In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Keeping those applications secure is a core Fintech responsibility, and OWASP offers many of the pieces of the puzzle needed to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector.

On May 21st, 2020, I had the honor of diving into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We discussed how OWASP plays an integral role and how Wallarm, one of the prominent application security solutions providers, navigates the landscape. We shared some collective knowledge and recommendations for the financial sector.

With a focus on Fintech, we covered the OWASP Top 10 and related projects in depth. Vandana shared the modern Fintech cyber threats and the resources OWASP offers. We talked about potential solutions, including some detail about the solution Wallarm offers and how Wallarm’s next-gen WAF works. We concluded the session with a small product demo and Q&A.

We began with WHY

We started our discussion with “WHY.” Over the years, some of the biggest data breaches have involved financial service providers, from banks and payment processing companies to loan providers and credit reporting bureaus. We illustrated this with a few examples: 

  • Equifax’s 2017 breach, one of the most widely known, was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638) and led to the compromise of 143M accounts in the US and 400K accounts in the UK, as initially reported; both figures were later revised upward.
  • Capital One’s 2019 breach, in which a software engineer in Seattle abused a misconfigured web application firewall (a server-side request forgery that returned cloud credentials) to reach the storage holding customer information and obtained the personal data of over 100 million people. A misconfigured protection component can itself be the way in.
  • In 2005, the personal data of 3.9 million U.S. customers was lost.
  • In 2008, Heartland Payment Systems’ processing systems were hacked (the company disclosed the breach in January 2009). The attack exposed around 130 million payment cards across multiple card brands. According to ComputerWorld, the company spent around $140 million to deal with the massive breach: $60 million to settle with Visa, $3.5 million to settle with American Express, and legal fees amounting to at least $26 million. In addition, $42.8 million was earmarked for potential settlements and litigation.
  • Likewise, in 2014, JPMorgan Chase, the largest U.S. bank, reported a data breach that affected 76 million households and 7 million small businesses.

Whether it is a big financial institution or a small or medium-sized Fintech organization, most financial organizations are at risk.

What are hackers looking for in Fintech? 

The financial services sector handles sensitive information about individuals and enterprises. With digital transformation, the sheer volume of data and the need to secure it have become a major challenge for Fintech. As we move toward online, phone, and other banking services, enterprises are able to gather tremendous amounts of data about customers and visitors.

Protecting this data while still allowing access to it in a secure manner is the biggest challenge Fintech companies face. And behind every data set, malicious actors are ultimately coming for the money.

Hidden Fintech Cyber Challenges 2020

Vandana shared some of the hidden challenges for this fast-growing industry, including:

  • Application security risk (common application vulnerabilities)
  • Web server security hardening
  • Misconfigurations or privacy issues
  • API security issues
  • Outdated third-party software
  • Compliance concerns
  • Data integrity risks (mobile application security)
  • Digital identity risks
  • Cloud-based security risks

How shall we address these challenges – The OWASP Way – Resources and Tools 

In Vandana’s words, even before initiating the development process, one needs to design the architecture to make sure that the security aspects are met.

First Step: Architecting the features or the Application

Requirements Gathering

Vandana shared two OWASP projects that aid with requirements gathering:

  1. OWASP Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. In the requirements phase it answers a prior question: what is already exposed (domains, hosts, certificates) that the new feature will sit next to, so the requirements cover the real attack surface rather than the intended one.

  2. OWASP Cornucopia

OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology agnostic.

Threat Modeling

OWASP Threat Dragon

OWASP Threat Dragon is a tool used to create threat model diagrams and to record possible threats and decide on their mitigations.

Code Review

Once the coding is completed, there should be mandatory reviews to ensure no security flaws remain in the code. Parts of the review can be automated with code review tools, since reviewing every line by hand may sound tedious or impossible; the automated pass narrows down what a human still has to read.

There should be mechanisms that help teams work collaboratively: identify bugs at the earliest stage, reproduce them efficiently, fix them, and prepare for a retest.

Working in a DevOps setup helps this happen seamlessly. It provides a holistic view of the entire software delivery chain or product life cycle and takes shared services into account, which supports continuous development, integration, and delivery and thereby a quality product.

A balance between convenience in development or usage and security needs to be maintained. There are a couple of OWASP resources available for code review:

  1. Code Review Checklist

A guide to the security issues to look for in code, with recommendations on how to fix them.

  2. OWASP Code Pulse

The OWASP Code Pulse Project is a tool that provides insight into the real-time code coverage of black-box testing activities, i.e. which parts of the application a scanner or manual test actually reached, so untested code paths are visible rather than assumed safe.

It is a cross-platform desktop application that runs on most major platforms.

Software Component Analysis

OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It identifies each dependency (by CPE) and matches it against the NVD’s CVE data, producing a report in HTML, XML or JSON that a build pipeline can act on.

OWASP Dependency Track

Dependency-Track is an intelligent supply chain component analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. It works from a software bill of materials (CycloneDX) per project version and keeps re-evaluating it as new vulnerability data arrives, so a component that was clean at release time still surfaces when a CVE is published later.
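
A scanner report is only useful if something acts on it. The script below is an added example for this post, not Dependency-Check’s own code: it reads a Dependency-Check JSON report, de-duplicates findings that appear under several modules, prints a severity summary and fails the build when a finding at or above a chosen severity is not on a reviewer’s allowlist. The field names it reads (dependencies[].fileName, vulnerabilities[].name, severity, cvssv3.baseScore, cvssv2.score) follow the tool’s JSON report format; the embedded report is constructed for illustration and its CVE-style names are placeholders, not real advisories.

```python
"""Fail a CI build on an OWASP Dependency-Check JSON report.

Added example for this post, not Dependency-Check's own code. The report layout
(dependencies[].fileName, vulnerabilities[].name / severity / cvssv3.baseScore /
cvssv2.score) follows the tool's JSON report; SAMPLE_REPORT is a constructed report,
and its CVE-style names are placeholders, not real advisories.
"""
import json
import sys
from dataclasses import dataclass

# Constructed report: one module's scan plus a second module that pulls in the
# same vulnerable jar, so the same finding appears twice and must be de-duplicated.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "payments-core-1.4.2.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "legacy-xml-parser-2.0.jar",
         "vulnerabilities": [
             # older entry with a CVSS v2 score only
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "logging-api-1.7.jar"},  # clean dependency: no "vulnerabilities" key
        {"fileName": "legacy-xml-parser-2.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
         ]},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    dependency: str
    vuln_id: str
    severity: str
    score: float


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score; fall back to v2 for older NVD entries."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def parse_findings(report_text: str) -> list:
    """Flatten the report into unique (dependency, vulnerability) findings."""
    report = json.loads(report_text)
    seen, findings = set(), []
    for dep in report.get("dependencies", []):
        name = dep.get("fileName", "")
        for vuln in dep.get("vulnerabilities") or []:
            key = (name, vuln.get("name", ""))
            if key in seen:
                continue
            seen.add(key)
            findings.append(Finding(name, key[1], str(vuln.get("severity", "")).upper(), score_of(vuln)))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity label."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def gate(findings, fail_on: str = "HIGH", allowlist=frozenset()) -> list:
    """Return the findings that block the build: at or above `fail_on` and not risk-accepted.

    `allowlist` holds vulnerability ids a reviewer has explicitly accepted (e.g. the
    vulnerable code path is not reachable); everything else at the threshold fails."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.severity, 0) >= threshold and f.vuln_id not in allowlist]
    return sorted(blocking, key=lambda f: (-f.score, f.dependency, f.vuln_id))


if __name__ == "__main__":
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = parse_findings(report_text)
    print("findings by severity:", summarize(findings))
    blocking = gate(findings, fail_on="HIGH", allowlist={"CVE-0000-0003"})
    for f in blocking:
        print(f"BLOCK {f.severity:8} {f.score:4.1f} {f.vuln_id} in {f.dependency}")
    sys.exit(1 if blocking else 0)
```

Run it as `python gate.py dependency-check-report.json` after the scan step; the non-zero exit code is what makes the pipeline stop. The allowlist should live in version control next to the build definition, so every accepted risk has an author and a commit to point at.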

Vulnerability testing on web applications

OWASP Top 10

The OWASP Top 10 is the reference standard for the most critical web application security risks. It is an awareness document rather than a checklist: use it to prioritise, and test against a standard such as the ASVS below.

OWASP ZAP

OWASP ZAP is an open-source web application security scanner. It is intended to be used by those new to application security as well as professional penetration testers. Its automated spider and active scan are aimed at the injection and configuration classes of the Top 10; authorization and business-logic flaws still need a tester driving requests through its proxy.

Vulnerability Testing on Mobile applications

OWASP Mobile Top 10

The Mobile Top 10 is the reference standard for the most critical mobile application security risks.

Vulnerability Testing on APIs

OWASP API Security Project

This project is designed to address the ever-increasing number of organizations that deploy potentially sensitive APIs as part of their software offerings. Its API Security Top 10 (2019) opens with Broken Object Level Authorization, the class of flaw that lets one customer read another’s account or transaction simply by changing an identifier in the request.

Defect Tracking

OWASP DefectDojo

DefectDojo is a security program and vulnerability management tool that allows users to manage their application security program, maintain product and application information, schedule scans, triage vulnerabilities, and push findings into defect trackers. It consolidates findings from scanners such as ZAP and Dependency-Check into one source of truth.

Proactive Controls

The OWASP Proactive Controls is a list of security techniques that should be included in every software development project. Three OWASP projects that implement such controls:

OWASP Enterprise Security API (ESAPI)

ESAPI (The OWASP Enterprise Security API) is a free, open-source, web application security control library that makes it easier for programmers to write lower-risk applications. Only the Java implementation is actively maintained; in other stacks, rely on the framework’s own output encoding and validation controls.

OWASP ModSecurity Core Rule Set

The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. It does this with anomaly scoring: each matched rule adds to a per-request score, and the request is blocked only when the score crosses a threshold. The paranoia level and the inbound anomaly threshold are the knobs to tune, rather than disabling individual rules.

OWASP CSRFGuard

OWASP CSRFGuard is a Java library that implements the synchronizer token pattern against cross-site request forgery: a per-session (optionally per-page) token is injected into forms and requests and verified server-side on every state-changing request.
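
To make the synchronizer token pattern concrete, here is an added example for this post, written in Python so it runs stand-alone; it shows the technique CSRFGuard implements for Java applications, not CSRFGuard’s own code. The Session and Request classes are minimal stand-ins for a web framework’s objects, assumed for illustration, as are the field and header names.

```python
"""Synchronizer token pattern for CSRF protection, in Python.

Added example for this post: it shows the technique OWASP CSRFGuard implements
for Java applications, but it is not CSRFGuard's code. Session and Request are
minimal stand-ins for a web framework's objects, assumed here for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_FIELD = "csrf_token"          # hidden form field name (assumed)
TOKEN_HEADER = "X-CSRF-Token"       # header used by fetch/XHR callers (assumed)
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def new_token() -> str:
    # 32 random bytes from the OS CSPRNG; unguessable is the whole point.
    return secrets.token_urlsafe(32)


@dataclass
class Session:
    id: str
    csrf_token: str = field(default_factory=new_token)


@dataclass
class Request:
    method: str
    session: Optional[Session]
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def hidden_field(session: Session) -> str:
    """What the server renders into each form so the browser sends the token back."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}">'


def csrf_check(request: Request) -> bool:
    """Accept the request only if it carries the token stored in the caller's session.

    A cross-site page can make the victim's browser send a POST with the victim's
    cookies, but it cannot read the token bound to that session, so the forged
    request arrives without it (or with a token from the attacker's own session)."""
    if request.method.upper() in SAFE_METHODS:
        return True                      # reads are not state-changing; keep them that way
    if request.session is None:
        return False                     # no session, nothing to bind the token to
    submitted = request.form.get(TOKEN_FIELD) or request.headers.get(TOKEN_HEADER)
    if not submitted:
        return False
    # compare_digest avoids leaking the token byte-by-byte through timing
    return hmac.compare_digest(submitted, request.session.csrf_token)


def rotate_token(session: Session) -> str:
    """Issue a fresh token, e.g. after login, so a pre-login token cannot be reused."""
    session.csrf_token = new_token()
    return session.csrf_token


if __name__ == "__main__":
    victim = Session("s-victim")
    attacker = Session("s-attacker")
    # legitimate transfer form submitted from the victim's own page
    print(csrf_check(Request("POST", victim, form={TOKEN_FIELD: victim.csrf_token, "amount": "500"})))  # True
    # forged POST from a third-party page: victim's cookies arrive, but no usable token
    print(csrf_check(Request("POST", victim, form={"amount": "500"})))                                 # False
    print(csrf_check(Request("POST", victim, form={TOKEN_FIELD: attacker.csrf_token})))              # False
```

The pattern only holds if state changes never happen on GET and the token is never placed in a URL (where it leaks via Referer and logs). Rotating the token at login closes the case where an attacker fixes a pre-login session and later replays its token.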

Training

OWASP Mutillidae

A deliberately vulnerable PHP web application with hints and tutorials, usable as a practice target for both developers and testers.

OWASP Webgoat

A deliberately insecure Java web application organised as lessons, each walking through one vulnerability class and its fix.

OWASP Security Shepherd

A web and mobile application security training platform with levelled challenges for running internal training or competitions.

OWASP DevSlop

A collection of intentionally insecure applications and DevSecOps pipeline examples for learning how to secure a delivery pipeline.

OWASP Juice Shop

A modern, intentionally insecure web application (Node.js and Angular) covering the whole OWASP Top 10, with a built-in score board and CTF support.

Awareness

OWASP Web security testing guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

OWASP Application Security Verification Standard

ASVS Project provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development.

OWASP Automated Threats to Web Applications

It helps organizations better understand and respond to the notable worldwide increase of automated threats from bots. It catalogues them as named threat events (credential stuffing, carding, account creation, scraping and so on) so that teams, vendors and regulators can discuss the same behaviour by the same name.
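
The handbook’s credential stuffing entry (OAT-008) describes replaying leaked username/password pairs, which for a bank’s login endpoint looks like many different usernames failing from one source in a short window, unlike a customer mistyping one password. The detector below is an added example for this post, not part of the OWASP handbook: it slides a time window over failed logins per source address, alerts when the number of distinct usernames crosses a threshold, and records the successful logins that happened during the burst, since those are the accounts whose leaked passwords still work. The log format, thresholds and every line in the sample log are constructed; the addresses come from documentation ranges.

```python
"""Spot credential stuffing in authentication logs.

Added example for this post, not part of the OWASP Automated Threats handbook.
Credential stuffing (OAT-008 in that handbook) replays leaked username/password
pairs, so its signature is many *different* usernames failing from one source in a
short window, unlike a user mistyping one password. The log format, thresholds and
every line in SAMPLE_LOG are constructed; source addresses are from documentation ranges.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2020-05-21T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-21T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-05-21T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-05-21T10:00:08Z src=203.0.113.7 user=dave result=FAIL
2020-05-21T10:00:10Z src=203.0.113.7 user=erin result=FAIL
2020-05-21T10:00:12Z src=203.0.113.7 user=frank result=OK
2020-05-21T10:00:14Z src=203.0.113.7 user=grace result=FAIL
2020-05-21T10:01:00Z src=198.51.100.4 user=bob result=FAIL
2020-05-21T10:01:20Z src=198.51.100.4 user=bob result=FAIL
2020-05-21T10:01:40Z src=198.51.100.4 user=bob result=OK
2020-05-21T10:00:00Z src=192.0.2.9 user=heidi result=FAIL
2020-05-21T10:06:00Z src=192.0.2.9 user=ivan result=FAIL
2020-05-21T10:12:00Z src=192.0.2.9 user=judy result=FAIL
2020-05-21T10:18:00Z src=192.0.2.9 user=mallory result=FAIL
2020-05-21T10:24:00Z src=192.0.2.9 user=niaj result=FAIL
2020-05-21T10:30:00Z src=192.0.2.9 user=olivia result=FAIL
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line: str):
    """Return (timestamp, source, user, succeeded) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(log_text: str, window=timedelta(minutes=5), min_distinct_users=5) -> dict:
    """Per source, slide a time window over failed logins and alert when the number
    of distinct usernames in the window reaches min_distinct_users. Successful logins
    that occur while a source is in that state are recorded: those are the accounts
    whose leaked passwords still work and need a forced reset."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    by_src = {}
    for ev in events:
        by_src.setdefault(ev[1], []).append(ev)

    alerts = {}
    for src, evs in by_src.items():
        recent = deque()            # failures still inside the window: (timestamp, user)
        failing_users = Counter()   # how many of those failures each username accounts for
        for ts, _, user, ok in evs:
            while recent and ts - recent[0][0] > window:
                _, stale = recent.popleft()
                failing_users[stale] -= 1
                if failing_users[stale] == 0:
                    del failing_users[stale]
            in_burst = len(failing_users) >= min_distinct_users
            if ok:
                if in_burst:        # alerts[src] exists: the burst was first seen on a failure
                    alerts[src]["successful_logins"].append(user)
                continue
            recent.append((ts, user))
            failing_users[user] += 1
            if len(failing_users) >= min_distinct_users:
                alert = alerts.setdefault(src, {"first_seen": ts.isoformat(), "distinct_users": 0,
                                                "successful_logins": []})
                alert["distinct_users"] = max(alert["distinct_users"], len(failing_users))
    return alerts


if __name__ == "__main__":
    for src, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, alert)
    # 192.0.2.9 spreads its attempts 6 minutes apart, so it only shows up with a wider window:
    print(sorted(detect_credential_stuffing(SAMPLE_LOG, window=timedelta(hours=1))))
```

Two things the sample is built to show: a single customer failing three times on one account is not flagged at any window size, and the slow source is invisible at a 5-minute window but obvious at an hour. Real campaigns rotate source addresses, so the same logic is normally run keyed on other attributes (device fingerprint, ASN, user-agent) in addition to the IP.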

Mobile Application Security Verification Standard

The MASVS provides a basis for testing mobile application technical security controls and provides developers with a list of requirements for secure development.

Mobile security testing guide

The MSTG is a comprehensive manual for mobile app security testing and reverse engineering on iOS and Android; it describes how to verify each MASVS requirement.

OWASP Top 10 Privacy Risks

Top 10 list for privacy risks in web applications and related countermeasures

Knowledge Management

OWASP Application Security Verification Standard

The ASVS (described under Awareness above) doubles as a knowledge base: its requirement list, organised by verification level, gives teams a shared vocabulary for what "secure" means for a given application.

OWASP Security Knowledge Framework

SKF is an open-source security knowledge base, including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers from gaining access and running exploits on your application.

OWASP Snakes And Ladders

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, in particular knowledge of other OWASP documents and tools.

Conclusion:

The talk shares a skeleton that can be used for resolving the concerns teams in the industry face and for kick-starting an AppSec program, from requirements gathering to application testing to training the developers and security teams. The structure can be taken as a starting point, with an information security program built on top of it for the organization’s use.

Youtube Recording Link: https://youtu.be/OaJm_SeI9bE