Lionel Briand, profile picture
Uploaded byLionel Briand
577 views

Secure and Compliant Data Management in FinTech Applications

FinTech applications handle sensitive user data and must ensure secure data management and compliance with regulations to avoid breaches. Automated techniques are needed to help with compliance analysis, security testing, and auditing given the complexity and resources required. These include machine-interpretable models of standards, automated testing of applications and protocols, run-time monitoring, and machine learning to predict vulnerabilities. Such techniques can help scale assurance efforts for secure data management in FinTech.

Embed presentation

Downloaded 28 times
.lusoftware verification & validation VVS Secure and Compliant Data Management in FinTech Applications Prof. Lionel Briand, FNR PEARL Chair UL 3X3 FinTech lecture series, February 10th, 2017
FinTech @ SnT Centre • SnT: Luxembourg’s center on ICT Security, reliability and Trust • > 260 staff members • 31 partners • FinTech: One of SnT’s priorities • Increasing momentum: 5 FinTech partners, 7 projects, 2 laboratories 2 Alphonse Weicker Foundation
Software Verification and Validation @ SnT 3 • Group established in 2012 (FNR PEARL) • Focus: Ensuring reliability and security of IT systems through automated, cost-effective V&V solutions, e.g., testing • ERC Advanced Grant • ~ 25 staff members • Industry partnerships
Objectives • Create awareness about the challenges and solutions for ensuring secure and compliant data management in FinTech applications • Motivate the need for research and innovation • Non-technical presentation • Not meant to be a complete treatment of the subject matter 4
FinTech
6 Not Just about the B Word
FinTech: State of Play • $14.5 billion globally in venture capital in 2015, from $7.3 billion in 2014 • FinTech companies are proliferating • Wide range of solutions that promise to impact nearly everyone • Dramatically broaden the reach, flexibility, and level of innovation of financial services • Key challenge: Cybersecurity • Risks: Financial losses, undermine confidence, lower adoption 7
Cybersecurity: Risk Factors • “All that matters is to get to market fast” mentality • Growing mismatch between technology and regulations • Dilemma: Consumer protection versus the agility of the innovation ecosystem 8
Cybersecurity: Risk Factors • Reliance on machine learning and big data complicates the picture regarding cybersecurity – unintended biases in system behavior • Many new “customers” with little knowledge of security risks • More interfaces between traditional financial services and FinTech applications 9
Did I manage to worry you? 10
How Secure is our Data?
12
JPMorgan Chase Data Breach (2014) 13 • Compromised over 83 million accounts - 76 million households and 7 million small businesses • Also, targeted 9 other major financial institutions alongside JPMorgan Chase
UK’s Tesco Bank Hack in Nov 2016 14 • Biggest cyber attack in the history of British banking • £2.5 million stolen from accounts of 9000 customers • Approximately 40,000 Tesco Bank accounts were compromised • The fine could be as much as £2 billion pounds under the GDPR rules.
Some Statistics about Cybersecurity 15 Source: IBM Security - data from worldwide organisations having between 1,000 and 5,000 employees Incident rates by industries
Financial Impact of Data Breaches 16 • Study of 383 companies in 12 countries • $4 million is the average total cost of a data breach • 29% increase in total cost of data breach since 2013 • $158 is the average cost per lost or stolen record • 15% increase in per capita cost since 2013
Are FinTech Applications Different? • Most FinTech applications are web applications or services, possibly with a mobile front end – they are subject to the same security challenges as many other systems • FinTech applications handle sensitive data and perform business-critical operations • For now transactions are relatively limited, but risk factors are even more acute than in traditional financial services 17
18 https://magoo.github.io/Blockchain-Graveyard/
19 42 incidents reported Main categories: Server breach, application vulnerabilities
20 Vulnerability: Database injection Consequence: Data breach Conclusion: “This incident prompted us to reassess the viability of running coinwallet.co and it was decided it is just not viable taking into consideration the risk, costs and time involved.”
Summary • FinTech applications handle sensitive user and corporate data • Data breaches can ruin a FinTech company’s reputation and lead to significant financial damages and legal problems • FinTech applications must be secure from a data management point of view • Regulations are becoming more stringent, including the GDPR European legislation on data privacy 21
Secure data management cannot be ensured during development • Root causes • time to market pressures, • lack of disciplined programming, • third-party solutions (services, components). 22
Consequences • Many applications have problems with • incomplete or improper security requirements, • inadequate security architecture, • implementation flaws, • lack of systematic and effective testing, • … 23
Compliance with Standards and Regulations
Compliance 25 Regulations for FinTech domains microfinance, crowdfunding, cashless payment, cryptocurrencies, … Regulations & Standards for FinTech IT Systems primarily concerned with data protection and privacy
Example from Payment Services • PSD2: Payment Services Directive (EU directive) • “In order to improve the efficiency of payments throughout the Union, all payment orders initiated by the payer and denominated in euro or the currency of a Member State whose currency is not the euro, including credit transfers and money remittances, should be subject to a maximum 1-day execution time. For all other payments, such as payments initiated by or through a payee, including direct debits and card payments, in the absence of an explicit agreement between the payment service provider and the payer setting a longer execution time, the same 1-day execution time should apply.” 26 Logo (vertical) Positive versions “standard” The European Commission logo exists in 6 versions (positive and negative CMYK, Reflex Blue and black & white), all of which are available in 6 different formats (ai, eps, jpg, png, tiff and pdf). All these formats are available on the Visual Identity Page: http://www.cc.cec/dgintranet/ comm/visual_identity/index_ en.htm CMYK – for full-colour printing Pantone EC Corporate Blue – for 1-colour printing Black – for black & white printing The standard logo is the main logo of the European Commission and, as a general rule, should appear top centred on all communication material, documents and products unless there is a special reason not to substitute the standard logo with the horizontal or mute variation. 12
Security and Privacy • Security certification • On a voluntary basis • Business advantage • Laws and regulations • Compliance is mandatory • Luxembourg’s implementation of EU Directive 95/46/EC • General Data Protection Regulation (GDPR) 27 27018
28 • Sweeping powers for national data protection agencies • Fines of up to 4% of annual turnover for major breaches • Major new requirements, including: • Reporting major data breaches within 72h • Privacy by design • Client’s right to be forgotten • Verified technical and organizational measures necessary for demonstrating security GDPR
Industry Security Standards • Payment Card Industry Data Security Standard (PCI DSS) • Proprietary information and security standard for organizations that handle branded credit cards • Increase control on credit card data and reduce credit card fraud • Annual validation of compliance by Qualified Security Assessors 29
OWASP • Open Web Application Security Project (OWASP) • Share relevant software security information and good practices • https://www.owasp.org/ 30
Compliance is Complex and Expensive 31 Laws, regulations and standards are textual.They need to be interpreted and adapted to context Multiple stakeholders are involved in the compliance and auditing chain The volume of evidence required for demonstrating compliance is very large Compliance arguments need to be assessed in a credible manner and based on evidence
What can we do? 32
Compliance to Safety Standards • Safety-critical systems have been subject to safety certification for several decades • Rigorous compliance assessment is common practice for safety • The level of rigor is very likely to extend to data protection and privacy in future years • Existing work on safety certification can be a major source of experience and inspiration 33
Solution Components 34 Compliance Framework Creating Machine- Interpretable Model Collection and Management of Data/Evidence Automated Compliance Analysis& Reporting
Example Model 35 Subject MatterExpert GDPR Interpretation Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎ Constraint: Undercertain circumstances, an establishment is obligated to designate a DPO
Assessor Controller / Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
Assessor Controller / Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
Assessor Controller / Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
Assessor Controller / Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
Penetration Testing
Penetration Testing • A penetration test is an attack on a system to find vulnerabilities that an attacker could exploit • The intention is to find security weaknesses, leading to illegal access to functionality and data. 41
Penetration Testing: SQL Injection 42 Client Database Application Firewall SELECT * FROM customer WHERE col = custID Web Service
Penetration Testing: SQL Injection 43 SELECT * FROM customer WHERE col = custID OR 1=1 OR 1 =1 Attacker Application Firewall Database Web Service name matricule credit card Emma SMITH 19961506123 12345678912457 Julia BETTEL 19901006321 ….. …. … …. Data leak!
State of the Practice • Effort-intensive • Effectiveness depends on the competence of the consultants • Tools: Many false alarms and missed vulnerabilities • Does not scale 44 Security Consultants Security Scanners + WE NEED BETTER TEST AUTOMATION! Solution: Automated testing based on machine learning and optimization
Automated Penetration Testing 45 • Attacks: • Inputs • XML • Access Requests Web Service • Breaches: • Unauthorized access • Compromised integrity • Denial of Service Maximize chances of finding exploitable vulnerabilities Automated Detection of security breaches and data leaks Machine learning
Protocol Verification
Client Server Protocols 47 Example: Password Authentication Protocol (PAP) Security Property: the server authenticates only the right client
Protocols 48 Example: Password Authentication Protocol (PAP) Client ServerATTACKER Security Property Violation: the server authenticates the attacker
Modeling and Verification Model 49 Model Checker Attack Found No Attack HTTP messages and security properties The model checker is used to identify logical flaws in the protocol design
Testing the Protocol Implementation 50 Mutation Engine Secure Model Common Implementation Mistakes Mutated Models Model Checker Attack Found Attack Found Test Cases
Automated Compliance Analysis
Run-time Verification 52 “A technique that verifies, after the system is put in operation and is executing, the behavior observed in the system with respect to given properties”
Example property I Message order and response time: “After every successful completion of a payment, if the payer does not cancel it within 60 seconds, the recipient will receive a confirmation message after at least 70 seconds but not later than 120 seconds” 53
Example property II • Access control: “An employee with the role ‘junior financial analyst’ can access the ‘Derivatives Trading’ application only upon delegation from an employee with role ‘specialist financial analyst’ and within two hours from the delegation” 54
Category of Properties • Regulatory business rules • Access control and data privacy • Provisions from standards and best practices • Service-level agreements 55
Machine- Interpretable Properties 56 Deployed FinTech Application RT Verification Engine Check Violation?Feedback Analyst, Auditor … Information Execution Automation
Solutions 57 Language to express properties Algorithm to check them based on data Run-time Architecture to collect data
Security Audits
Source code analysis to identify, locate, and fix potential security & privacy issues Security Audits: Definition 59
Manual auditing is infeasible!
Commercial Tools 61 •Many false alarms •Miss some vulnerabilities •Overhead for security audit teams
Vulnerability Verification 62 Code Security Slice Program analysis Symbolic execution Condition Constraint solving Feasible? yesno Few false alarms
Vulnerability Prediction 63 Code Program analysis Code characteristics Machine learning Vulnerability predictor predicts
How does one get sufficient assurance about security data management and compliance with regulations? 64
Overall Solution 65 Regulations, Standards Automated Compliance Analysis Data (organization, processes, technical activities) Security & Compliance Requirements Architecture & Design Code Auditing Risk-based Testing Penetration Testing Run-time Verification Development Validation Operation
Additional Contacts • Mike Sabetzadeh, Ph.D.: Regulatory compliance, security requirements • Domenico Bianculli, Ph.D.: Source code auditing, run-time monitoring and verification • Annibale Panichella, Ph.D.: Automated security testing • Karl Johannesson: Project partnerships 66
.lusoftware verification & validation VVS Secure and Compliant Data Management in FinTech Applications Prof. Lionel Briand, FNR PEARL Chair UL 3X3 FinTech lecture series, February 10th, 2017

More Related Content

PPTX
Time to-market starts with you
byBackbase
 
PPTX
Seamless Customer Onboarding using Digital KYC
byPiChainAdministrator
 
PPTX
The Digital Insurer Award - FWD (smart)
byThe Digital Insurer
 
PDF
Blockchain, Bitcoin, Crypto assets, Initial Coin Offer workshop
byNext Space Pvt. Ltd
 
PDF
Crm service automation
byAna Meireles
 
PDF
Rma past present_v3
byRobert Seymour
 
KEY
Engagement Banking Strategy by Jouk Pleiter
byBackbase
 
KEY
Bank 2.0 - How to get ready for the new era of Engagement Banking
byBackbase
 
Time to-market starts with you
byBackbase
 
Seamless Customer Onboarding using Digital KYC
byPiChainAdministrator
 
The Digital Insurer Award - FWD (smart)
byThe Digital Insurer
 
Blockchain, Bitcoin, Crypto assets, Initial Coin Offer workshop
byNext Space Pvt. Ltd
 
Crm service automation
byAna Meireles
 
Rma past present_v3
byRobert Seymour
 
Engagement Banking Strategy by Jouk Pleiter
byBackbase
 
Bank 2.0 - How to get ready for the new era of Engagement Banking
byBackbase
 

Viewers also liked

PDF
FinTech Hong Kong Report
byCFTE
 
PDF
Embracing FinTech
byBackbase
 
PDF
360 Degrees of FinTech (R)evolution
byElias Gagas
 
PDF
Mercer Capital's Value Focus: FinTech Industry | Second Half 2016
byMercer Capital
 
PPTX
The next 10 years in Fintech
byKantox
 
PDF
Backbase Webinar: The Adjacent Possible for Banks
byBackbase
 
PDF
Investing in fintech: Trends in financial technology for investors and entrep...
byOurCrowd
 
PDF
Tracxn FinTech SEA Startup Landscape, July 2016
byTracxn
 
PDF
Swiss FinteCH Ecosystem Directory v2.0
bySwiss FinteCH
 
PDF
Bank: Trends, Tech and Future
byIvano Digital
 
PDF
Changing Hospitality with Streamlined Data and Payment Processing / Webinar
byIngenico Group
 
PDF
Bulk Payments and the DFS Ecosystem
byITU
 
PDF
API is the New Black for FinTech & Financial Institutions
byElias Gagas
 
PDF
Trends and Activities of Fintech Companies in Europe - Q42016 - Indalytics Ad...
byIndalytics Advisors
 
PDF
Suggestions to improve European Online Payments Regulation - CleverAdvice
byCleverAdvice
 
PDF
How many different subtypes of FinTech do we actually have?
byMichalGromek
 
PDF
STOCKHOLM FINTECH REPORT - SSE / Stockholm Business Region
byMichalGromek
 
PPTX
E commerce Company ROI
byBurke Gibson
 
PDF
Distributed ledger technology in payments clearing and settlement - blockchai...
byIan Beckett
 
PPTX
use of camera
byaamina24
 
FinTech Hong Kong Report
byCFTE
 
Embracing FinTech
byBackbase
 
360 Degrees of FinTech (R)evolution
byElias Gagas
 
Mercer Capital's Value Focus: FinTech Industry | Second Half 2016
byMercer Capital
 
The next 10 years in Fintech
byKantox
 
Backbase Webinar: The Adjacent Possible for Banks
byBackbase
 
Investing in fintech: Trends in financial technology for investors and entrep...
byOurCrowd
 
Tracxn FinTech SEA Startup Landscape, July 2016
byTracxn
 
Swiss FinteCH Ecosystem Directory v2.0
bySwiss FinteCH
 
Bank: Trends, Tech and Future
byIvano Digital
 
Changing Hospitality with Streamlined Data and Payment Processing / Webinar
byIngenico Group
 
Bulk Payments and the DFS Ecosystem
byITU
 
API is the New Black for FinTech & Financial Institutions
byElias Gagas
 
Trends and Activities of Fintech Companies in Europe - Q42016 - Indalytics Ad...
byIndalytics Advisors
 
Suggestions to improve European Online Payments Regulation - CleverAdvice
byCleverAdvice
 
How many different subtypes of FinTech do we actually have?
byMichalGromek
 
STOCKHOLM FINTECH REPORT - SSE / Stockholm Business Region
byMichalGromek
 
E commerce Company ROI
byBurke Gibson
 
Distributed ledger technology in payments clearing and settlement - blockchai...
byIan Beckett
 
use of camera
byaamina24
 

Similar to Secure and Compliant Data Management in FinTech Applications

PPTX
A practical data privacy and security approach to ffiec, gdpr and ccpa
byUlf Mattsson
 
PDF
GDPR: The Application Security Twist
bySecurity Innovation
 
PDF
Flight East 2018 Presentation–Data Breaches and the Law
bySynopsys Software Integrity Group
 
PDF
Emerging Trends in Information Security and Privacy
bylgcdcpas
 
PDF
GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing,...
byAlan McSweeney
 
PDF
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
bybhalasz
 
PDF
Fintech Cyber Security Survey Hong Knog 2018
byEntersoft Security
 
PDF
Open Banking / PSD2 & GDPR Regulations and How They Are Changing Fraud & Fina...
byIdan Tohami
 
PDF
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
byPGConf APAC
 
PDF
Data security in the age of GDPR – most common data security problems
byExove
 
PPTX
Evolving regulations are changing the way we think about tools and technology
byUlf Mattsson
 
PPTX
Your data is your business: Secure it or Lose it!
byPerformance Tuning Corporation
 
PDF
delphix-ebook-using-data-effectively-compliance-banking-1
byJes Breslaw
 
PDF
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
byBlack Duck by Synopsys
 
PPTX
Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's...
bysaastr
 
PDF
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
PPTX
WP Helsinki Meetup - GDPR for devs
byTiia Rantanen
 
PDF
GDPR for Non-European Region - Financial Services EL
byEugene Lee
 
PPTX
What i learned at the infosecurity isaca north america expo and conference 2019
byUlf Mattsson
 
PDF
The growing mandatory requirements to protect data- secure PostgreSQL
byRajni Baliyan
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
byUlf Mattsson
 
GDPR: The Application Security Twist
bySecurity Innovation
 
Flight East 2018 Presentation–Data Breaches and the Law
bySynopsys Software Integrity Group
 
Emerging Trends in Information Security and Privacy
bylgcdcpas
 
GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing,...
byAlan McSweeney
 
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
bybhalasz
 
Fintech Cyber Security Survey Hong Knog 2018
byEntersoft Security
 
Open Banking / PSD2 & GDPR Regulations and How They Are Changing Fraud & Fina...
byIdan Tohami
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
byPGConf APAC
 
Data security in the age of GDPR – most common data security problems
byExove
 
Evolving regulations are changing the way we think about tools and technology
byUlf Mattsson
 
Your data is your business: Secure it or Lose it!
byPerformance Tuning Corporation
 
delphix-ebook-using-data-effectively-compliance-banking-1
byJes Breslaw
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
byBlack Duck by Synopsys
 
Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's...
bysaastr
 
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
WP Helsinki Meetup - GDPR for devs
byTiia Rantanen
 
GDPR for Non-European Region - Financial Services EL
byEugene Lee
 
What i learned at the infosecurity isaca north america expo and conference 2019
byUlf Mattsson
 
The growing mandatory requirements to protect data- secure PostgreSQL
byRajni Baliyan
 

More from Lionel Briand

PDF
Precise and Complete Requirements? An Elusive Goal
byLionel Briand
 
PDF
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
byLionel Briand
 
PDF
Metamorphic Testing for Web System Security
byLionel Briand
 
PDF
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
byLionel Briand
 
PDF
Large Language Models for Test Case Evolution and Repair
byLionel Briand
 
PDF
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
byLionel Briand
 
PDF
Automated Testing and Safety Analysis of Deep Neural Networks
byLionel Briand
 
PDF
Automated Test Case Repair Using Language Models
byLionel Briand
 
PDF
Revisiting the Notion of Diversity in Software Testing
byLionel Briand
 
PDF
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
byLionel Briand
 
PDF
LTM: Scalable and Black-box Similarity-based Test Suite Minimization based on...
byLionel Briand
 
PDF
TEASMA: A Practical Methodology for Test Adequacy Assessment of Deep Neural N...
byLionel Briand
 
PDF
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
byLionel Briand
 
PDF
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
byLionel Briand
 
PDF
Data-driven Mutation Analysis for Cyber-Physical Systems
byLionel Briand
 
PDF
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
byLionel Briand
 
PDF
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
byLionel Briand
 
PDF
PRINS: Scalable Model Inference for Component-based System Logs
byLionel Briand
 
PDF
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
byLionel Briand
 
PDF
Fuzzing for CPS Mutation Testing
byLionel Briand
 
Precise and Complete Requirements? An Elusive Goal
byLionel Briand
 
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
byLionel Briand
 
Metamorphic Testing for Web System Security
byLionel Briand
 
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
byLionel Briand
 
Large Language Models for Test Case Evolution and Repair
byLionel Briand
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
byLionel Briand
 
Automated Testing and Safety Analysis of Deep Neural Networks
byLionel Briand
 
Automated Test Case Repair Using Language Models
byLionel Briand
 
Revisiting the Notion of Diversity in Software Testing
byLionel Briand
 
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
byLionel Briand
 
LTM: Scalable and Black-box Similarity-based Test Suite Minimization based on...
byLionel Briand
 
TEASMA: A Practical Methodology for Test Adequacy Assessment of Deep Neural N...
byLionel Briand
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
byLionel Briand
 
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
byLionel Briand
 
Data-driven Mutation Analysis for Cyber-Physical Systems
byLionel Briand
 
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
byLionel Briand
 
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
byLionel Briand
 
PRINS: Scalable Model Inference for Component-based System Logs
byLionel Briand
 
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
byLionel Briand
 
Fuzzing for CPS Mutation Testing
byLionel Briand
 

Recently uploaded

PPTX
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
PPTX
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PDF
Licensing for Software-as-a-Service (SaaS)
byteam-WIBU
 
PDF
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PDF
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PPTX
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
PPTX
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
PDF
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
The OpenChain China Mini-Summit at COSCON 2025
byShane Coughlan
 
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
Licensing for Software-as-a-Service (SaaS)
byteam-WIBU
 
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
application security presentation 2 by harman
byharmanideapad
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 

Secure and Compliant Data Management in FinTech Applications

  • 1.
    .lusoftware verification &validation VVS Secure and Compliant Data Management in FinTech Applications Prof. Lionel Briand, FNR PEARL Chair UL 3X3 FinTech lecture series, February 10th, 2017
  • 2.
    FinTech @ SnTCentre • SnT: Luxembourg’s center on ICT Security, reliability and Trust • > 260 staff members • 31 partners • FinTech: One of SnT’s priorities • Increasing momentum: 5 FinTech partners, 7 projects, 2 laboratories 2 Alphonse Weicker Foundation
  • 3.
    Software Verification and Validation@ SnT 3 • Group established in 2012 (FNR PEARL) • Focus: Ensuring reliability and security of IT systems through automated, cost-effective V&V solutions, e.g., testing • ERC Advanced Grant • ~ 25 staff members • Industry partnerships
  • 4.
    Objectives • Create awarenessabout the challenges and solutions for ensuring secure and compliant data management in FinTech applications • Motivate the need for research and innovation • Non-technical presentation • Not meant to be a complete treatment of the subject matter 4
  • 5.
  • 6.
    6 Not Just aboutthe B Word
  • 7.
    FinTech: State ofPlay • $14.5 billion globally in venture capital in 2015, from $7.3 billion in 2014 • FinTech companies are proliferating • Wide range of solutions that promise to impact nearly everyone • Dramatically broaden the reach, flexibility, and level of innovation of financial services • Key challenge: Cybersecurity • Risks: Financial losses, undermine confidence, lower adoption 7
  • 8.
    Cybersecurity: Risk Factors •“All that matters is to get to market fast” mentality • Growing mismatch between technology and regulations • Dilemma: Consumer protection versus the agility of the innovation ecosystem 8
  • 9.
    Cybersecurity: Risk Factors •Reliance on machine learning and big data complicates the picture regarding cybersecurity – unintended biases in system behavior • Many new “customers” with little knowledge of security risks • More interfaces between traditional financial services and FinTech applications 9
  • 10.
    Did I manageto worry you? 10
  • 11.
    How Secure isour Data?
  • 12.
  • 13.
    JPMorgan Chase DataBreach (2014) 13 • Compromised over 83 million accounts - 76 million households and 7 million small businesses • Also, targeted 9 other major financial institutions alongside JPMorgan Chase
  • 14.
    UK’s Tesco BankHack in Nov 2016 14 • Biggest cyber attack in the history of British banking • £2.5 million stolen from accounts of 9000 customers • Approximately 40,000 Tesco Bank accounts were compromised • The fine could be as much as £2 billion pounds under the GDPR rules.
  • 15.
    Some Statistics aboutCybersecurity 15 Source: IBM Security - data from worldwide organisations having between 1,000 and 5,000 employees Incident rates by industries
  • 16.
    Financial Impact ofData Breaches 16 • Study of 383 companies in 12 countries • $4 million is the average total cost of a data breach • 29% increase in total cost of data breach since 2013 • $158 is the average cost per lost or stolen record • 15% increase in per capita cost since 2013
  • 17.
    Are FinTech Applications Different? •Most FinTech applications are web applications or services, possibly with a mobile front end – they are subject to the same security challenges as many other systems • FinTech applications handle sensitive data and perform business-critical operations • For now transactions are relatively limited, but risk factors are even more acute than in traditional financial services 17
  • 18.
  • 19.
    19 42 incidents reported Maincategories: Server breach, application vulnerabilities
  • 20.
    20 Vulnerability: Database injection Consequence:Data breach Conclusion: “This incident prompted us to reassess the viability of running coinwallet.co and it was decided it is just not viable taking into consideration the risk, costs and time involved.”
  • 21.
    Summary • FinTech applicationshandle sensitive user and corporate data • Data breaches can ruin a FinTech company’s reputation and lead to significant financial damages and legal problems • FinTech applications must be secure from a data management point of view • Regulations are becoming more stringent, including the GDPR European legislation on data privacy 21
  • 22.
    Secure data managementcannot be ensured during development • Root causes • time to market pressures, • lack of disciplined programming, • third-party solutions (services, components). 22
  • 23.
    Consequences • Many applicationshave problems with • incomplete or improper security requirements, • inadequate security architecture, • implementation flaws, • lack of systematic and effective testing, • … 23
  • 24.
  • 25.
    Compliance 25 Regulations for FinTechdomains microfinance, crowdfunding, cashless payment, cryptocurrencies, … Regulations & Standards for FinTech IT Systems primarily concerned with data protection and privacy
  • 26.
    Example from PaymentServices • PSD2: Payment Services Directive (EU directive) • “In order to improve the efficiency of payments throughout the Union, all payment orders initiated by the payer and denominated in euro or the currency of a Member State whose currency is not the euro, including credit transfers and money remittances, should be subject to a maximum 1-day execution time. For all other payments, such as payments initiated by or through a payee, including direct debits and card payments, in the absence of an explicit agreement between the payment service provider and the payer setting a longer execution time, the same 1-day execution time should apply.” 26 Logo (vertical) Positive versions “standard” The European Commission logo exists in 6 versions (positive and negative CMYK, Reflex Blue and black & white), all of which are available in 6 different formats (ai, eps, jpg, png, tiff and pdf). All these formats are available on the Visual Identity Page: http://www.cc.cec/dgintranet/ comm/visual_identity/index_ en.htm CMYK – for full-colour printing Pantone EC Corporate Blue – for 1-colour printing Black – for black & white printing The standard logo is the main logo of the European Commission and, as a general rule, should appear top centred on all communication material, documents and products unless there is a special reason not to substitute the standard logo with the horizontal or mute variation. 12
  • 27.
    Security and Privacy •Security certification • On a voluntary basis • Business advantage • Laws and regulations • Compliance is mandatory • Luxembourg’s implementation of EU Directive 95/46/EC • General Data Protection Regulation (GDPR) 27 27018
  • 28.
    28 • Sweeping powersfor national data protection agencies • Fines of up to 4% of annual turnover for major breaches • Major new requirements, including: • Reporting major data breaches within 72h • Privacy by design • Client’s right to be forgotten • Verified technical and organizational measures necessary for demonstrating security GDPR
  • 29.
    Industry Security Standards •Payment Card Industry Data Security Standard (PCI DSS) • Proprietary information and security standard for organizations that handle branded credit cards • Increase control on credit card data and reduce credit card fraud • Annual validation of compliance by Qualified Security Assessors 29
  • 30.
    OWASP • Open WebApplication Security Project (OWASP) • Share relevant software security information and good practices • https://www.owasp.org/ 30
  • 31.
    Compliance is Complexand Expensive 31 Laws, regulations and standards are textual.They need to be interpreted and adapted to context Multiple stakeholders are involved in the compliance and auditing chain The volume of evidence required for demonstrating compliance is very large Compliance arguments need to be assessed in a credible manner and based on evidence
  • 32.
  • 33.
    Compliance to SafetyStandards • Safety-critical systems have been subject to safety certification for several decades • Rigorous compliance assessment is common practice for safety • The level of rigor is very likely to extend to data protection and privacy in future years • Existing work on safety certification can be a major source of experience and inspiration 33
  • 34.
  • 35.
    Example Model 35 Subject MatterExpert GDPRInterpretation Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎ Constraint: Undercertain circumstances, an establishment is obligated to designate a DPO
  • 36.
    Assessor Controller /Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
  • 37.
    Assessor Controller /Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
  • 38.
    Assessor Controller /Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
  • 39.
    Assessor Controller /Processor Specialized checklists, plans, progress measures, agreements, etc. Schema for evidence Evidence repository Compliance Results basis for Evidence Requirements Elaboration Compliance Analysis Model of the standard or regulation Aid to understanding and communication Means for collaboration between actors Creation of evidence repositories Computer-assisted compliance analysis Learning from the Safety Critical Domain Size Establishment erasePersonalData() Controller Processor Subject Data Protection Officer (DPO) designates ▶︎
  • 40.
  • 41.
    Penetration Testing • Apenetration test is an attack on a system to find vulnerabilities that an attacker could exploit • The intention is to find security weaknesses, leading to illegal access to functionality and data. 41
  • 42.
    Penetration Testing: SQL Injection 42 ClientDatabase Application Firewall SELECT * FROM customer WHERE col = custID Web Service
  • 43.
    Penetration Testing: SQL Injection 43 SELECT * FROM customer WHERE col = custID OR 1=1 OR 1 =1 Attacker Application Firewall Database Web Service name matricule credit card Emma SMITH 19961506123 12345678912457 Julia BETTEL 19901006321 ….. …. … …. Data leak!
  • 44.
    State of thePractice • Effort-intensive • Effectiveness depends on the competence of the consultants • Tools: Many false alarms and missed vulnerabilities • Does not scale 44 Security Consultants Security Scanners + WE NEED BETTER TEST AUTOMATION! Solution: Automated testing based on machine learning and optimization
  • 45.
    Automated Penetration Testing 45 •Attacks: • Inputs • XML • Access Requests Web Service • Breaches: • Unauthorized access • Compromised integrity • Denial of Service Maximize chances of finding exploitable vulnerabilities Automated Detection of security breaches and data leaks Machine learning
  • 46.
  • 47.
    Client Server Protocols 47 Example: PasswordAuthentication Protocol (PAP) Security Property: the server authenticates only the right client
  • 48.
    Protocols 48 Example: Password AuthenticationProtocol (PAP) Client ServerATTACKER Security Property Violation: the server authenticates the attacker
  • 49.
    Modeling and Verification Model 49 Model Checker Attack Found No Attack HTTPmessages and security properties The model checker is used to identify logical flaws in the protocol design
  • 50.
  • 51.
  • 52.
    Run-time Verification 52 “A techniquethat verifies, after the system is put in operation and is executing, the behavior observed in the system with respect to given properties”
  • 53.
    Example property I Messageorder and response time: “After every successful completion of a payment, if the payer does not cancel it within 60 seconds, the recipient will receive a confirmation message after at least 70 seconds but not later than 120 seconds” 53
  • 54.
    Example property II •Access control: “An employee with the role ‘junior financial analyst’ can access the ‘Derivatives Trading’ application only upon delegation from an employee with role ‘specialist financial analyst’ and within two hours from the delegation” 54
  • 55.
    Category of Properties •Regulatory business rules • Access control and data privacy • Provisions from standards and best practices • Service-level agreements 55
  • 56.
  • 57.
    Solutions 57 Language to express properties Algorithmto check them based on data Run-time Architecture to collect data
  • 58.
  • 59.
    Source code analysisto identify, locate, and fix potential security & privacy issues Security Audits: Definition 59
  • 60.
  • 61.
    Commercial Tools 61 •Many falsealarms •Miss some vulnerabilities •Overhead for security audit teams
  • 62.
  • 63.
    Vulnerability Prediction 63 Code Program analysis Codecharacteristics Machine learning Vulnerability predictor predicts
  • 64.
    How does oneget sufficient assurance about security data management and compliance with regulations? 64
  • 65.
    Overall Solution 65 Regulations, Standards Automated Compliance Analysis Data (organization,processes, technical activities) Security & Compliance Requirements Architecture & Design Code Auditing Risk-based Testing Penetration Testing Run-time Verification Development Validation Operation
  • 66.
    Additional Contacts • MikeSabetzadeh, Ph.D.: Regulatory compliance, security requirements • Domenico Bianculli, Ph.D.: Source code auditing, run-time monitoring and verification • Annibale Panichella, Ph.D.: Automated security testing • Karl Johannesson: Project partnerships 66
  • 67.
    .lusoftware verification &validation VVS Secure and Compliant Data Management in FinTech Applications Prof. Lionel Briand, FNR PEARL Chair UL 3X3 FinTech lecture series, February 10th, 2017