How can Security Testing strengthen Banks against cyber threats?


Recently, Westpac made news when customers blasted the bank after being unable to access their accounts for almost three days. The bank's mobile and online banking services had been hit by a technical glitch, disrupting the weekend plans of thousands of Australians and much more. How can banks equip themselves proactively to deal with such situations?

The recent Kaspersky Lab Report 2017 on ‘Analyzing the state of IT Security in financial sector’ estimates that ‘The average loss per incident for a consumer suffering from financial fraud is $1,446, rising to $10,312 for business customers.’

The report, published after a global study conducted in association with B2B International, involved 841 business representatives from the financial services sector in about 15 countries. It is quite an eye-opener, not only for the financial services sector but also for software development and testing folks. It further states that ‘59% of banks expect financial fraud losses to increase over the next three years, demonstrating the need for more robust and effective security solutions to be put in place.’

The findings of the report reinforce that it is important to check the application for performance and usability, but the security aspect is much more critical. Fraud is an expensive affair and will cost banks millions of dollars. It is appalling to know that 7/10 banks have been affected by financial fraud. It is not just about the bucks; it comes down to the reputation of the financial institution.

That’s scary and difficult to revive!

Customers are the most important and most vulnerable link in IT security. So, banks tutor customers in using security software on their devices, and constantly communicate with them to bring down online fraud. As the referred report suggests, an accident involving a bank’s online banking services costs the organization USD 1,754,000 on average – that’s double the price of recovering from a malware incident, which costs USD 825,000 on average.

The Digital Banking Report 2017 states that almost 70% of financial institutions give utmost importance to enhancing customer experience, and that it dominates their strategic priorities in 2017. On reflection, performance and experience are critical for success, but security brings sustainability to the business. Cyber security threats will continue to hit the financial services sector, but strengthening the security testing strategy and building guards can make the industry players resilient.

According to the recent report on 2017 Retail Banking Trends and Predictions, ‘Large regional banks, community banks and credit unions ranked security and authentication as a top 3 priority roughly 18% of the time, while large national banks indicated this as a top 3 priority 10% less often (8%).’

Typical traits of a Banking application

A financial/banking application is multi-tier, with various functionalities and many concurrent users. It also has to integrate with numerous other applications to enable a payment gateway. Transactions happen in real time, and the number of transactions per second is very high.

Moreover, the banking sector requires robust reporting to keep tabs on and record every minute transaction and user interaction. There is a requirement for a massive storage system, which must be secure and accessible all the time. Disaster Management/Risk Management is key to surviving in a volatile market.

Application Security Testing (AST) tools address three different problem areas:

  • Static Analysis tools – These tools scrutinize patterns and detect vulnerabilities in the source code to send an alert to the developer.
  • Dynamic Analysis tools – These tools launch regular (commonly known) attacks against the application/software to check for vulnerabilities.
  • Interactive Analysis tools – These use the code library over a particular time slot to create an updated version of the software/application. This is then used to detect any particular behavior or vulnerability.

Some key best practices considered during Application Security Testing (AST)

  1. Check for unexpected behavior/patterns

Testing whether the code works in the most common way might not be good enough. You need to create situations and pressures that are the most unexpected for the application. This will help exercise every aspect of the application and expose its vulnerabilities. Only then does the application get tested for the worst. Moreover, it will help identify hidden bugs and defects that any potential hacker could leverage to get to your data.
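As an added illustration (not code from the original article), the test below feeds a transfer-amount check both ordinary and unexpected inputs. The validator names, the amount format and the `MAX_TRANSFER` limit are assumptions made for the example; the point is that both validators pass the happy-path cases, and only the unexpected inputs tell them apart.

```python
import re
from decimal import Decimal

MAX_TRANSFER = Decimal("1000000.00")  # assumed per-transaction limit
# Allowlist format: ASCII digits only, at most two decimal places.
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?")

def naive_accepts(raw):
    """Happy-path validator: rejects only negatives and non-numbers."""
    try:
        return not float(raw) < 0
    except (TypeError, ValueError):
        return False

def strict_accepts(raw):
    """Allowlist validator: exact text format first, then range."""
    if not isinstance(raw, str) or not AMOUNT_RE.fullmatch(raw):
        return False
    return Decimal("0") < Decimal(raw) <= MAX_TRANSFER

# Constructed test inputs for this example.
HAPPY_PATH = ["10", "125.50", "1000000.00"]
UNEXPECTED = [
    "nan", "inf", "1e309",       # non-finite values float() will parse
    "-0.0", "0",                 # zero-value transfers
    "0.001",                     # sub-cent precision
    " 5 ", "1_000",              # whitespace and digit separators
    "\uff11\uff12\uff13",        # full-width Unicode digits
    "9999999.99",                # above the assumed limit
    "", None, "5; DROP",         # empty, wrong type, trailing junk
]

def survivors(validator, cases):
    """Return the inputs a validator lets through."""
    return [c for c in cases if validator(c)]

if __name__ == "__main__":
    print("naive lets through: ", survivors(naive_accepts, UNEXPECTED))
    print("strict lets through:", survivors(strict_accepts, UNEXPECTED))
```
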

  2. Get your API tested or any external interface

APIs and multiple other public interfaces are introduced within an application to offer extended services to the user and enhance the experience. However, these external interfaces can be hacked and information could get leaked, which makes the application more prone to threats. So, tests like API Security Testing should be mandatory in your software testing strategy.

  3. Test the environment where the application gets deployed

Anticipating errors, defects, bugs, and scenarios across the deployment environment is absolutely critical. For instance, if your application is being deployed on a server, check the server for any possible configuration issues or open ports. This will ensure that sensitive information is not touched and the application runs smoothly despite pressure.

Moreover, it could also help to run breach simulation exercises during security testing to identify high-priority vulnerabilities.

Even Data Loss Prevention (DLP) strategies can be implemented at the enterprise level to ensure that end users do not share sensitive information outside the defined corporate network. In this way, the network administrator controls the flow of information. DLP software products set business rules to segment the information by its criticality and intensity of risk for the organization.

In Conclusion

Digital Transformation, achieving digital customer experience, improving workflows, leveraging Data Analytics, and cutting down operational costs are some of the major challenges that the banking and financial sector faces today. While it is important to simplify the banking activity for the user, it is equally critical to ensure secure online transactions and safe banking measures.

With reference to ensuring customer experience and simplicity of process, Deloitte states that “Organizations can begin their journey by starting to invest in non-password-based authentication solutions now as part of their digital transformation efforts, such as the rapid adoption of software-as-a-service platforms and omnichannel customer engagement initiatives. These new solution areas can serve as the foundation for broader enterprise authentication initiatives, which may take time.”

Cigniti’s Web application penetration testing uncovers vulnerabilities in applications and ensures that the application risks are minimized. We have a dedicated Security Testing Center of Excellence (TCoE) that has developed methodologies, processes, templates, checklists, and guidelines for web applications, software products, networks, and cloud.

Connect with us to build an application that can sustain through the turmoil in the digital sphere.