While providing cyber security consultancy, I am often asked the same two questions by a bank's senior IT management:
- Why should our application VAPT be any different from any other application VAPT?
- Isn't it just a web app after all? I really wish that were true, but it is not.
It is a misconstrued notion in the banking and finance industry that all web or mobile applications are more or less the same when it comes to securing them from attackers. That is true only if we are talking about functionality. For example, the basic crux of core banking, loan request management or one-touch mobile banking is pretty much the same from bank to bank. What differs is the technical architecture and the actual implementation, and this is where the game plan changes when assessing the application's cyber security strength, on which the privacy of the bank's customer data depends. Beyond mere OWASP Top 10 testing, there are multiple areas one needs to think about to devise a correct vulnerability assessment strategy.
Bank application security is an art, beyond mere competency
With the premise set above, let's look at a net-banking application. Typically it must be open to the internet so that customers can access it, and it must be deployed with a TLS (SSL) certificate so that traffic between the customer's browser and the bank is encrypted in transit. It is often found that the security implementation pretty much stops here. With some agility in the bank's IT management, a regular vulnerability assessment and penetration testing (VAPT) exercise is conducted. The VAPT vendor is usually an IT company that knows a lot about the OWASP Top 10 and typically knows little about how the application actually works. Because of this knowledge gap, the level of testing required and the level of testing actually provided sit on different planes, leaving gaps that can be very daunting to deal with later. The result is serious security loopholes left in place, and a penetration test that does not serve its intended purpose.
For example, the net-banking application may use an OTP (one-time password), a captcha, or an entirely different form of two-factor authentication. Each of these features can be implemented in at least five different ways, and each of those implementations can be attacked in at least five different ways. The pivot on which the testing strategy depends is technical experience in the given domain, and that is unfortunately not child's play: it is not a matter of running an automated tool and collecting results, it scales well beyond that. Come to think of it, if simply running a vulnerability scanner against a net-banking application were enough, it would mean anyone who can run the tool could break into the application. That is not the case, because tools cannot replace humans.
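To make the OTP point concrete, here is an added example (not code from the original post, and not from any bank or vendor it mentions) showing two OTP verifiers with the same interface. The naive one only checks equality; the hardened one generates the code randomly, expires it, makes it single-use, compares in constant time and burns it after a few failed attempts. A scanner sees identical HTTP behaviour for both; only a tester who reasons about the implementation notices that the first one can be enumerated in at most a million requests. The user names, the injectable clock and the brute-force simulation are constructed for the example.

```python
"""Naive vs. hardened OTP verification (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_SPACE = 10 ** OTP_DIGITS  # 000000 .. 999999


class NaiveOtpVerifier:
    """Checks only that the submitted code equals the stored one.

    No expiry, no attempt counter, no single-use semantics: an attacker
    who can submit requests can simply try every code in order.
    """

    def __init__(self):
        self._codes = {}  # user -> code

    def issue(self, user, code):
        # Caller supplies the code; many weak systems also derive it predictably.
        self._codes[user] = code

    def verify(self, user, candidate):
        return self._codes.get(user) == candidate


@dataclass
class _OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class HardenedOtpVerifier:
    """Same verify() interface, but with the controls the naive one lacks."""

    def __init__(self, ttl_seconds=120, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._state = {}  # user -> _OtpRecord

    def issue(self, user):
        # CSPRNG-generated code; in a real system it is sent out-of-band (SMS/app).
        code = f"{secrets.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"
        self._state[user] = _OtpRecord(code=code, issued_at=self.clock())
        return code

    def is_active(self, user):
        """True while an unexpired, unconsumed, not-yet-locked code exists."""
        return user in self._state

    def verify(self, user, candidate):
        rec = self._state.get(user)
        if rec is None:
            return False
        if self.clock() - rec.issued_at > self.ttl:
            del self._state[user]  # expired: discard, do not compare
            return False
        rec.attempts += 1
        # Constant-time compare avoids leaking how many leading digits matched.
        ok = hmac.compare_digest(rec.code.encode(), str(candidate).encode())
        if ok or rec.attempts >= self.max_attempts:
            # Single-use on success; burn the code after too many failures.
            del self._state[user]
        return ok


def brute_force(verifier, user, max_tries=OTP_SPACE):
    """Attacker enumerating codes in order. Returns the number of attempts
    needed on success, or None if the code was never accepted."""
    for i in range(max_tries):
        if verifier.verify(user, f"{i:0{OTP_DIGITS}d}"):
            return i + 1
    return None


if __name__ == "__main__":
    naive = NaiveOtpVerifier()
    naive.issue("alice", "004217")
    print("naive verifier broken after", brute_force(naive, "alice"), "attempts")

    hardened = HardenedOtpVerifier()
    hardened.issue("bob")
    print("hardened verifier broken after", brute_force(hardened, "bob", 10_000),
          "attempts; code still active:", hardened.is_active("bob"))
```

The interesting part for a tester is that none of these differences are visible in a single response: the naive verifier and the hardened one both answer "invalid code" to a wrong guess. Only an attempt-limit test, a replay of a consumed code, or a delayed submission after the expiry window separates them, and those are checks a human designs from knowledge of how OTP flows are built, not something a generic scanner runs by default.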
6-Point Checklist to extend your thought process beyond the cliché
While there cannot be an exhaustive list of points to consider, the bullets below are a good start before approaching a VAPT vendor. Check whether your vendor selection process covers them.
- Domain knowledge in banking and finance
- Detailed knowledge of RBI / SEBI guidelines
- Demonstrable experience in performing security testing in BFSI
- A testing report that meets the RBI and SEBI technical expectations
- A strong focus on manual testing rather than tool-based scanning
- An agile, technically driven team, not merely a certified one
Beyond the list above, senior IT management must understand how attackers think when they target a bank's systems, and must think about security implementation holistically. It is imperative to understand that cyber security is never 100%; it is a continuous improvement process. For more technical details, please see www.valencynetworks.com.