Kevin Jarnot, chief technology officer of The Debt Exchange, knows this all too well. His Boston-based firm helps facilitate the buying and selling of loans between financial organizations by giving them a platform to share relevant contractual information.
"We help them create liquidity in these portfolios by making it easy for them to post their information to our online exchange," says Jarnot.
Banks send loan information and documents to The Debt Exchange's underwriters, who go through these volumes of papers, clean them up, and post PDFs and searchable information onto their secure site.
"All of this information is made available online to buyers," he says "They can then punch down and see details of these loans, and actually read the loan documents online. It makes it easy for them, so they don't have to go flying around all over the place."
While The Debt Exchange does not handle any transactions, banks place a great deal of trust in the company by allowing it to store voluminous amounts of sensitive customer information in its databases.
"We're dealing with some of the biggest banks in the world and they are incredibly security-conscious," he says. "So we want to make sure we have state of the art security. Every time there is a new kind of security assessment that can take place, we're there."
One area where Jarnot and his company recently focused their security efforts was scanning the web application that acted as a portal to these pools of information. He'd heard good things about the Hailstorm software product from Cenzic and was eager to take advantage of the swiftness with which the product scans for problems, and the wider range of tests it performs compared to competing solutions.
Mandeep Khera, vice president of marketing at Cenzic, explans that the product's breadth often piques customer interest. "Most of the solutions out there focus on three things: buffer overflow, SQL injections and cross-site scripting," he says. "But because of the way we have architected the project, we are able to do things like test for session hijacking. That, believe it or not, is such a common problem that we were really shocked that so many people have not taken care of that. And the only way you can test for those things is if you do it at a browser level by maintaining the state of the application."
Other non-traditional vulnerabilities that the product checks for include phishing vulnerabilities, weak passwords, whether a site has privacy policies on every page, and other application logic issues, Khera says.
All of this looked good to Jarnot, but he had some challenges — he didn't want to have to do the testing in-house, and he didn't want to spend a lot of money.
"I wanted somebody to actually do the scans for us," he says, "and there were very few companies out there that actually performed this type of service. You deal with third-party consultants who use whatever software's available."
Fortunately, he found that Cenzic had just launched its ClickToSecure service, a software as a service (SaaS) that would allow him to have the scans done remotely. The biggest bonus, he says, was that the option was significantly cheaper than any other comparable service.
"I'm always looking for the best deals any time we deal with a third party, and they were at least half to a third the cost of some of the other companies that perform this type of service," he says.
Getting the scans done took very little effort on his part. Because the company didn't want testing done on production machines, his team mirrored the site onto a new server. From there all it took was providing a link to Cenzic and opening a port in the firewall to give the company access.
The results were valuable enough to The Debt Exchange for it to begin making remediations immediately. While the company has used the service only once so far, Jarnot says that plans are in the works to perhaps schedule the service semi-annually or quarterly.
In the meantime, he is able to appease his customer base with another thorough set of security tests under his team's belt. "Most of the banks we're dealing with want to have a security assessment done," he says. "So as part of the security audit we talk about the types of security testing we've done. This is one of the tests that we can say we've completed."