When headlines report the latest cyberattack on a supermarket or department store, concerns naturally shift to what – or who – might be next. Anyone who has forgotten their online banking password can attest to the rigour of banking security, but recent incidents have brought the issue uncomfortably close to home. Just last month, the […]
When headlines report the latest cyberattack on a supermarket or department store, concerns naturally shift to what – or who – might be next.
Anyone who has forgotten their online banking password can attest to the rigour of banking security, but recent incidents have brought the issue uncomfortably close to home.
Just last month, the US Department of the Treasury’s Office of the Comptroller of the Currency (OCC) suffered a “major incident” in which employee emails containing “highly sensitive information” were compromised. Meanwhile, cybercriminals managed to steal more than 100 staff logins from employees at four of Australia’s largest banks.
Keeping ahead of security threats through early detection, automation, and business alignment is essential, says Beatrice Sirchis, vice president and head of application security and vulnerability management at New York-based IDB Bank.
Sirchis oversees application security for all of the bank’s systems, both on-premise and in the cloud.
“Any new application that’s going live goes through a security review and assessment by my team,” she says.
“We do code scanning, web application scanning, API reviews, and overall application assessments to ensure everything is secure.”
Her team’s efforts are supported by a vulnerability management programme that she built from the ground up.
Before the programme’s implementation, IDB faced a host of common but critical challenges: misconfigured systems, poor password practices, and inconsistent user and account management.
“We had to scan for vulnerabilities in the code, review how applications were managed, and ensure we covered all environments – production, quality assessment, pre-production, etc.,” she says.
Operating in a hybrid IT environment within a highly regulated industry, the team also struggled to track and verify that all assets were running the correct security and IT agents, and had difficulty reporting key performance indicators (KPIs) to cross-functional leadership.
Today, the bank benefits from a structured framework bolstered by automated scanning tools and close collaboration between security and development teams.
A key enabler in that transformation has been Qualys Cybersecurity Asset Management (CSAM), which Sirchis discovered had already been installed but remained unused.
She recalls consulting Gartner’s recommendations, finding “Qualys was rated for vulnerability management,” she says. After properly configuring the tool, it became central to the bank’s application security and broader risk mitigation efforts.
The results, she added, are evident: “We now have 100% visibility into application vulnerabilities. We’ve reduced vulnerabilities across production and non-production environments by about 80%, because we’re catching issues early in the development lifecycle,” she says.
What it did to secure
Scaling vulnerability management across a growing, increasingly cloud-native infrastructure remains a major challenge for financial institutions.
At IDB, CSAM now provides asset visibility across on-premises, cloud, and internet-facing systems. This enables proactive tech debt management and continuous risk assessment.
“We run scans, share findings, and then re-scan to ensure all high and critical issues are fixed before applications go live,” says Sirchis.
“Once in production, apps are scanned regularly using different profiles based on their risk level and exposure.”
The programme includes scanning profiles for known high-risk vulnerabilities such as Log4Shell and Spring4Shell, and also checks for personally identifiable information (PII) in customer-facing applications.
One benefit, Sirchis notes, is how tailored the output from Qualys is for its audience: “The reports don’t just list the findings. They explain what they mean and how to fix them, which is important since developers aren’t usually security experts,” she adds.
Automation of remediation workflows has also made a big difference. IDB has integrated Qualys with its ServiceNow platform, enabling automatic assignment of vulnerabilities to the appropriate application or infrastructure owner.
According to the bank, this shift has reduced the mean time to remediation from an average of 30 days to as little as one to two.
“We’ve also saved more than 80% of the time previously spent by developers and security teams,” says Sirchis.
“Reports are now customised and automated, whether they’re for fixing issues or for reporting to senior management on the security posture.”
The platform is evolving as well. Qualys recently added software composition analysis (SCA) to detect vulnerabilities in third-party libraries, such as those in Java, .NET, or Node.js.
“We’re now testing that feature and have already found valuable insights that helped us fix issues we didn’t even know existed,” she says.
As cyber threats continue to evolve, so do Sirchis’s priorities: “First, I want to make software composition analysis part of our regular process,” she says.
“Second, we’re planning to integrate web application vulnerability scanning with ServiceNow. This will allow us to automatically assign vulnerabilities to the relevant application owners, just like we’ve done with infrastructure vulnerabilities.”
Her third priority is extending security to APIs, which she describes as “among the top attack vectors, especially as they handle sensitive customer data.”
