It better. The organization, which provides clearing, settlement and information services for financial institutions and government, settled US$1.88 quadrillion (thousand trillion) in securities transactions last year.

DTCC claims to be the only financial services firm rated at Level 3 on the Software Engineering Institute's Capability Maturity Model Integration scale. It is also one of the co-developers of the just-announced industry standard Building Security In Maturity Model.

"We have a very disciplined, process-oriented approach," says Jim Routh, chief information security officer.

Here's what DTCC does:

* Submits its internally developed software to the rigors of static and dynamic code analysis;

* Submits its systems to penetration testing;

* Subscribes to a third-party service that scans its Web sites looking for vulnerabilities;

* Assigns risk levels - high, medium or low - to any vulnerabilities found;

* Remediates vulnerabilities and tracks remediation at three levels in the organization.

As for software vendors, DTCC "puts them through the paces," Routh says.

For software deemed to be high-risk, the vendors must show evidence of the same kinds of controls that DTCC uses internally. "They have to show us the artifacts of their software development lifecycle as it relates to security - static code analysis, dynamic analysis, penetration testing and how they track vulnerabilities and manage their remediation," he says, adding that DTCC is one of the few firms that does that.

Vendors that can't produce these artifacts get another chance, however. They must submit the software in question, in binary form, to an external party that scans it for high-risk vulnerabilities and assigns a grade to it. "We pay for some of that," Routh says. "We get the high-level results, the vendor gets the detailed results and we negotiate remediation priorities."