Managing Credit Union AppSec Compliance

Provident is a financial institution serving the needs of 125,000+ members primarily located in the San Francisco Bay Area region. Provident is primarily focused on serving retail consumer banking needs through their 21 location community branch network, ATMs located throughout the country and internationally, along with their online web and mobile banking systems.

Provident utilizes several third party vendors to deliver their mobile and web banking applications. Prior to the implementation of Data Theorem’s mobile solution, Provident relied on the same third-party vendor for security application, maintenance, and ongoing improvement to protect the data and personal financial information of their entire member base, even leveraging these vendors for internal and external auditor questions.

The Challenge

Provident Credit Union is located in Silicon Valley, where some of the most technically-advanced consumer base on the planet is located. This user base expects the very best when it comes to technology and ease of use and go further to demand, deserve, and expect the best security. Provident needed a method to validate the security of their third party vendor applications that were being used to deploy their mobile and web banking applications. Their third party vendors would provide audit material on an annual basis and were generally available for internal and external audits, but Provident needed to do more and provide a higher level of protection for their member’s personal financial information. Provident wanted to add an additional layer of security with continuous scanning of their mobile and web banking applications, along with integrated security reviews as part of their application deployment process.

Past Alternatives

Before Data Theorem, Provident relied on audit material from their third party vendors who were not always equipped with the latest security methodologies and practices. Even using other penetration testing reports to ensure the stability and protection of their mobile and web banking applications was not enough. Provident did not always utilize a security specialist to validate the effectiveness of their security systems and was totally reliant on the third party vendor to maintain the security of their members data.

The Solution

Data Theorem provides the tools needed to tackle any kind of AppSec compliance challenge, as well as the reporting to provide to internal and external auditors that track the number of issues, why some alerts were prioritized over less critical alerts, how the issues were resolved, and how long it took them to get resolved. The partnership also provides peace of mind that they have security experts that are helping them to mitigate risk, decrease stress on staff, and streamline operations.

The Results

Compliance

While compliance and regulations change over time, remaining compliant and proactive are no longer an issue that the IT team has to spend much time on. Providing Slack integration and alerts, along with secure code fixes, paves an easy road for the data science and development team to handle quickly.

Pen Testing

Pen testing is a critical component in any comprehensive security plan. Having continuous pentesting and hacking tools to thoroughly check defense perimeters is an advantage that paves the way for our business to keep running and growing.

Security Expertise

Data Theorem now alerts Provident when there are issues in question that the third party vendor may not consider critical, along with citing specific hacks that they may be susceptible to so that attacks can be avoided.