The Spanish bank NCG Banco in Galicia is using Hewlett-Packard's Fortify service to test the soundness of its applications.
The two-year-old company, which does business as Novagalicia Banco, was created by the merger of the savings banks Caixanova and Caixagalicia.
Roberto Barrata, NCG's chief information security officer, said regulators' pressure on banks to strengthen their balance sheets was one impetus behind the merger. And frugality was behind the bank's decision to use Fortify.
Hewlett-Packard sends bank employees detailed reports of the vulnerabilities of their recently created apps after they upload their code to the cloud.
Right now Novagalicia Banco is using Fortify for its consumer-facing online and mobile banking apps. A larger rollout that will include apps used internally is to be completed by the end of next year.
Novagalicia Banco is wrestling with the same budget constraints that face American banks. It cannot afford to hire the talent it takes to give applications a thorough internal scanning for security vulnerabilities.
"Capital is key right now," says Mark La Penta, a practice manager and senior consultant at CCG Catalyst Consulting Group. "So if I can reduce my use of capital from either buying or building software I get to keep my capital in the company."
Most banks, La Penta says, prefer to focus on banking. That means building as little software as possible while satisfying the financial needs of customers who are increasingly using mobile phones, tablets and other technology to conduct banking transactions.
And it's not as if banks can skimp on security.
"The developers that are building these banking apps and transaction processing software are building them for features," says Mike Armistead, a Hewlett-Packard vice president and general manager in charge of enterprise security products. "They are trying to get new features out there and reach more customers," Armistead says, "and they don't necessarily think about security."
