
Success

The performance testing helped the client identify and resolve performance bottlenecks which otherwise crippled the business. The ability to support 500 concurrent users was a performance improvement of almost 60 times when compared with the first capacity test run. Needless to say, the client was delighted by the end result!

Security Testing For Financial Applications

SECURITY TESTING WHITE PAPER

www.zenq.com | Security Testing White Paper


Contents:

1. Executive Summary
2. Overview
3. Test Approach
   a. Phase 1: Threat Modeling
   b. Phase 2: Test Planning
   c. Phase 3: Test Execution
   d. Phase 4: Result Reporting
4. Framework
5. Framework Components
6. Summary


Executive Summary

The Banking, Financial Services and Insurance (BFSI) sector applications are complex applications that facilitate large volumes of high-value transactions every day. The sensitive and confidential nature of the data they host makes them a target of hackers. Integration with third-party applications, a constantly growing customer base, the proliferation of the Internet, complex business workflows and a growing remote and mobile workforce make these applications, and the data they host, vulnerable to threats from a myriad of sources.

Protection of data from these threats and malicious attacks is imperative to avoid loss of reputation and financial loss. Even as the number of security products grows, security issues in online banking systems, payment gateways, insurance covers etc. still receive too little attention and need to be resolved. Security testing and proper analysis will minimize the risk of a security breach and ensure the confidentiality, integrity and availability of customer transactions.

In this white paper, we describe the customized framework developed by our Security Testing specialists, along with the security testing approach based on industry-wide best practices and standards, which we follow here at ZenQ to enhance the security posture of applications.


Overview

In recent years, the security threats surrounding financial and banking applications have increased dramatically, and they continue to evolve. According to a report titled "Arming Financial and E-Commerce Services against Top 2013 Cyber Threats", Gartner forecasts that financial and e-commerce applications will be a target of increasingly sophisticated attackers and attacks, such as high-bandwidth DDoS attacks and social engineering ploys, in the coming year.

Figure 1.0 below depicts the breakdown of the different types of attacks performed by hackers for data/money theft:

Figure 1.0: Reference: http://www.corero.com/resources/files/analyst-reports/CNS_Report_Ponemon_Jan13

[Figure 1.0: bar chart "Security threats considered most severe (8 = the most severe to 1 = the least severe)". Categories, in extraction order: Zero day attacks, Denial of Service attacks, Phishing and social engineering, Web based attacks, Virus or malware infections, SQL injection, Malicious insider, Stolen or hijacked computers. Bar values as extracted, in the same order: 6.08, 5.55, 5.12, 4.96, 4.81, 4.69, 4.25, 2.58.]


According to another security report, "Analyzing Project Blitzkrieg, a Credible Threat", released by McAfee Labs in December 2012, hackers may mount a massive cyber-attack to siphon money from most of the banks.

In addition to these Distributed Denial-of-Service attacks on big financial corporations, hacktivists are now concentrating more on small and medium-scale banks, stealing as much as $1 billion a year, from a few thousand dollars to a few million per theft, in the US and Europe.

The nature of the transactions and the monetary gain involved make these applications a prime target of hackers. Both small and big financial organizations are targets of these attacks.

More frequent security analysis is required to prevent these attacks. Thorough penetration testing is needed to expose the effectiveness of an application's security controls, discover gaps in compliance, and employ measures to safeguard the applications from malicious attacks.


Test Approach

In order to combat the security threats encompassing BFSI applications, security testing has to be conducted so that appropriate measures can be taken to eliminate vulnerabilities before they are exploited.

The security testing specialists here at ZenQ have come up with a structured approach for security testing BFSI applications. Our approach is based on industry-wide standards, best practices and methodologies such as OWASP and NIST.

Figure 1.1 below shows the security testing methodology that we follow to minimize the risk of a security breach and improve the security stature of the applications under test (AUT); the phases are briefly described in the subsequent sections.


Fig 1.1: Process Flow

[Flowchart, reproduced here as a sequence of stages:]

1. Start
2. Threat modelling: Define Scope; Create threat profile; Create threat strategy
3. Test Plan: Create test cases
   • Mapping threats to pages/functionalities
   • Mapping pages/functionalities to attacks
4. Test Execution: Execution of test cases and identification of vulnerabilities
5. Root cause analysis and Results: Technical review report; Executive review report; Root cause analysis and submit recommendations
6. Decision: Is the application at low risk? True: End Project. False: Fix vulnerabilities and retest


Threat Modeling

This is one of the first steps when performing penetration testing. This phase includes threat modeling of the web/mobile applications, i.e. identifying the threats, attacks, vulnerabilities and countermeasures that could affect the application.

The process is twofold:

Define Scope:

We begin by gathering information about the critical assets and target applications from the client expectations document, and then conduct further evaluation to define the scope for the testing effort (important assets/functionalities and their relative values, areas of concern for the assets, and known vulnerabilities, if any).

Threat Profiles:

The next step is to list out all the possible threats to the application. In addition, we determine the possible goals of the adversary in attacking the application, which in turn assists in identifying the vulnerabilities that exist as a result of these goals. The identified threats are classified using the STRIDE model and a threat profile is created.

At the end of this phase, a threat profile that includes the following attributes is created:

Asset – Critical functionality/feature of the application under test

Actor – Who or what may violate security requirements such as the confidentiality, integrity and availability of an asset

Motive (optional) – Indication of whether the actor's intentions are deliberate or accidental

Access control – How the asset (functionality/feature) will be accessed by the actor

Outcome – Immediate result of violating the security requirements of an asset, i.e. disclosure, modification, destruction, loss, interruption etc.


Test Planning

Once the threat model is reviewed and established, we move forward with test planning. A detailed test plan is created that covers the overall strategy for execution, deliverables, test cases and the effort needed to conduct penetration testing.

Test Strategy:

The Test Strategy, included as a part of the Test Plan, describes the scope, approach, resources and schedule for the testing activities of the project. It also includes defining what will be tested, who will perform the testing, how the testing will be managed, and the associated risks and contingencies.

Test Design:

The probability of occurrence of an event and the risk associated with each occurrence are taken into account when designing the tests.

Test cases:

Once the threat profile is ready, the attack techniques to try out are determined. For each threat in the threat profile, we list down all the possible ways of realizing it. For example, we can try to view another user's account information either by an SQL injection attack, by manipulating the request variables, or by accessing the information from the browser cache.

The complete list of exact test cases that will be tried out for each threat is included as a part of the Test Plan. Each test case specifies the page and the variable where the test will be tried out. This detailed test plan serves an important purpose: it ensures that a thorough test is carried out and that no attack vector for any threat is left unexplored.


Each test case will be comprised of the following:

Threat scenario

Pages/functionalities that the threat will affect

Associated attacks to be performed for each threat scenario
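As an added example (not from the paper or ZenQ's framework) tying Phase 1 and Phase 2 together: a threat-profile entry carrying the STRIDE category and the attributes listed above, the two mappings from Figure 1.1 (threats to pages/functionalities, pages to attacks) expanded into the test-case list, and a coverage check for the "no attack vector left unexplored" requirement. The assets, pages, attack technique names and the simple likelihood times impact priority are constructed assumptions; the paper's own Risk Rating Matrix is not on this page.

```python
from dataclasses import dataclass
from itertools import product

# STRIDE categories the paper uses to classify threats (Phase 1: Threat Modeling).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass
class Threat:
    asset: str          # critical functionality/feature of the application under test
    actor: str          # who or what may violate confidentiality, integrity or availability
    access: str         # how the actor reaches the asset
    outcome: str        # disclosure, modification, destruction, loss, interruption ...
    stride: str         # STRIDE letter
    motive: str = "deliberate"  # optional attribute: deliberate or accidental
    likelihood: int = 1         # assumed 1..3 scale (the paper's matrix is in an absent appendix)
    impact: int = 1             # assumed 1..3 scale

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")

def build_test_cases(threats, pages, techniques):
    """Phase 2: map threats to pages/functionalities, then pages to attacks.
    pages: asset -> list of pages; techniques: STRIDE letter -> attack techniques."""
    cases = []
    for t in threats:
        for page, attack in product(pages.get(t.asset, []), techniques.get(t.stride, [])):
            cases.append({"asset": t.asset, "category": STRIDE[t.stride], "page": page,
                          "attack": attack, "priority": t.likelihood * t.impact})
    # Assumed ordering: highest probability-times-risk cases are executed first.
    return sorted(cases, key=lambda c: -c["priority"])

def coverage_gaps(threats, cases):
    """Threats with no test case at all: the 'no attack vector left unexplored' check."""
    covered = {c["asset"] for c in cases}
    return [t.asset for t in threats if t.asset not in covered]

# Constructed sample input modelled on the paper's example: viewing another user's
# account information via SQL injection, request manipulation or the browser cache.
SAMPLE_THREATS = [
    Threat("account summary", "authenticated customer", "web UI over HTTPS",
           "disclosure", "I", likelihood=3, impact=3),
    Threat("fund transfer", "authenticated customer", "web UI over HTTPS",
           "modification", "T", likelihood=2, impact=3),
]
SAMPLE_PAGES = {"account summary": ["/account/summary", "/account/statement"]}
SAMPLE_TECHNIQUES = {"I": ["SQL injection", "request variable manipulation",
                           "browser cache inspection"]}
```

Running `coverage_gaps(SAMPLE_THREATS, build_test_cases(SAMPLE_THREATS, SAMPLE_PAGES, SAMPLE_TECHNIQUES))` reports `fund transfer` as a threat with no planned test case, which is exactly the omission the Test Plan review is meant to catch.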

Test Execution

With the complete test plan reviewed and agreed upon with the client, the penetration testing activity is carried out by executing each test case from the test plan. As each test case is executed, there may be a need for more tests to confirm the results.

Test Execution includes:

Identification of vulnerabilities based on the attack performed

Exploitation

Exfiltration of data, if any


Result Reporting

Upon completion of the test execution, root cause analysis is done and recommendations on how the vulnerabilities can be addressed are determined. Detailed reports are then prepared, based on which the application can be secured.

The following reports are provided to the client upon completion of the testing:

Technical Review Report:

Along with the vulnerabilities observed, the report also details the impact each would have on the business, the ease of exploiting it and its risk rating. It also describes how the exploit was carried out, with steps and screenshots wherever required, and recommendations on how the vulnerability can be fixed.

Executive Review Report:

A high-level report which describes the process followed in security testing and also gives the risk rating of the application from the business perspective. The Risk Rating Matrix that we utilize for ranking the risks is described in the Appendix.


Framework

The framework consists of a set of components that combine to achieve the structured approach for conducting security tests efficiently and effectively. The logical architecture and the set of underlying components of the framework utilized by ZenQ's security test team are depicted in Figure 1.2 below, and the components are briefly explained in the next section.


Fig 1.2: Framework Architecture


Framework Components

Footprinting/Information Gathering:

Footprinting is a pre-attack phase that involves the accumulation of data regarding the application/product to be tested and its architecture. Footprinting can reveal system vulnerabilities and identify the ease with which they can be exploited. Footprinting is performed using a combination of techniques which include DNS interrogation, application spidering, open source searching and inputs from the client.

Enumeration/Configuration Management:

Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, services etc. It involves actively querying or connecting to a target system to acquire this information.

Activities include:

Target identification

Scanning and listing the various ports open on the target

Fingerprinting, to identify particularly vulnerable or high-value targets in the application

Vulnerability Scan:

A vulnerability scan involves the identification of weaknesses in the application/product using a manual crawl process and navigation through the application using tools.


Activities include:

Discovery of vulnerabilities:

This is the process of identifying vulnerabilities using security testing tools, manual techniques, proxies etc.

Vulnerability Validation:

This is the process of validating whether an identified vulnerability is a false positive or not.

Penetration Tests:

Once the vulnerabilities are identified using vulnerability scanning, they are exploited by penetrating into the application/product.

Any of the penetration tests below will be performed upon approval from the client:

Exploit vulnerabilities Destructively:

This exploitation focuses on penetrating deep into the application/product and performs tests which could lead to complete destruction of the application/product. These exploitations are performed only after approval from the client.

Exploit vulnerabilities Non-Destructively:

This exploitation focuses on penetrating into the application and uses lower-priority exploits to identify vulnerabilities in the application.

Results Reporting:

Upon completion of the penetration tests, raw results are extracted from the tools, results from the manual penetration tests are collected, and a detailed Technical Review Report is prepared.


Summary

This paper elucidates the current challenges faced by applications built for financial institutions and the need for security testing in this area. We have reviewed the current categories, criteria and approaches for conducting security testing of applications pertaining to financial institutions.

We believe that with our approach and expertise, our clients will be able to thwart and remediate vulnerabilities that pose a serious risk to their applications and meet their compliance goals. This in turn strengthens customer confidence and increases revenues.


About ZenQ

ZenQ is a global provider of high-quality Software Development & Testing Services, offering cost-effective, value-add outsourcing solutions to our clients. Our highly competent IT professionals and domain experts, combined with industry best practices and our investments in state-of-the-art technologies, make us a dependable and long-term IT service partner to all our clients is an

For more information, email us at: [email protected] OR visit us at www.zenq.com