Security Testing for Web Applications and Network Resources. (Banking).




2011
Security Testing for Web Applications and Network Resources (Banking)

The Client, a UK-based bank offering secure online payment and banking services to its customers, wanted to assess the security posture of its web application, networks and all other IT assets.

ECD Global Info Tech Pvt Ltd
41, Spencer's Plaza, 2nd floor, Old Airport Road, Bangalore-560017, Karnataka, India
Phone: +91 80 40609604
E-Mail: info@in.ecd-global.com

Abstract

The Client is a UK-based bank offering secure online payment and banking services to its customers. The client wanted to assess the security posture of its web application, networks and all other IT assets.

Client Profile

The Client is a UK-based bank offering services to meet the needs of customers managing and moving money online. The client had planned to launch an online banking provision to make it easy to move money to and from merchants and other customers within a secure online environment.

Background

The Client is a UK-based independent bank authorized and regulated by the Financial Services Authority. The client had planned to offer its customers a reliable online payment and banking service. To ensure the security of the online banking portal, it was imperative for the client to make sure that the application was not easily susceptible to misuse and fraud, which would lead to loss of reputation, loss of customer trust and financial loss. The client wanted assurance that the web application was secure and had appropriate security controls built in before the roll-out. ECD consultants performed the web application penetration testing to identify and minimize the risk of a security breach.

Business Need

The client initially approached the company to take care of its web applications, computer networks and other IT assets, protect them from security threats and provide a trusted environment for conducting secure transactions through the web. Since the client is a bank and deals with financial transactions, its main concerns were security and quality:

- Provide data protection and customer privacy
- Prevent targeted fraudulent and illegal activities
- Protect brand image

Proprietary & Confidential Information 2

For security testing, the client's main concern was to identify vulnerabilities clearly and accurately, with a minimum of false positives, and so protect its web applications.

Challenges

The main challenges faced were:

- A change in the proposed testing tools, because of limitations of the developed application and tool compatibility, so that the business application would not be affected in real time
- Close communication with the client was required, as the product was being tested rapidly in accordance with the end-user requirements
- Manual testing for various high-potential vulnerabilities to make sure that the application is secure
- Managing the team effectively so as to meet the client's expectations

To add more value to the findings, a team of experienced project managers went through the report and reviewed it for strategic analysis. The report was then presented according to the specified client template. Other areas of concern were to check robustness, speed, fault tolerance, security, cost criteria and extensibility.

As agreed in the Statement of Work with the client, the following was done during testing:

Security Testing:
- Information Gathering and Error Enumeration
- Web-Server Tests
- Port/Service/Version Mapping Tests
- Protocol Based Tests
- Web Application Tests
- OS Based Tests
- PHP/ASP Based Tests
- Apache/IIS Advanced Test Vectors
- Authentication Tests

- Flash Tests
- DoS Attack Tests
- Tests on Network Devices and other IT Assets
- Exploitation of Found Vulnerabilities
- Social Engineering (Optional)

Penetration Testing:
Penetration testing attempts to verify that the protection mechanisms built into a system will, in fact, protect it from internal and external.

Security Testing Approach:
o Identifies the resources needed to conduct the security test
o Explains the security test execution process
o Presents the security test schedule

A proper communication channel was established between the client and its development team to ensure that no gaps were left during the final testing. Weekly summary calls were held to ensure that the ECD team stayed in line with the development team and the client's expectations.

Test automation: security testing was achieved using automated web application vulnerability assessment and penetration testing tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact, Metasploit Pro and QualysGuard. After the completion of automated testing, manual testing was carried out by our security consultants. Application access was given by the client on ECD's local test environment. A certified team of security consultants was deployed to identify the application vulnerabilities that could be exploited by a hacker.

To arrive at the security posture, the security consultants adopted the following approach:

- After thoroughly understanding the customer's security requirements and concerns, the security consultants customized the penetration testing methodology to achieve the scope of work outlined for the project
- Analysis of the banking applications was performed to arrive at the attack scenarios

- Tests were executed using a combination of open source and commercial tools to ensure optimum results
- The web application was scanned using tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact and QualysGuard to identify potential vulnerabilities. The scan results were reviewed to identify false positives
- The computer network was scanned using tools such as GFI LanGuard, Nessus and Qualys to identify potential vulnerabilities
- Proofs of concept were conducted to confirm the existence of the security issues
- The security consultants presented the final report to the client, highlighting the areas of concern, the vulnerabilities detected and the suggested remediation

Security Testing Benefits:
- Increased customer confidence
- Limited threat of legal liabilities
- Compliance with industry best security practices

Conclusion:
ECD successfully completed the penetration tests for the web application and subsequent releases as per the client's requirements in a short span of time. Our clients regularly seek our support for testing their web applications, mobile applications, servers, computer assets and networks. We keep our clients' assets safe and reliable.
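The approach above runs several scanners over the same targets, reviews the combined results for false positives, and only then confirms issues with a proof of concept. As an added example (not ECD's code, and not tied to the export format of any tool named above), the following script merges constructed findings from three hypothetical scanners, collapses duplicates by host, port and CVE or normalised name, and flags findings seen by only one tool for manual verification before they reach the report:

```python
from collections import defaultdict

# Added example: assumes each tool's export has already been normalised to
# dicts with the keys tool, host, port, name, severity and cve.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample: two hosts scanned by three hypothetical tools.
# CVE-0000-00001 is a placeholder identifier, not a real CVE.
SAMPLE_FINDINGS = [
    {"tool": "scanner-a", "host": "10.0.0.5", "port": 443,
     "name": "TLS 1.0 enabled", "severity": "medium", "cve": None},
    {"tool": "scanner-b", "host": "10.0.0.5", "port": 443,
     "name": "TLS 1.0 Enabled", "severity": "low", "cve": None},
    {"tool": "scanner-a", "host": "10.0.0.5", "port": 80,
     "name": "Outdated web server", "severity": "high", "cve": "CVE-0000-00001"},
    {"tool": "scanner-b", "host": "10.0.0.5", "port": 80,
     "name": "Outdated web server", "severity": "critical", "cve": "CVE-0000-00001"},
    {"tool": "scanner-c", "host": "10.0.0.5", "port": 80,
     "name": "Vulnerable web server version", "severity": "high", "cve": "CVE-0000-00001"},
    {"tool": "scanner-c", "host": "10.0.0.9", "port": 22,
     "name": "Weak SSH ciphers", "severity": "low", "cve": None},
]

def consolidate(findings):
    """Merge raw findings by (host, port, CVE or normalised name)."""
    groups = defaultdict(list)
    for f in findings:
        ident = f["cve"] or f["name"].strip().lower()
        groups[(f["host"], f["port"], ident)].append(f)
    merged = []
    for (host, port, ident), items in groups.items():
        tools = sorted({i["tool"] for i in items})
        # Keep the highest severity any tool assigned; the reviewer lowers it
        # later if the proof of concept does not bear it out.
        worst = max(items, key=lambda i: SEVERITY_RANK[i["severity"]])["severity"]
        # A finding reported by a single tool is a false-positive candidate
        # and is routed to manual testing before it reaches the report.
        status = "corroborated" if len(tools) > 1 else "verify manually"
        merged.append({"host": host, "port": port, "id": ident,
                       "severity": worst, "tools": tools, "status": status})
    merged.sort(key=lambda m: (-SEVERITY_RANK[m["severity"]], m["host"], m["port"]))
    return merged

def summarise(merged):
    """Count corroborated findings against those still needing manual work."""
    counts = {"corroborated": 0, "verify manually": 0}
    for m in merged:
        counts[m["status"]] += 1
    return counts
```

Real exports would first need a small adapter per tool to produce the normalised dicts; the merge and triage logic stays the same.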