In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector. 

On May 21st, 2020, I had the honor to dive into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We discussed how OWASP plays an integral role and how Wallarm, one of the prominent application security solutions providers, navigates the landscape. We shared some collective knowledge and recommendations for the financial sector.

With a focus on Fintech, we covered a lot around OWASP Top 10 and related projects. Vandana shared the modern Fintech cyber threats and resources OWASP offers. We talked about potential solutions, including some detail about the solution Wallarm offers and how Wallarm’s next-gen WAF works. We concluded the session with a small product demo and Q&A. 

We began with WHY

We started our discussion with “WHY.” Over the years, some of the biggest data breaches have involved financial service providers, from banks and payment processing companies to loan providers and credit reporting bureaus. We illustrated this with a few examples: 

  • One of the most famous Equifax data breaches was caused by an unpatched Apache Struts vulnerability and led to the compromise of 143M accounts in the US and 400K accounts in the UK.
  • Capital One data breach where a software engineer in Seattle hacked into a server holding customer information for Capital One and obtained the personal data of over 100 million people.
  • In 2005, 3.9 million U.S. customers’ personal data had been lost.
  • In 2008, Heartland Payment Systems reported that their systems had been hacked. The attack affected around 130 million customers and multiple credit card types. According to ComputerWorld, the company spent around $140 million to deal with the massive breach: $60 million to settle with Visa, $3.5 million to settle with American Express, and legal fees amounting to at least $26 million. In addition, $42.8 million was earmarked for potential settlements and litigation.
  • Likewise, in 2014, JPMorgan Chase, the largest U.S. bank, reported a data breach that affected 7 million small businesses and 76 million households.
  • Whether it is big financial institutions or small-medium sized Fintech organizations, most financial organizations are at risk.

What are hackers looking for in Fintech? 

The financial services sector handles sensitive information about individuals and enterprises. With the digital transformation, data pervasiveness and data security are proving to be a major challenge for fintech. As we move toward online, phone, and other banking services, enterprises are able to gather tremendous amounts of data about customers and visitors.

The protection of this data and allowing access to this data in a secure manner are the biggest challenges faced by Fintech companies. Of course, malicious actors are coming for money.

Hidden Fintech Cyber Challenges 2020

Vandana Shared some of the hidden challenges for the fastest-growing emerging industry, including:

  • Applications Security Risk (Common Application vulnerabilities)
  • Web server security hardening
  • Misconfigurations or privacy issues
  • API security issues
  • Outdated third-party software
  • Compliance concerns
  • Data Integrity Risks (mobile applications security)
  • Digital Identity Risks Cloud-Based Security Risks 

How shall we address these challenges – The OWASP Way – Resources and Tools 

In Vandana’s words, even before initiating the development process, one needs to design the architecture to make sure that the security aspects are met.

First Step: Architecting the features or the Application

Requirements Gathering

Vandana shared two OWASP projects that aid with requirements gathering: 

  1. OWASP Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

  1. OWASP Cornucopia

OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology agnostic.

Threat Modeling

OWASP Threat Dragon

OWASP Threat Dragon is a tool used to create threat model diagrams 

and to record possible threats and decide on their mitigations.

Code Review

Once the coding is completed, there should be mandatory reviews conducted ensuring no security loopholes exist in the code. The review process can be automated using code review tools. Reviewing every line of the code might sound tedious or impossible. 

There should be mechanisms to help teams to work collaboratively. They should be able to identify the bugs at the earliest stage, reproduce them efficiently, fix them, and prepare for a retest. 

Working in a DevOps setup ensures that this happens seamlessly. It provides a holistic view of the entire software delivery chain or the product life cycle and takes into account shared services. This facilitates continuous development, integration, and delivery inherently, thereby building a quality product.

A balance between convenience in development or usage and security needs to be maintained. There are a couple of OWASP tools available for code review:

  1. Code Review Checklist

Guide for the security issues in the code and recommendations on how to fix them.

  1. OWASP Code Pulse

The OWASP Code Pulse Project is a tool that provides insight into the real-time code coverage of black-box testing activities.

It is a cross-platform desktop application that runs on most major platforms.

Software Component Analysis

OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.

OWASP Dependency Track

Dependency-Track is an intelligent supply chain component analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.

Vulnerability testing on web applications

OWASP Top 10 

The OWASP Top 10 is the reference standard for the most 

critical web application security risks.

OWASP ZAP

OWASP ZAP is an open-source web application security scanner. 

It is intended to be used by those new to application security 

as well as professional penetration testers.

Vulnerability Testing on Mobile applications

OWASP Mobile Top 10 

The Mobile Top 10 is the reference standard for the most critical 

mobile application security risks.

Vulnerability Testing on API’s

OWASP API Security Project

This project is designed to address the ever-increasing number of organizations that deploy potentially sensitive APIs as part of their software offerings.

Defect Tracking

OWASP DefectDojo

DefectDojo is a security program and vulnerability management tool that allows users to manage their application security program, maintain product and application information, schedule scans, triage vulnerabilities, and push findings into defect trackers. Consolidate findings into one source of truth with DefectDojo.

Proactive Controls

OWASP Enterprise Security API (ESAPI)

ESAPI (The OWASP Enterprise Security API) is a free, open-source, web application security control library that makes it easier for programmers to write lower-risk applications.

OWASP ModSecurity Core Rule Set

The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. 

OWASP CSRFGuard

This is a list of security techniques that should be included in every software development project.

Training

OWASP Mutillidae

OWASP Webgoat

OWASP Security Shepherd

OWASP DevSlop 

OWASP Juice Shop

Awareness

OWASP Web security testing guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

OWASP Application Security Verification Standard

ASVS Project provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development.

OWASP Automated Threats to Web Applications 

It helps organizations better understand and respond to the notable worldwide increase of automated threats from bots.

Mobile Application Security Verification Standard

Mobile ASVS Project provides a basis for testing mobile application technical security controls and provides developers with a list of requirements for secure development.

Mobile security testing guide

The MSTG is a comprehensive manual for mobile app security testing and reverse-engineering for iOS and Android mobile security testers 

OWASP Top 10 Privacy Risks

Top 10 list for privacy risks in web applications and related countermeasures

Knowledge Management

OWASP Application Security Verification Standard

ASVS Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

OWASP Security Knowledge Framework

SKF is an open-source security knowledge base, including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers from gaining access and running exploits on your application.

OWASP Snakes And Ladders

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, in particular knowledge of other OWASP documents and tools.

Conclusion:

The talk shares the skeleton which can be used for resolving the concerns teams in the industry face and kick-starting the AppSec Program, from requirements gathering to application testing to training the developers and security teams. The structure can be taken as a starting point and an information security program can be built on top of it for the organization’s use.  

Youtube Recording Link: https://youtu.be/OaJm_SeI9bE