Providing pragmatic cybersecurity advice to ensure security principles are built into the foundation of a new digital platform
Our client, the business banking division of a major bank, initiated a programme to build a new digital platform to support its small-and-medium-sized enterprise (SME) customers. The platform aimed to deliver a mobile application providing banking customers with a holistic view of their business across their financial accounts, including flexible access to banking products and other financial services.
Mason Advisory had defined the operating model for development of the digital platform and mobile application, using a truly Agile model, and was asked to continue supporting the solution as it was developed, using SecDevOps practices. SecDevOps is a practice that aims to integrate security into every aspect of the application life cycle, from design through development, testing and production to ongoing operations.
As the new fintech entity was intended to be separate from the main bank, there was an additional requirement to evidence the technology security elements of the application to the Financial Conduct Authority (FCA) in order to obtain the relevant licences to operate as a payment and lending institution.
Mason Advisory was asked to provide cybersecurity support to define the security strategy for the new organisation and act as Head of IT Security. We also acted as a technical security architect to embed expertise within the SecDevOps team, ensuring developers created products with security in mind from the outset.
To drive a security-aware culture, we defined the concept of security champions within the team, held a series of rapid risk assessments and developed security ‘abuse cases’ to ensure that code was written with common mitigations in mind.
By integrating with the development team, we secured the continuous integration and continuous delivery (CI/CD) pipeline and hosting infrastructure from the outset. This included integrating static and dynamic security testing tools into the pipeline, applying suitable PaaS controls, and aligning the application’s security to the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS).
Building security from a greenfield state, we adopted the National Cyber Security Centre’s 10 Steps framework to ensure that all aspects of people, process and technology were given basic security hygiene measures. Additionally, as part of the technology governance framework, we provided a set of overarching policies and procedures to support the organisation’s IT security during its development.
We delivered the security input into the FCA licence to operate, providing detailed responses to the FCA to articulate and assure the use of cloud services.
To ensure that the new fintech business could continue to grow without long-term consultancy support, we also supported the client in making the transition to a full-time in-house security architect and embedded security engineering capability within the SecDevOps team.
After their initial product launch, the organisation continues to grow at pace. The security strategy has provided a stable reference for development of the new digital platform and the wider fintech organisation.
Key outcomes included:
- delivering risk reduction initiatives, such as ensuring suitable encryption, access and integrity measures are integrated into the CI/CD pipeline
- promoting an Agile, secure, co-ordinated and future-proof plan for IT design within a rapidly growing organisation
- providing board-level assurance for strategic security initiatives while ensuring application usability is not restricted
- providing security input into the FCA licence submissions
- aligning enterprise information security to NCSC guidelines.