Security Testing for Web Applications and Network Resources. (Banking).

Academic year: 2021


Security Testing for Web Applications and Network Resources (Banking). 2011


ECD Global Info Tech Pvt Ltd, 41, Spencer's Plaza, 2nd Floor, Old Airport Road, Bangalore-560017, Karnataka, India

E-Mail: [email protected] Phone: +91 80 40609604

Proprietary & Confidential Information, ECD Global Infotech Private Ltd

All Rights Reserved

NOT TO BE COPIED OR DISTRIBUTED IN ANY FASHION WITHOUT WRITTEN PERMISSION

Abstract

The Client is a UK-based bank offering secure online payment and banking services to its customers. The client wanted to assess the security posture of its web application, networks and all other IT assets.

Client Profile

The Client is a UK-based bank offering services to meet the needs of customers managing and moving money online. The client planned to launch an online banking service that would make it easy to move money to and from merchants and other customers within a secure online environment.

Background

The Client is a UK-based independent bank authorized and regulated by the Financial Services Authority. The client planned to offer its customers a reliable online payment and banking service. To ensure the security of the online banking portal, it was imperative for the client to make sure that the application was not easily susceptible to misuse and fraud, which would lead to loss of reputation, loss of customer trust and financial loss. The client wanted assurance, before roll-out, that the web application was secure and had appropriate security controls built in. ECD consultants performed the web application penetration testing to identify and minimize the risk of a security breach.

Business Need

The client was initially approached by the company to look after its web applications, computer networks and other IT assets, protect them from security threats, and provide a trusted environment for conducting secure transactions over the web.

Since the client is a bank and deals with financial transactions, its primary concerns were security and quality:

• Provide data protection and customer privacy

• Prevent targeted fraudulent and illegal activities


For security testing, the client's main concern was to identify vulnerabilities clearly and accurately, with a minimum of false positives, and to protect its web applications.

Challenges

The main challenges faced were:

• A change in the proposed testing tools, because of limitations in the developed application and tool compatibility, so that the live business application would not be affected.

• Close communication with the client was required, as the product was being tested rapidly in line with end-user requirements.

• Manual testing for various high-potential vulnerabilities to make sure that the application is secure.

• Effective team management to meet the client's expectations.

To add more value to the findings, a team of experienced project managers reviewed the report for strategic analysis. The report was then presented according to the client's specified template.

Other areas of concern were robustness, speed, fault tolerance, security, cost criteria and extensibility.

As agreed in the Statement of Work with the client, the following was done during testing:

Security Testing:

• Information Gathering and Error Enumeration

• Web-Server Tests

• Port/Service/Version Mapping Tests

• Protocol Based Tests

• Web Application Tests

• OS Based Tests

• PHP/ASP Based Tests

• Apache/IIS Tests

• Advanced Test Vectors

• Flash Tests

• DoS Attack Tests

• Tests on Network Devices and other IT Assets

• Exploitation of Found Vulnerabilities

• Social Engineering (Optional)

Penetration Testing:

Penetration testing attempts to verify that the protection mechanisms built into a system will, in fact, protect it from internal and external attacks.

Security Testing Approach:

o Identifies the resources needed to conduct the security test

o Explains the security test execution process

o Presents the security test schedule

A proper communication channel was established between the client and the development team to ensure that no gaps were left during the final testing. Weekly summary calls were held to ensure that the ECD team stayed aligned with the development team and the client's expectations.

Automated security testing was performed using web application vulnerability assessment and penetration testing tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact, Metasploit Pro and Qualys Guard. After the automated testing was complete, manual testing was carried out by our security consultants. The client provided application access in ECD's local test environment.

A certified team of security consultants was deployed to identify application vulnerabilities that could be exploited by an attacker. To arrive at the security posture, the security consultants adopted the following approach:

• After thoroughly understanding the customer's security requirements and concerns, the security consultants customized the penetration testing methodology to achieve the scope of work outlined for the project.

• Tests were executed using a combination of open source and commercial tools to ensure optimum results.

• The web application was scanned using tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact and Qualys Guard to identify potential vulnerabilities. The scan results were reviewed to identify false positives.

• The computer network was scanned using tools such as GFI LanGuard, Nessus and Qualys to identify potential vulnerabilities.

• Proofs of concept were conducted to confirm the existence of the security issues.

• The security consultants presented the final report to the client, highlighting the areas of concern, the vulnerabilities detected and the suggested remediation.

Security Testing Benefits:

• Increased customer confidence

• Reduced threat of legal liabilities

• Compliance with industry best security practices

Conclusion:

ECD successfully completed the penetration tests for the web application and its subsequent releases, as per the client's requirements, in a short span of time. Our clients regularly seek our support for testing their web applications, mobile applications, servers, computer assets and networks. We keep our clients' assets safe and reliable.
