraceabilitySupply Chain Traceability

Supply Chain InsightsSupply Chain Insights

Industry Applications and ServicesIndustry Applications and Services

OpenText™ Business Network Aviator

Content CloudContent Cloud

Document ManagementDocument Management

AI Content ManagementAI Content Management

Capture and Intelligent Document ProcessingCapture and Intelligent Document Processing

Process AutomationProcess Automation

Business IntegrationsBusiness Integrations

Information ArchivingInformation Archiving

Industry SolutionsIndustry Solutions

Information GovernanceInformation Governance

OpenText™ Content Aviator

Cybersecurity CloudCybersecurity Cloud

Application Security TestingApplication Security Testing

Data SecurityData Security

Security OperationsSecurity Operations

Identity and Access ManagementIdentity and Access Management

Digital Forensics and Incident ResponseDigital Forensics and Incident Response

OpenText™ Cybersecurity Aviator

DevOps CloudDevOps Cloud

DevOps PlatformDevOps Platform

Functional TestingFunctional Testing

PPM and Strategic Portfolio ManagementPPM and Strategic Portfolio Management

Quality ManagementQuality Management

Performance EngineeringPerformance Engineering

OpenText™ DevOps Aviator

Experience CloudExperience Cloud

Web & Mobile ExperiencesWeb & Mobile Experiences

Contact Center AnalyticsContact Center Analytics

Messaging & FaxMessaging & Fax

Customer CommunicationsCustomer Communications

Digital Asset ManagementDigital Asset Management

Customer Journey and DataCustomer Journey and Data

OpenText™ Experience Aviator

Observability and Service Management CloudObservability and Service Management Cloud

Service ManagementService Management

ObservabilityObservability

AIOpsAIOps

Automation and Vulnerability RemediationAutomation and Vulnerability Remediation

CMDB and Asset ManagementCMDB and Asset Management

OpenText™ Service Management Aviator

OpenText™ ThrustOpenText™ Thrust

OpenText™ Thrust bundleOpenText™ Thrust bundle

OpenText™ Aviator Thrust

Device and Data ProtectionDevice and Data Protection

Enterprise Data Backup and Disaster Recovery SolutionsEnterprise Data Backup and Disaster Recovery Solutions

Unified Endpoint Management ToolsUnified Endpoint Management Tools

Hybrid Work, Email, and Team Collaboration Hybrid Work, Email, and Team Collaboration

Email Archiving, E-Discovery, Data Archiving ComplianceEmail Archiving, E-Discovery, Data Archiving Compliance

Connectivity and Document ManagementConnectivity and Document Management

Information reimaginedInformation reimagined

Artificial IntelligenceArtificial Intelligence

IndustryIndustry

Enterprise ApplicationsEnterprise Applications

Your journey to successYour journey to success

Customer SupportCustomer Support

Customer Success ServicesCustomer Success Services

Consulting ServicesConsulting Services

Cloud MigrationCloud Migration

NextGen ServicesNextGen Services

Latest product releasesLatest product releases

Learning ServicesLearning Services

Managed ServicesManaged Services

Find an OpenText PartnerFind an OpenText Partner

Find a Partner SolutionFind a Partner Solution

Grow as a PartnerGrow as a Partner

Become a Partner

Resource libraryResource library

Aviator AI

Analytics Cloud

Data Lakehouse & Analytics

BI, Visualization & Reporting

eDiscovery with AI

Business Network Cloud

Supply Chain Automation

B2B Integration

Secure Collaboration

Supply Chain Traceability

Supply Chain Insights

Industry Applications and Services

Content Cloud

Document Management

AI Content Management

Capture and Intelligent Document Processing

Process Automation

Business Integrations

Information Archiving

Industry Solutions

Information Governance

Cybersecurity Cloud

Application Security Testing

Data Security

Security Operations

Identity and Access Management

Digital Forensics and Incident Response

DevOps Cloud

DevOps Platform

Functional Testing

PPM and Strategic Portfolio Management

Quality Management

Performance Engineering

Experience Cloud

Web & Mobile Experiences

Contact Center Analytics

Messaging & Fax

Customer Communications

Digital Asset Management

Customer Journey and Data

Observability and Service Management Cloud

Service Management

Observability

AIOps

Automation and Vulnerability Remediation

CMDB and Asset Management

OpenText™ Thrust

OpenText™ Thrust bundle

Device and Data Protection

Enterprise Data Backup and Disaster Recovery Solutions

Unified Endpoint Management Tools

Hybrid Work, Email, and Team Collaboration

Email Archiving, E-Discovery, Data Archiving Compliance

Connectivity and Document Management

Information reimagined

Artificial Intelligence

Industry

Enterprise Applications

Your journey to success

Customer Support

Customer Success Services

Consulting Services

Cloud Migration

NextGen Services

Latest product releases

Learning Services

Managed Services

Find an OpenText Partner

Find a Partner Solution

Grow as a Partner

Resource library

Blogs

Events

Communities

Customer stories

OpenText Navigator

Marketplace

Fortify is central to all software development at the credit
group by ensuring every code component is checked
and corrected on the fly before it goes into production.