Security Testing For Financial Applications
SECURITY TESTING WHITE PAPER
www.zenq.com | Security Testing White Paper
Contents:
1. Executive Summary
2. Overview
3. Test Approach
a. Phase 1: Threat Modeling
b. Phase 2: Test Planning
c. Phase 3: Test Execution
d. Phase 4: Result Reporting
4. Framework
5. Framework Components
6. Summary
Executive Summary
Banking, Financial Services and Insurance (BFSI) sector applications are complex systems that process large volumes of high-value transactions every day. The sensitive and confidential nature of the data they hold makes them a target for attackers. Integration with third-party applications, a constantly growing customer base, the spread of the Internet, complex business workflows and a growing remote and mobile workforce expose these applications, and the data they hold, to threats from a myriad of sources.
Protecting data from these threats and malicious attacks is imperative to avoid financial loss and loss of reputation. Although the number of security products keeps growing, security issues in online banking systems, payment gateways, insurance portals and similar systems still receive too little attention and remain to be resolved. Security testing and proper analysis minimize the risk of a security breach and help ensure the confidentiality, integrity and availability of customer transactions.
In this white paper we describe the customized framework developed by our Security Testing specialists, along with the security testing approach, based on industry-wide best practices and standards, that we follow at ZenQ to enhance the security posture of applications.
Overview
In recent years the security threats surrounding financial and banking applications have increased dramatically, and they continue to evolve. In a report titled "Arming Financial and E-Commerce Services against Top 2013 Cyber Threats", Gartner forecasts that financial and e-commerce applications will be the target of increasingly sophisticated attackers and attacks, such as high-bandwidth DDoS attacks and social engineering ploys, in the coming year.
Figure 1.0 below ranks the types of attack used for data/money theft by how severe they are considered:
Figure 1.0: Security threats considered most severe (8 = the most severe to 1 = the least severe). Reference: http://www.corero.com/resources/files/analyst-reports/CNS_Report_Ponemon_Jan13
Zero day attacks: 6.08
Denial of Service attacks: 5.55
Phishing and social engineering: 5.12
Web based attacks: 4.96
Virus or malware infections: 4.81
SQL injection: 4.69
Malicious insider: 4.25
Stolen or hijacked computers: 2.58
Another security report, "Analyzing Project Blitzkrieg, a Credible Threat", released by McAfee Labs in December 2012, warns that attackers may mount a massive cyber-attack to siphon money from a large number of banks.
In addition to the Distributed Denial-of-Service attacks on big financial corporations, attackers are now concentrating more on small and medium-sized banks, stealing as much as $1 billion a year in the US and Europe, at anywhere from a few thousand dollars to a few million per theft.
The nature of the transactions and the monetary gain involved make these applications a prime target. Both small and large financial organizations are targets of these attacks.
More frequent security analysis is required to prevent such attacks. Thorough penetration testing is needed to test the effectiveness of an application's security controls, discover gaps in compliance, and put measures in place to safeguard the application from malicious attacks.
Test Approach
To combat the security threats facing BFSI applications, security testing has to be conducted so that appropriate measures can be taken to eliminate vulnerabilities before they are exploited.
The security testing specialists at ZenQ have come up with a structured approach to security testing BFSI applications. Our approach is based on industry-wide standards, best practices and methodologies such as OWASP and NIST.
Figure 1.1 below shows the security testing methodology we follow to minimize the risk of a security breach and improve the security posture of the application under test (AUT); the phases are briefly described in the subsequent sections.
Fig 1.1: Process Flow (phases: Threat modelling, Test Plan, Test Execution, Root cause Analysis and Results)
Start
Define Scope
Create threat profile
Create threat strategy
Create test cases
• Mapping threats to pages/functionalities
• Mapping pages/functionalities to attacks
Execution of test cases and identification of vulnerabilities
Root cause analysis and submit recommendations
Technical review report and Executive review report
Is the application at low risk? True: End Project. False: Fix vulnerabilities and retest.
Threat Modeling
This is one of the first steps when performing penetration testing. This phase covers threat modeling of the web/mobile application, i.e. identifying the threats, attacks, vulnerabilities and countermeasures that could affect it.
The process is twofold:
Define Scope:
We begin by gathering information about the critical assets and target applications from the client's expectations document, then evaluate further to define the scope of the testing effort: the important assets/functionalities and their relative values, the areas of concern for those assets, and known vulnerabilities, if any.
Threat Profiles:
The next step is to list all the possible threats to the application and to determine the likely goals of an adversary attacking it, which in turn helps identify the vulnerabilities an attacker pursuing those goals would look for. The identified threats are classified using the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and a threat profile is created.
At the end of this phase, a threat profile with the following attributes is created:
Asset – Critical functionality/feature of the application under test
Actor – Who or what may violate security requirements such as the confidentiality, integrity and availability of an asset
Motive (optional) – Indication of whether the actor's intentions are deliberate or accidental
Access control – How the asset (functionality/feature) is accessed by the actor
Outcome – Immediate result of violating the security requirements of an asset, i.e. disclosure, modification, destruction, loss, interruption, etc.
Test Planning
Once the threat model is reviewed and agreed, we move on to test planning. A detailed test plan is created covering the overall execution strategy, deliverables, test cases and the effort needed to conduct the penetration test.
Test Strategy:
The test strategy, included as part of the test plan, describes the scope, approach, resources and schedule for the testing activities of the project. It also defines what will be tested, who will perform the testing, how the testing will be managed, and the associated risks and contingencies.
Test Design:
The probability of each threat occurring and the risk associated with its occurrence are taken into account when designing and prioritizing the tests.
Test cases:
Once the threat profile is ready, the attack techniques to try are determined. For each threat in the threat profile we list all the possible ways of realizing it. For example, an attacker might view another user's account information through an SQL injection attack, by manipulating request variables, or by reading the information from the browser cache.
The complete list of test cases to be tried for each threat is included in the test plan. Each test case specifies the page and the variable on which the test will be tried. This detailed test plan serves an important purpose: it ensures a thorough test is carried out and that no attack vector for any threat is left unexplored.
Each test case comprises the following:
Threat scenario
Pages/functionalities affected by the threat
Attacks to be performed for each threat scenario
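The threat profile attributes from the Threat Modeling phase and the threat-to-page-to-attack mapping described under Test cases, worked through in code. This is an added example, not ZenQ's framework tooling: the threats, pages, request variables, STRIDE-to-attack mapping and the 1..5 likelihood/impact scale are all constructed assumptions. It goes a little beyond the text by also ordering the generated test cases by likelihood x impact (the Test Design input) and by reporting any threat that no test case covers, which is the check behind the promise that no attack vector is left unexplored.

```python
"""Threat profile -> test-case matrix, following the Threat Modeling and
Test Planning phases.  Added example, not ZenQ's tooling: the threats,
pages, variables and attack mappings below are constructed for illustration."""
from dataclasses import dataclass
from itertools import product

# STRIDE classes used to classify each threat in the profile
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Threat:
    asset: str         # critical functionality of the AUT
    actor: str         # who or what may violate its security requirements
    access: str        # how the actor reaches the asset
    outcome: str       # disclosure, modification, interruption, ...
    stride: str        # STRIDE letter
    likelihood: int    # 1..5, assumed scale used for test design
    impact: int        # 1..5, assumed scale
    motive: str = "deliberate"


@dataclass(frozen=True)
class TestCase:
    threat: Threat
    page: str          # page on which the test is tried
    variable: str      # request variable targeted
    attack: str        # attack technique to perform


# Attack techniques that can realize each STRIDE class (assumed mapping; a real
# plan is far longer and specific to the application under test).
ATTACKS_BY_STRIDE = {
    "I": ["SQL injection", "request variable manipulation",
          "browser cache inspection"],
    "T": ["request variable manipulation", "cross-site request forgery"],
    "S": ["credential brute force", "session fixation"],
    "E": ["forced browsing", "role parameter tampering"],
    "D": ["resource exhaustion"],
    "R": ["audit log tampering"],
}

# Asset -> pages -> request variables, as discovered during footprinting
# (constructed inventory).
PAGES = {
    "account statement": {"/account/statement": ["acctId", "from", "to"]},
    "fund transfer": {"/transfer": ["fromAcct", "toAcct", "amount"],
                      "/transfer/confirm": ["txnId"]},
}


def risk(t: Threat) -> int:
    """Test design input: probability of occurrence x associated impact."""
    return t.likelihood * t.impact


def design_tests(threats):
    """Map each threat to its pages/functionalities, then each page's
    variables to the attacks that could realize the threat."""
    cases = []
    for t in threats:
        for page, variables in PAGES.get(t.asset, {}).items():
            for var, attack in product(variables, ATTACKS_BY_STRIDE[t.stride]):
                cases.append(TestCase(t, page, var, attack))
    cases.sort(key=lambda c: risk(c.threat), reverse=True)  # highest risk first
    return cases


def coverage_gaps(threats, cases):
    """Threats with no test case at all (here: asset not yet mapped to any
    page); these must be resolved before the plan is agreed with the client."""
    covered = {c.threat for c in cases}
    return [t for t in threats if t not in covered]


THREATS = [
    Threat("account statement", "authenticated customer", "web UI after login",
           "disclosure of another customer's statement", "I", 4, 5),
    Threat("fund transfer", "authenticated customer", "web UI after login",
           "modification of transfer beneficiary", "T", 3, 5),
    Threat("fund transfer", "external attacker", "internet",
           "interruption of transfer service", "D", 2, 3),
    Threat("loan application", "anonymous user", "internet",
           "disclosure of applicant data", "I", 2, 4),   # no pages mapped yet
]

if __name__ == "__main__":
    plan = design_tests(THREATS)
    for c in plan:
        print(f"[{STRIDE[c.threat.stride]} risk={risk(c.threat):2d}] "
              f"{c.page} {c.variable}: {c.attack}")
    for t in coverage_gaps(THREATS, plan):
        print("UNCOVERED:", t.asset, "-", t.outcome)
```

The matrix is deliberately exhaustive (every variable on every affected page gets every attack for the threat's STRIDE class); pruning it by hand is the tester's job, but a dropped combination is then a visible decision rather than an omission.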
Test Execution
With the complete test plan reviewed and agreed with the client, the penetration testing activity is carried out by executing each test case in the plan. As each test case is executed, further tests may be needed to confirm the results.
Test Execution includes:
Identification of vulnerabilities based on the attacks performed
Exploitation of the confirmed vulnerabilities
Exfiltration of data, if any, within the limits agreed with the client
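The example test case from the Test Planning section (view another user's account information by SQL injection, by manipulating the request variable, or from the browser cache), executed against two versions of the same statement handler. This is an added example, not code from ZenQ or any client: the in-memory SQLite accounts table, the /account/statement page, the acctId variable and the handler signatures are constructed assumptions. The vulnerable handler shows what each of the three attacks looks like when it succeeds, and the hardened handler shows the controls (parameterized query, ownership check against the server-side session, Cache-Control: no-store) that make each test case fail.

```python
"""The test-plan example 'view another user's account information' executed
against a vulnerable and a hardened statement handler.  Added example with a
constructed in-memory SQLite database; the handler signatures, the acctId
variable and the account data are assumptions, not ZenQ's or any client's code."""
import sqlite3


def make_db():
    """Constructed test data: two customers, each owning one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("1001", "alice", 5000), ("1002", "bob", 250)])
    return db


def vulnerable_statement(db, session_user, params):
    """Trusts the acctId request variable outright and builds the SQL by string
    concatenation; the response carries no cache directives."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + params["acctId"] + "'"
    return {"status": 200, "headers": {}, "body": db.execute(sql).fetchall()}


def hardened_statement(db, session_user, params):
    """Parameterized query plus an ownership check against the server-side
    session user; the response is marked non-cacheable.  A miss returns 404
    rather than 403 so the response does not confirm that the id exists."""
    row = db.execute("SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
                     (params["acctId"], session_user)).fetchone()
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if row is None:
        return {"status": 404, "headers": headers, "body": []}
    return {"status": 200, "headers": headers, "body": [row]}


def leaked(response, victim="bob"):
    """Did the response body expose the victim's account row?"""
    return any(row[1] == victim for row in response["body"])


def run_test_cases(handler):
    """Execute the three attacks from the test plan as customer 'alice' against
    /account/statement (variable acctId) and record, per attack, whether bob's
    data was exposed.  Returns attack -> vulnerable?"""
    db = make_db()
    results = {}
    # 1. Request variable manipulation: swap in another customer's account id.
    results["request variable manipulation"] = leaked(
        handler(db, "alice", {"acctId": "1002"}))
    # 2. SQL injection in the same variable: a tautology returns every row.
    results["sql injection"] = leaked(
        handler(db, "alice", {"acctId": "x' OR '1'='1"}))
    # 3. Browser cache: a legitimate 200 without Cache-Control: no-store can be
    #    read back from the cache on a shared machine after logout.
    r = handler(db, "alice", {"acctId": "1001"})
    results["browser cache"] = (r["status"] == 200
                                and r["headers"].get("Cache-Control") != "no-store")
    return results


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_statement), ("hardened", hardened_statement)):
        print(name, run_test_cases(h))
```

Each attack is its own entry in the result so the technical report can state per test case whether the control held; the cache check is a static inspection of the response rather than an exploit, which is the usual way that finding is validated without touching a real user's browser.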
Result Reporting
Upon completion of test execution, root cause analysis is performed and recommendations on how each vulnerability can be addressed are determined. Detailed reports are then prepared, on the basis of which the application can be secured.
The following reports are provided to the client upon completion of testing:
Technical Review Report:
Along with the vulnerabilities observed, this report details the impact each would have on the business, the ease of exploiting it and its risk rating. It also describes how each exploit was carried out, with steps and screenshots where required, and gives recommendations on how the vulnerability can be fixed.
Executive Review Report:
A high-level report that describes the process followed in the security testing and gives a risk rating of the application from the business perspective. The Risk Rating Matrix we use for ranking risks is described in the Appendix.
Framework
The framework consists of a set of components that combine to achieve a structured approach to conducting security tests efficiently and effectively. The logical architecture and the underlying components of the framework used by ZenQ's security test team are depicted in Figure 1.2 below, and the components are briefly explained in the next section.
Framework Components
Footprinting/Information Gathering:
Footprinting is the pre-attack phase in which data about the application/product to be tested and its architecture is accumulated. Footprinting can reveal system vulnerabilities and indicate how easily they could be exploited. It is performed using a combination of techniques including DNS interrogation, application spidering, open-source searching and inputs from the client.
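Application spidering, one of the footprinting techniques just listed, as an added example that is not ZenQ's tooling: it crawls a constructed in-memory site (fetch() stands in for an HTTP client and SCOPE_HOST for the host fixed in the scope definition) and produces the page/variable inventory that the test cases later reference, while refusing to follow links that leave the agreed scope and reporting them for confirmation with the client.

```python
"""Application spidering for the footprinting phase: crawl the application
from its entry page, stay inside the agreed scope, and build the inventory of
pages and request variables (query-string parameters and form fields) that the
test plan's test cases refer to.  Added example, not ZenQ's tooling: the site
below is constructed in memory so the code runs offline; fetch() stands in for
an HTTP client and SCOPE_HOST for the host agreed in the scope definition."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

SCOPE_HOST = "bank.example"   # assumed in-scope host

# Constructed target: path -> HTML body returned for that path
SITE = {
    "/": ('<a href="/login">Login</a> <a href="/help?topic=fees">Help</a> '
          '<a href="https://partner.example/">Partner site</a>'),
    "/login": ('<form action="/login" method="post"><input name="user">'
               '<input name="pass" type="password"><input type="submit"></form>'),
    "/help": '<a href="/">Home</a>',
}


def fetch(url):
    """Stand-in for HTTP GET; returns None where a real crawl would get a 404."""
    return SITE.get(urlsplit(url).path or "/")


class LinkFormParser(HTMLParser):
    """Collects anchors and forms (with their named inputs) from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def in_scope(url):
    """Scope check on the host; a real engagement would also list excluded paths."""
    return urlsplit(url).hostname == SCOPE_HOST


def spider(start):
    """Breadth-first crawl.  Returns (inventory, out_of_scope): inventory maps
    each page path to the set of request variables seen on it; out_of_scope
    lists URLs the crawl refused to follow, for confirmation with the client."""
    inventory, out_of_scope = {}, set()
    queue, seen = deque([start]), {start}
    while queue:
        url = queue.popleft()
        if not in_scope(url):
            out_of_scope.add(url)
            continue
        body = fetch(url)
        if body is None:
            continue
        parts = urlsplit(url)
        inventory.setdefault(parts.path or "/", set()).update(parse_qs(parts.query))
        p = LinkFormParser()
        p.feed(body)
        for href in p.links:
            target = urljoin(url, href)
            if target not in seen:
                seen.add(target)
                queue.append(target)
        for form in p.forms:               # form fields are request variables too
            action = urljoin(url, form["action"] or url)
            inventory.setdefault(urlsplit(action).path, set()).update(form["inputs"])
    return inventory, out_of_scope


if __name__ == "__main__":
    inv, out = spider(f"https://{SCOPE_HOST}/")
    for page in sorted(inv):
        print(page, sorted(inv[page]))
    print("out of scope:", sorted(out))
```

Form fields are attributed to the form's action page rather than the page that renders the form, because that is where the variable is actually submitted and therefore where the test case has to be tried.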
Enumeration/Configuration Management:
Enumeration follows scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, services, etc. It involves actively querying or connecting to the target system to acquire this information.
Activities include:
Target identification
Scanning and listing the ports open on the target
Fingerprinting, to identify particularly vulnerable or high-value targets in the application
Vulnerability Scan:
The vulnerability scan identifies weaknesses in the application/product by crawling it manually and navigating through it with tools.
Activities include:
Discovery of vulnerabilities:
The process of identifying vulnerabilities using security testing tools, manual techniques, proxies, etc.
Vulnerability Validation:
The process of confirming whether each identified vulnerability is real or a false positive.
Penetration Tests:
Once vulnerabilities have been identified by vulnerability scanning, they are exploited by penetrating the application/product.
Either of the following penetration tests is performed, upon approval from the client:
Exploit vulnerabilities destructively:
This exploitation focuses on penetrating as deep as possible into the application/product and performs tests that could lead to complete destruction of the application/product. Such exploitation is performed only after approval from the client.
Exploit vulnerabilities non-destructively:
This exploitation focuses on penetrating the application using lower-impact exploits that demonstrate the vulnerabilities without damaging the application.
Results Reporting:
Upon completion of the penetration tests, raw results are extracted from the tools, results from the manual penetration tests are collected, and a detailed Technical Review Report is prepared.
Summary
This paper has described the current challenges faced by applications built for financial institutions and the need for security testing in this area. We have reviewed the categories, criteria and approaches used to conduct security testing of applications for financial institutions.
We believe that with our approach and expertise our clients will be able to find and remediate vulnerabilities that pose a serious risk to their applications and meet their compliance goals. This in turn strengthens customer confidence and increases revenue.
About ZenQ
ZenQ is a global provider of high-quality Software Development & Testing Services, offering cost-effective value-add outsourcing solutions to our clients. Our highly competent IT professionals and domain experts, combined with industry best practices and our investments in state-of-the-art technologies, make us a dependable and long-term IT service partner to all our clients is an
For more information, email us at [email protected] or visit us at www.zenq.com