The document provides tips for testing the security of banking applications and frameworks. It suggests focusing on business logic flaws, such as manipulating functions to perform unintended tasks or bypass intended flows. Other tips include exploiting flaws in validation routines, manipulating currency values, and "outwitting" developers by finding ways to upload malicious files that may be executed by administrators. The goal is to identify vulnerabilities in these applications, as many offshore development teams and banks still have limited security knowledge.
Breaking the bank : how to really test/annoy financial institutionsSensePost
Presentation by Daniel Cuthbert at ZaCon 2 in 2010.
This presentation is about how to test banking applications/frameworks. The presentation begins with a brief overview of the security level of banking frameworks. Business logic and financial regulation flaws are discussed, how to use these flaws to test a framework are also discussed.
Breaking the bank : how to really test/annoy financial institutionsSensePost
Presentation by Daniel Cuthbert at ZaCon 2 in 2010.
This presentation is about how to test banking applications/frameworks. The presentation begins with a brief overview of the security level of banking frameworks. Business logic and financial regulation flaws are discussed, how to use these flaws to test a framework are also discussed.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Fixing security by fixing software developmentNick Galbreath
Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Fixing security by fixing software developmentNick Galbreath
Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
My talk at CodeFest 2017 in Novosibirsk, Russia. I talk about the benefits of adding a app crawler to your build process. In todays Agile world it's becoming difficult to keep up with the amount of manual and exploratory testing with shorter and shorter sprint iterations. It's time to put machines to work and help take some of the load off of us!
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, inverstors, entrepreneur and startuppers. Annually it takes place on 2-4 of October in Lviv at the Arena Lviv stadium. In 2015 conference gathered more than 1400 participants and over 100 speakers from companies like Facebook. FitBit, Mail.ru, HP, Epson and IBM. More details about conference at itarene.lviv.ua.
Security engineering 101 when good design & security work togetherWendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
2. Who the hell am I?
! One of the original OWASP members from back in the day.
! Started the OWASP Testing Guide.
! Security old fart.
3. What the hell am I on about?
! Banking applications and frameworks are a pleasure to test.
! They often have many vulnerabilities lurking beneath the
surface.
! Not many testers know how to wrangle the frameworks to get
what they want.
! It makes you look great compared to other testers.
4.
5. Quick background lesson
! Banking frameworks aren’t as confusing as you’d think.
! Often only a handful of frameworks in use globally.
! JAVA and .NET only (no-one really uses PHP, admit it!)
! SAP/IBM/FLEXCUBE (Oracle Financial Services) are the popular choice.
! Developed off-shore and customised in-house by dev teams onsite.
6.
7. Overall security
! Most modern banking frameworks are relatively secure.
! Don’t expect Grossmann style attacks (a.k.a the net is falling,
aaaaaaaah).
! They have large development teams and sexier budgets to fix
issues.
! They’ve been tested heavily by many of the best for years.
8. So shall I give up now?
! Have faith. Most big development teams still have little, or none,
knowledge about secure coding.
! Off-shore development is 5 years behind the west.
! There are loads of vulnerabilities still to be found.
9. Information gathering
! You need to have all the information before any testing starts.
! Understand regulatory requirements for market/application.
! Understand what Banking Standards are required for app.
! Obtain functional spec for all applications/frameworks to be
tested.
10. The goods
! Business logic flaws.
! Compliancy and financial regulation flaws.
! Bypassing validation routines.
! Outwitting the developer.
11. Business logic flaws
! Most frameworks have logic flaws introduced during the
development phase.
! Logic flaws require you to fully understand the application and
function.
! They could be anywhere in the application, from authentication
to validation.
12. Business logic flaws are:
! Legitimate requests with legitimate values.
! The ability to abuse a function to perform a task it was not
meant to perform.
! The ability to bypass, or circumvent, the intended flow of an
application.
13.
14. Authentication business logic flaw
! Banking app has 2-stage authentication:
! first page prompts for userID/pass and passcode (4-6 digit)
! second page asks for 3 random chars of memorable word.
! This is ripe for a logic flaw attack.
15. Authentication business logic flaw
! Enter a valid username and password combo and press enter, the
2nd phase always asks for the same 3 random chars. (good
practice).
! Enter a valid username and incorrect password and press enter
(don’t add any memorable info from drop-down). The app asks for
different chars from the memorable password.
! We can now determine when a valid password combo has been
entered by the behavior of the 2nd-phase page.
16. Business logic flaws
! Use and Abuse cases are your friend:
! how can an attacker subvert this function?
! what are the maximum amounts allowed?
! can the amount be a negative amount?
! can you manipulate source and destination accounts?
17. Compliancy and financial regulation flaws
! Banking apps are strictly controlled by various financial laws.
! These laws protect the consumer from being ripped off.
! Testing for these flaws requires knowledge of how .net/JAVA
handles monetary values.
! NaN/Infinity and Exponential Notation are your friend.
18. Rounding errors
! Float and double data types are based on IEEE754.
! This standard acknowledges shortcomings relating to rounding
errors.
! System.out.println(3.00 - 1.10);
! result is actually 1.89999999999999999
19. Bypassing validation routines
! The use of Nan/Infinity and exponential notation is key to bypassing
validation routines.
! App has regulatory requirement to only allow a transaction under 10,000 per
day. Validation checks input amount for <6 characters. Anything more is
denied.
! What about 9E1 or 0.99E+6 (all valid)
! Test all listed reserved words in numeric fields!
20.
21. Currency manipulation
! Currency functions are easy to manipulate:
! often they obtain the value at the start of the function.
! change the value to see if it’s accepted. also change currency
value.
! bypass currency restrictions using exponential notation.
22. Outwitting the developer
! Most developers dabble with security but often don’t fully
understand implications.
! Retail banking applications have functions to allow customers to
contact bank staff. Often these allow uploads (strictly
controlled).
! I’ve yet to see any upload function checking content. This is ripe
for abuse.
23. Malicious uploads
! Create malicious PDF. (use Metasploit, any Adobe vuln is
useful).
! Log into banking app and contact administrators, attach PDF and
send.
! Sit and wait for admin to launch PDF (which has been cleared by
the framework)
! Control admin workstation.
24. Conclusion
! Get as much information about the app/platform as possible.
! Be methodical.
! Think ‘how can this be subverted?’
! Dare for more.