
Case study

Novagalicia secures critical applications with HP Fortify
Spanish bank values accuracy, ease of use, flexibility, and speed of cloud-based solution
Industry
Financial services

Objective
Quickly and accurately assess the security of diverse applications resulting from a recent merger

Approach
Deploy the HP Fortify on Demand security-as-a-service testing solution

IT matters
Rapidly analyzes code written in a large number of programming languages
Provides line-of-code-level detail with suggestions on how to remediate vulnerabilities
Increases security awareness of the development staff

Business matters
Enhances compliance posture for internal and external audit, including PCI
Enables the bank to start small and grow as required to meet business requirements
Cloud-based model eliminates the need to invest in dedicated hardware and software for application security

"HP Fortify on Demand not only helps us improve application quality in terms of security, it also increases our developers' awareness of security issues and use of best practices, a key component of PCI compliance."
Roberto Baratta, CISO, Novagalicia Banco

Strong code analysis solution

Two years ago Novagalicia Banco, the trading name of NCG Banco, S.A., a Spanish bank based in Galicia, was created as the result of a merger between the Caixanova and Caixagalicia savings banks. For CISO Roberto Baratta, it was déjà vu all over again. A security professional with more than 11 years' experience in the financial services industry, Baratta had been through many such mergers. He knew that trying to assess and improve the security of the discrete applications coming from myriad sources would be a daunting task. After evaluating multiple options, Baratta chose the security-as-a-service (SaaS) testing solution HP Fortify on Demand to handle the job.

Case study | Novagalicia Banco

The IT department performed a rapid integration over the course of six to eight months. One of the main challenges in integrating the IT systems of the two different companies was to rationalize all the legacy, new, third-party, and in-house applications. Baratta knew the first steps were to identify the scope of the applications, collect pertinent information, and test the level of security in the code. Going forward, Novagalicia Banco will extend the access and authorization control to all applications.
The way forward

In its exercise of due diligence, the bank designed a comprehensive proof of concept (PoC) to check a piece of two applications: the corporate website and online banking. Three different vendors were asked to explain and demonstrate their solutions and perform a real analysis on-premise. The PoC made it clear that HP Fortify on Demand would meet the bank's requirements very well in terms of usability and accuracy. The capacity and flexibility of the HP solution also stood out: "Some of our needs were based on personalized flavors of programming environment, such as Java," Baratta says. "HP Fortify on Demand was able to analyze all of this code with minimal adaptation." The large number of programming languages supported by HP Fortify on Demand is a key benefit for Novagalicia Banco.

The bank has already started running ad hoc analyses on the source code of its approximately 400 applications, starting with critical areas such as mobile banking, e-banking, payment gateways, corporate websites, and wire transfer. Once this assessment is complete, Baratta and his team will meet with the development groups to agree on specific application security and code quality goals. "We will plan an application source code review for each new development, or significant update of current applications, before going into production," he says. This includes extending the scope of the kind and number of applications scanned, including financial and department applications.

Over time, HP Fortify on Demand will be fully integrated into the software development lifecycle, such that programmers can use the solution as part of their daily routine. "Once it has been implemented into the developers' desktop environment, we will increase the awareness of secure design and programming, and involve the development teams more in security by design processes," says Baratta. Novagalicia Banco also plans to require third-party code providers to scan their applications for possible vulnerabilities.


Key benefits

Of the many important benefits that HP Fortify on Demand provides for Novagalicia Banco, one of the most important is a function of the solution's SaaS model. "We use the solution as an automated, on-demand service, and we love it," says Baratta. "The security-as-a-service approach was a very important factor when we were considering our alternatives. In evaluating various solutions, we found the quality of service to be really impressive with HP Fortify on Demand."

The SaaS model gives Novagalicia Banco the flexibility to start in a very focused manner and grow as necessary, without making a dedicated investment in hardware and software. "It is perfect for us," continues Baratta. "We are starting small; however, we fully expect to incorporate HP Fortify on Demand as an integral part of the lifecycle design. In the future we may even implement the functionality on-premise, but for now, the flexibility of the SaaS model is very valuable to us." Baratta adds that HP Fortify on Demand drives productivity enhancement for Novagalicia Banco by reducing the amount of supervision related to application logs and controls.

On-premise HP security experts effectively augment Baratta's in-house resources in all phases of the project. "The most valuable service they provide is to correct and simplify the reports," says Baratta. "This gives us a human expert view that makes it possible to reduce the time and effort we need for interpretation of the results." HP Services also supports several business processes for the company, including the help desk, business process outsourcing, and the Security Operations Center. Adds Baratta, "HP is a critical partner for Novagalicia Banco."

Focus on application security

HP Fortify on Demand plays a key role in compliance, as well. "We always try to demonstrate value to the business with any project we undertake," says Baratta. "When we started to evaluate application security solutions, we realized that a significant value-add would be enhanced compliance with internal and external audits, including Payment Card Industry (PCI) requirements. HP Fortify on Demand not only helps us improve application quality in terms of security, it also increases our developers' awareness of security issues and use of best practices, a key component of PCI compliance. The solution has definitely increased our level of compliance in PCI and other requirements."

Baratta has found HP Fortify on Demand very easy to use. "We work with the different development groups to create a calendar for uploading the code," he explains. "Then we schedule meetings in which my staff and the developers perform the analysis. It is a very collaborative process: They submit the code together, and they review the results together. My staff is really happy with this solution."

Assessments are delivered in a report featuring a consistent five-star rating system, typically in one day. Results are correlated and prioritized by severity and exploitability. Issues identified include line-of-code-level detail with suggestions on how to remediate the vulnerabilities that are detected.


Customer solution at a glance

Solution
HP Fortify on Demand

HP services
On-premise staff augmentation


HP Fortify on Demand has already resulted in a positive impact on the overall organization. The quality of applications has increased, with fewer errors and less need for support. Baratta's assessment also shows a reduction in information and technology risk across the bank's application environment.

Learn more at hpenterprisesecurity.com

As the threat landscape continues to evolve and change, so too does the area of focus for Novagalicia Banco and similar institutions. "In the past we fought at the perimeter, and we are still fighting there," concludes Baratta. "But the main concern now is application security. The number and complexity of applications has increased significantly in the last few years, as we strive to quickly deliver new services to our customers. This is clearly an area of vulnerability. I feel very comfortable that HP Fortify on Demand can help us counter this growing threat effectively and, with no hardware or software to deploy or maintain, quite affordably."


Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA4-6609ENUS, July 2013
