Total Tests:
This Week:
Today:

NYSDFS 23 NYCRR 500 Compliance and Application Security

Developed by the New York State Department of Financial Services (NYSDFS), 23 NYCRR 500 is a set of regulations and
a NY state law that imposes interrelated cybersecurity requirements on financial institutions
and insurance companies based in, or licensed to operate, in NY State.

New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies

NYSDFS 23 NYCRR 500 imposes various data protection, privacy and security testing requirements on all companies that must adhere to it. Holistic visibility and inventory of digital assets, web and mobile application security are an indispensable part of NYSDFS 23 NYCRR 500 compliance process:

Section 500.05 Penetration Testing and Vulnerability Assessments

“The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:

(a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and

(b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.”

Section 500.08 Application Security

“(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.”

ImmuniWeb® for NYSDFS 23 NYCRR 500 Compliance

Application security and compliance for NYSDFS 23 NYCRR 500 starts with holistic visibility of your digital assets, related risks and threats. You simply cannot protect what you don't know. Therefore, we recommend commencing your NYSDFS 23 NYCRR 500 compliance efforts with IT asset discovery, inventory, classification and risk scoring. Our ImmuniWeb® Discovery leverages OSINT technology to rapidly detect your external web, mobile and cloud assets equipped with attractiveness and hackability scores. Based on our award-winning AI technology, ImmuniWeb Discovery will likewise provide you with a snapshot of your exposure in the Deep and Dark Web. Once completed, you are ready to start well-informed and risk-based application security testing for the purpose of NYSDFS 23 NYCRR 500 compliance.

For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand equipped with CVE, CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers full spectrum of security vulnerabilities from SANS Top 25 and OWASP Top 10.

For iOS and Android mobile apps and their backend (e.g. APIs or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite equipped with CVE, CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on OWASP Mobile Security Testing Guide (MSTG) and OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers full spectrum of security vulnerabilities from SANS Top 25 and OWASP Mobile Top 10.

For most critical applications that directly impact your NYSDFS 23 NYCRR 500 compliance we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code. It is equipped with CVE, CWE reporting and CVSSv3 risk scoring, its in-depth and rapid testing is based on OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers full spectrum of security vulnerabilities from SANS Top 25 and OWASP Top 10.

What’s Next:

Ask a Question