Security Testing for Web Applications and Network Resources. (Banking).

Transcription

1 2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess the security posture of the web application, networks and all other IT assets. ECD Global Info Tech Pvt Ltd 41, Spencer's Plaza, 2nd floor old airport road, Bangalore Karnataka, India Phone : [email protected]

2 Abstract The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess the security posture of the web application, networks and all other IT assets. Client Profile The Client, a UK based bank offering services to meet the needs of customers managing and moving money online. The client had planned to launch an online banking provision to make it is easy to move money to and from merchants and other customers, within a secure online environment. Background The Client is a UK based independent bank authorized and regulated by Financial Services Authority. Client had planned to offer its customers a reliable online payment and banking service. To ensure the security of the online banking portal, it was imperative for the client to make sure that the application was not easily susceptible to misuse and fraud, thus leading to loss of reputation, loss of customer trust and financial loss. Client wanted an assurance that the web application was secure, has appropriate security controls built in, before the roll out. ECD consultants performed the web application penetration testing, to identify and minimize the risk of a security breach. Business Need The client was initially approached by the company to take care of their Web Applications, Computer Networks and Other IT Assets, protect them from security threats and provide a trusted environment for conducting secure transactions through web. Since the client is Bank and deals with financial transactions, the first main concern around security & quality. Provide Data protection and customer privacy Prevent targeted fraudulent and illegal activities Protect Brand image. Proprietary & Confidential Information 2

3 For Security testing, the client s main concern was to identify vulnerabilities clearly and accurately, with a minimum of false positives and protect their web applications. Challenges The Main challenges faced were: Change in the proposed testing tools because of limitations with the developed application and tool compatibility so that the business application would not be affected in real time. Close communication with client required as the product was being tested rapidly in accordance with the end user requirements Manual testing for various high potential vulnerabilities to make sure that the Application is secure. Team management in very effective way to lead the way through to client s expectations up to the mark To add more value to the result findings, a team of experienced project managers went through the report and reviewed it for strategic analysis. The report was then presented according to the specified client template. Also areas of concern were to check the robustness, speed, fault tolerance, security, cost criteria and extensibility. As agreed in Statement of Work with client, following things done during testing: Security Testing: Information Gathering and Error Enumeration Web-Server Tests Port/Service/Version Mapping tests Protocol Based Tests Web Application Tests OS Based Tests PHP/ASP Based Tests Apache/ IIS Advance Test Vectors Authentication Tests Proprietary & Confidential Information 3

4 Flash Test DoS Attact Tests Tests on Network Devices and other IT Assets Exploitation of Found Vulnerabilities Social Engineering (Optional) Penetration Testing: Penetration testing attempts to verify that protection mechanisms built into a system will, in fact, protect it from internal and external. Security Testing Approach: o Identifies the resources needed to conduct the Security test o Explains the security test execution process o Presents the Security test schedule A proper communication channel was established between the client and its Development team to ensure that no gaps are left during the final testing. Weekly summary calls were made to ensure that ECD team is in line with the development team and Client s expectations. The test automation Security testing was achieved using automated web application vulnerability assessment & Penetration Testing tools like Acunetix, Appscan, WebInspect, Burp Suite, Nessus, Core Impact, Metasploit Pro, Qualys Guard etc., After the completion of automated testing, manual testing has been carried out by our security consultants. Application access was given by client on ECD s local test environment. A certified team of Security Consultants were deployed to identify the application vulnerabilities that could be exploited by the hacker. To arrive at the security posture the security consultants adopted the following approach: Security consultants after thoroughly understanding the customer s security requirements and concerns customized the penetration testing methodology to achieve the scope of work outlined for the project. Analysis of the banking applications was performed to arrive at the attack scenarios Proprietary & Confidential Information 4

5 Tests were executed using a combination of open source and commercial tools to ensure optimum results Web Application was scanned using tools like Acunetix, Appscan, WebInspect, Burp Suite, Nessus, Core Impact and Qualys Guard to identify potential vulnerabilities. The scan results were reviewed to identify false positives. Computer network was scanned using the tools like GFI LanGuard, Nessus and Qualys to identify potential vulnerabilities. Proof of Concepts was conducted to confirm the existence of the security issues Security consultants presented the final report to the client highlighting the areas of concern the vulnerabilities detected and suggested remediation Security Testing Benefits: Increase Customer confidence Limited threats of legal liabilities Compliance with industry best security practices. Conclusion: ECD has successfully completed the penetration tests for the web application and subsequent releases as per client requirement in a short span of time. Our clients regularly seek our support for testing their Web Applications, Mobile Applications, Servers, Computer Assets and Networks. We keep our client assets safe and reliable. Proprietary & Confidential Information 5