Singapore MAS TRM Compliance and Application Security

Developed by the Monetary Authority of Singapore (MAS), the Technology Risk Management (TRM) Guidelines give financial institutions (FIs) in Singapore a solid baseline for robust technology risk management, system security, reliability and resilience, with the aim of protecting customer data, transactions and systems.

Monetary Authority of Singapore, technology risk management guidelines


The FI should conduct penetration testing prior to the commissioning of a new system which offers internet accessibility and open network interfaces. The FI should also perform vulnerability scanning of external and internal network components that support the new system.


Vulnerability assessment (VA) is the process of identifying, assessing and discovering security vulnerabilities in a system. The FI should conduct VAs regularly to detect security vulnerabilities in the IT environment.


The FI should deploy a combination of automated tools and manual techniques to perform a comprehensive VA. For web-based external facing systems, the scope of VA should include common web vulnerabilities such as SQL injection and cross-site scripting.


The FI should establish a process to remedy issues identified in VAs and perform subsequent validation of the remediation to validate that gaps are fully addressed.


The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.

ImmuniWeb® Products for Singapore MAS TRM Compliance

Application security and compliance start with visibility. You cannot protect what you don't know. Therefore, we recommend starting Singapore MAS TRM compliance with asset discovery and inventory.

ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets and assigns each asset attractiveness and hackability scores. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive and up-to-date inventory of your assets, you are ready to start well-informed, risk-based application security testing.

For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand. For iOS and Android mobile apps and their backend (e.g. API or REST/SOAP web services), we provide all-inclusive testing with ImmuniWeb® MobileSuite.

For the most critical applications that directly impact your Singapore MAS TRM compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.

All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positives SLA.

ImmuniWeb® Discovery - Application Security Score Card (Web, Mobile, API, Cloud)
ImmuniWeb® MobileSuite - One-Time Mobile Audit (Mobile, API, Cloud), from $1,499
ImmuniWeb® On-Demand - One-Time Web Application Audit (Web, API, Cloud), from $499
ImmuniWeb® Continuous - 24/7 Web Security Testing (Web, API, Cloud), from $1,199 / month