[ISN] Bank aims to link scanning and patching

InfoSec News isn at c4i.org
Tue May 4 07:20:57 EDT 2004


By Bill Goodwin 
Tuesday 4 May 2004 

Standard Chartered Bank is developing technology to speed up and
prioritise its patching processes, as pressure grows to protect
systems from new vulnerabilities before hackers can exploit them.

The bank is concerned that the time between new vulnerabilities being
discovered and hacking tools which exploit them appearing on the
internet has fallen from weeks to hours, leaving IT systems more
exposed than ever.

Standard Chartered is developing a security system that will combine
risk analysis of its networks and software with vulnerability
scanning, allowing it to prioritise patching to the most
business-critical systems.

The system, which it hopes to have in place by the end of the year,
will eventually model the behaviour of security threats, such as worms
and denial of service attacks. It will automatically identify which
systems are likely to be most vulnerable when a new threat appears.

Standard Chartered has spent the past 12 months developing a risk
database, dubbed "Riskwise", to build up a profile of the risks
associated with each new software development.

The database covers 50 of the bank's 450 applications and it will be
extended to cover the remaining legacy systems by the middle of next
year, said John Meakin, group head of information security at the

Standard Chartered plans to integrate the database with its Qualys
vulnerability scanning system to create a system capable of
identifying vulnerabilities and prioritising repair work.

"We want to have a comprehensive picture of risk. When a zero-day
attack comes along, you need that kind of modelling," said Meakin.
