In-Depth

Project reduces false alerts

HONORABLE MENTION: Application Management and Deployment

When Dallas-based financial firm Paymentech, owned by Bank One and First Data Corp., needed to ensure that its online payment applications for bankcard merchants would run more securely, efficiently and profitably, it turned to the Web application scanner ScanDo 2.0 from KaVaDo. With more than $123 billion in transactions annually, Paymentech had much at stake and needed strong protection for its confidential information. And as a financial institution, the firm is required by the Gramm-Leach-Bliley Financial Modernization Act of 1999 to protect consumers' personal financial data.

Although the three-person security development team was skilled at manual penetration testing, it found hand-testing every application an inefficient use of its time. So the team set out to find a software product that would automate the testing and penetration of the Web apps.

After sifting through the competition, the team selected ScanDo because of its AutoPolicy integration with KaVaDo's Web application firewall, InterDo. AutoPolicy is said to make the firewall's enforcement more precise by building its policy from the application structure and parameter attributes identified by assessment scanners and other trusted sources, rather than relying on generic attack signatures alone. ScanDo evaluates Paymentech's Web apps by systematically crawling and probing each application and its operating environment to find security holes. The scanner records the application's structure and contents, assesses them, identifies susceptibility to known classes of attack, and reports the results in graphical or textual form.
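As an added illustration of the idea behind scanner-driven firewall policy (this is not KaVaDo's code, and it does not describe how AutoPolicy is actually implemented), the Python below takes a constructed crawl result of the kind a scanner records, namely endpoints, methods and the value shapes of each parameter, and derives a positive-security allow-list from it. It then checks three constructed requests against both that allow-list and a crude signature list, to show why a policy derived from the application's real structure produces fewer false positives than signature matching alone. Every endpoint, shape and request here is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed crawl result standing in for what an assessment scanner records
# about an application: each endpoint with the parameters and value shapes it
# observed. Hypothetical endpoints, not any real payment application.
CRAWL = [
    {"path": "/pay/authorize", "methods": {"POST"},
     "params": {"merchant_id": "digits", "amount": "money",
                "card_last4": "digits", "memo": "text"}},
    {"path": "/pay/status", "methods": {"GET"},
     "params": {"txn_id": "hex"}},
]

# Value shapes a scanner can infer from observed traffic, as allow-list rules:
# shape name -> (regex for the whole value, maximum length).
SHAPES = {
    "digits": (r"[0-9]+", 16),
    "money": (r"[0-9]+(\.[0-9]{2})?", 12),
    "hex": (r"[0-9a-fA-F]+", 32),
    "text": (r"[^<>]*", 80),   # freeform text, but no angle brackets
}

# A crude signature list of the kind a negative-model firewall applies to every
# parameter regardless of what the application expects there.
SIGNATURES = [r"'", r"--", r"(?i)union\s+select", r"(?i)<script"]


@dataclass
class Policy:
    # (method, path) -> {param name: (compiled regex, max length)}
    rules: dict = field(default_factory=dict)


def build_policy(crawl):
    """Derive a positive-security policy from the scanner's structural model."""
    policy = Policy()
    for ep in crawl:
        for method in ep["methods"]:
            policy.rules[(method, ep["path"])] = {
                name: (re.compile(r"^(?:%s)$" % SHAPES[shape][0]), SHAPES[shape][1])
                for name, shape in ep["params"].items()
            }
    return policy


def check_positive(policy, method, path, params):
    """Allow-list model: return (allowed, reason) for one request."""
    rules = policy.rules.get((method, path))
    if rules is None:
        return False, "unknown endpoint %s %s" % (method, path)
    for name, value in params.items():
        if name not in rules:
            return False, "unexpected parameter %r" % name
        regex, maxlen = rules[name]
        if len(value) > maxlen:
            return False, "%s exceeds %d chars" % (name, maxlen)
        if not regex.match(value):
            return False, "%s does not match expected shape" % name
    return True, "ok"


def check_signatures(params):
    """Negative model: flag any value that matches an attack signature."""
    for name, value in params.items():
        for sig in SIGNATURES:
            if re.search(sig, value):
                return False, "signature %r in %s" % (sig, name)
    return True, "ok"


# Constructed requests: one legitimate (a merchant name with an apostrophe),
# one injection attempt in a numeric field, one probe with an undocumented parameter.
REQUESTS = [
    ("POST", "/pay/authorize", {"merchant_id": "12345", "amount": "19.99",
                                "card_last4": "4242", "memo": "O'Brien & Sons invoice"}),
    ("POST", "/pay/authorize", {"merchant_id": "1 OR 1=1", "amount": "19.99",
                                "card_last4": "4242", "memo": "test"}),
    ("GET", "/pay/status", {"txn_id": "abc123", "debug": "1"}),
]


def evaluate(crawl=CRAWL, requests=REQUESTS):
    """Return [(positive_allowed, signature_allowed), ...] for each request."""
    policy = build_policy(crawl)
    results = []
    for method, path, params in requests:
        pos_ok, _ = check_positive(policy, method, path, params)
        sig_ok, _ = check_signatures(params)
        results.append((pos_ok, sig_ok))
    return results


if __name__ == "__main__":
    policy = build_policy(CRAWL)
    for method, path, params in REQUESTS:
        print(method, path, "positive:", check_positive(policy, method, path, params),
              "signatures:", check_signatures(params))
```

The first request is legitimate but the signature model rejects it because of the apostrophe in the memo (a false positive); the allow-list accepts it because the scanner saw that field as freeform text. The second and third requests carry nothing the signature list recognises, yet the allow-list rejects both, because a numeric field is not allowed to hold `1 OR 1=1` and the crawl never observed a `debug` parameter.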

Because Paymentech entered the project with little experience of Web app scanning, the project's goals changed along the way. As the team gained experience, it learned more about the available products and how they fit into its environment.

ScanDo, together with the InterDo firewall it feeds, now provides frontline security for Paymentech's online payment apps. Without adequate protection of this confidential data, Paymentech would lose revenue, reputation and customers; the company estimates that 20 seconds of downtime could cost $7,000 in lost business. Implementing ScanDo has given Paymentech more secure mission-critical Web apps, fewer false-positive security alerts to chase, and more efficient use of its IT staff's time.

One of the most significant challenges the team faced was scheduling. Because credit card processing runs 24x7, there was no maintenance window in which to load and test the product. The team went live during a period of minimal usage, testing the software while the automated tools simultaneously protected the applications that remained online.

The implementation took approximately 40 person-hours spread over two months. ScanDo has since become a daily tool for Paymentech, a sign that the project succeeded.

"Everyone sleeps better at night knowing that our app area is as secure as it can be," said Bill Kline, senior security engineer for the project. "The KaVaDo suite radically changed the way we guard our Web apps. Now we have a proactive strategy for discovering and addressing vulnerabilities."

APPLICATION PROFILE
Project: Application Security Project

Purpose: To run the online payment applications used by bankcard merchants more securely, efficiently and profitably.

Benefits: Secure Web applications, fewer false positive security alerts, more focus on true priorities.

TOOLS
KaVaDo ScanDo, KaVaDo InterDo

DEVELOPMENT TEAM
Bill Kline, Chris Cross, Shawn Shiffelt

About the Author

Lana Gates is a freelance writer based in Mesa, Arizona. She can be reached via e-mail.