Gear Up for DORA: Prioritizing Application Security in the EU's Digital Operational Resilience Act

15/03/2024
Cybersecurity isn’t just a concern anymore – it’s a major economic threat. Financial institutions within the European Union (EU) are prime targets, experiencing relentless attempts to compromise their systems. It’s against this backdrop that the Digital Operational Resilience Act (DORA) has emerged – a regulation designed to transform how the financial sector guards against and overcomes the ever-evolving cybersecurity threat landscape. At the heart of DORA compliance lies a concept often given too little attention: Application Security.

The Importance of Application Security in the Context of DORA

DORA places a strong emphasis on the secure design, development, deployment, and maintenance of IT systems. Article 6 highlights the need for comprehensive “security policies, tools, and procedures” tailored to safeguard the critical assets that power financial services – those include the very applications at the heart of digital operations. Secure development is now becoming a must-have requirement.
The truth is that flaws tucked away within application code often give criminals the foothold they need to wreak havoc. When applications fail, everything falters. In today’s world, banking and financial services depend upon a complex, diverse, and interconnected landscape of applications. From customer-facing transactions to internal back-end processes, any insecurity in these systems becomes a door for exploitation with widespread impact:
Data Breaches and Sensitive Information Exposure: Poorly secured applications that handle financial data are targets for data theft. DORA, alongside GDPR, places strict obligations on the safeguarding of data, so application security breaches also become regulatory risks.
Fraud and Disruption: Attackers exploiting insecure applications can disrupt normal operations. This could be ransomware, locking core systems for extortion, the manipulation of business flows, or even the injection of fraudulent transactions.
Domino Effects and Systemic Concerns: The interconnected nature of the financial sector raises the stakes. Attacking a single institution’s applications could potentially affect linked or dependent systems. DORA aims to minimize these potential ripple effects, where strong application security acts as a first line of defense.
Achieving DORA’s goals hinges on secure code. Article 25 speaks directly to how application security testing supports the regulation’s core objectives: bolstering detection, containment, and recovery capabilities so that digital operations remain resilient when the inevitable ICT incidents occur. Strong application security is pivotal to reaching this level of resilience.

Key Principles for Strengthening Application Security

Our experience in helping financial institutions develop and maintain secure code boils down to the following mantra: “You can’t develop secure code without high-quality standards, and you can’t have high-quality code without embedded security.”
A sound application security posture encompasses more than fixing flaws once they surface. Robust software engineering practices that promote security by design are vital for sustaining resilience in the face of ever-evolving threats.
Security-by-Design: Prevention Starts at the Source (Code): Proactive security doesn’t happen late in the process. This means:
  • Secure Coding Standards: Establishing coding guidelines like OWASP secure coding standards minimizes the introduction of common vulnerabilities like SQL injection and cross-site scripting (XSS).
  • Threat Modeling: Take security into consideration from the first design draft. Identify potential attack vectors against your application early, so that the findings shape the code and system architecture in security-positive ways.
  • DevSecOps: Make security part of development with automated tools integrated into the software development lifecycle (SDLC), catching issues from the initial coding to release.
Rigorous Testing: Find Those Flaws Before Attackers Do: Don’t rely on a single security testing tool to identify flaws. Various case studies have demonstrated that a layered testing approach yields the best results:
  • Static Application Security Testing (SAST): Analyze source code without running it to reveal potential problems like buffer overflows or hardcoded secrets.
  • Dynamic Application Security Testing (DAST): Simulate attacks on the running application to uncover runtime vulnerabilities, often targeting web-based applications.
  • Penetration Testing: Employ security experts to execute targeted, real-world attack scenarios. These comprehensive tests expose hidden vulnerabilities and business logic flaws.
Beyond Release: Monitor, Maintain, Respond: Application security doesn’t end at deployment. Software development teams need to practice secure coding in a continuous manner, establishing the foundation for software security and quality:
  • Continuous Monitoring: Analyze application logs for suspicious activity or performance anomalies that could hint at compromise or vulnerabilities being exploited.
  • Patch Management: Keep an eye on third-party libraries and core applications; patch promptly when security updates are released.
  • Incident Response: Don’t just react – have a defined, practiced plan for managing incidents involving stakeholders at relevant levels, ensuring swift action to contain and mitigate security breaches.

DORA Compliance: Building a Sustainable Application Security Action Plan

While DORA’s compliance deadline of January 17, 2025, might seem far off, developing robust application security is a dynamic process. Take these steps now, iterating as you refine your approach:
Immediate Actions
  • Assessment: Evaluate your current application landscape. What critical apps are a priority for DORA compliance? Use vulnerability scanning tools, such as the ones in the SAST category, to establish a baseline of existing security issues.
  • Remediation: Begin addressing existing flaws with a risk-based approach. Prioritize critical issues in applications handling high-value transactions or sensitive data.
  • Initial Testing: Engage in vulnerability scans and consider a targeted penetration test as a benchmark for current strength.
Ongoing Development and Integration
  • Secure Coding and DevSecOps: Train developers on secure coding standards. Adopt tools (SAST, SCA tools) to automatically catch common security pitfalls throughout the development process.
  • Culture Shift: Security must become second-nature across your organization. Invest in employee awareness training and foster open communication around security.
  • Robust Testing Cadence: Schedule regular DAST scans and targeted penetration tests. Combine findings from SAST and DAST tools to get a comprehensive awareness of app vulnerabilities and areas of improvement. Incorporate lessons learned into future development sprints.
Sustained Focus and Evolution
  • Partner for Expertise: Engage external advisors for assistance with specific technical testing, policy design, or addressing skills gaps on your team.
  • Monitoring and Response Readiness: Implement logging, anomaly detection tools, and proactive application monitoring to react to potential threats faster. Develop and regularly rehearse your incident response plan.
  • Continuous Improvement: Staying ahead of threats means keeping up with best practices and adjusting tools and procedures as needed. Budget for ongoing training and upskilling of your teams.
DORA compliance isn’t the finish line. View it as the catalyst for a long-term investment in a holistic security model where resilience is central to the success and health of your financial institution.

How code4thought can Help

Now is the time to engage with expert firms like code4thought and adopt proven best practices to solidify your institution’s cybersecurity posture. DORA compliance can be complex, but code4thought’s software security services make it simpler.
  • Our deep-dive security assessments, including detailed vulnerability analysis and the mapping of security characteristics to application security properties, allow us to identify both current and foreseeable weaknesses and to deliver prioritized recommendations for risk mitigation.
  • Combined with leading expert consultancy and powered by the Sigrid platform, we provide proactive ‘shift-left’ strategies to bring security into the earliest stages of software development.
  • Along with actionable roadmaps to address vulnerabilities, we offer ongoing monitoring and advisory support to develop secure-by-design applications and ensure your financial institution stays ahead of evolving DORA requirements and safeguards critical data.
Complying with DORA while simultaneously confronting relentless cyber threats demands a firm grasp of application security. Secure coding is an essential component of good software engineering practice, increasing the business value of a financial institution through compliant, high-quality digital assets. While some hurdles exist, the benefits speak for themselves: reduced risk, improved resilience, and protected customer data are the cornerstones of a thriving, trustworthy financial institution.