About the Authors – Security Testing Handbook for Banking Applications

ABOUT THE AUTHORS
Arvind Doraiswamy leads Paladion’s R&D team for
Application Security. Arvind has tested 100+ banking
applications and continuously refines the techniques used
by Paladion to improve the quality of testing. He also
contributes to the security testing database at
www.vulnerabilityassessment.co.uk.
Sangita Pakala is the Project Director for the Application
Security practice at Paladion. Sangita is the lead author of
the OWASP Application Security FAQ, and co-author of
Application Security in the ISO 27001 Environment from
ITGP. She has been invited to present at the RSA
Conference 2006 and ISACA Europe 2005.
Nilesh Kapoor is a Project Leader in Paladion’s
Application Security Testing team. Nilesh has tested 30+
applications including core banking applications, RTGS
and ATM systems.
Prashant Verma is a Project Leader in Paladion’s
Application Security Testing team. Prashant has tested 30+
applications including Internet banking, fraud monitoring
and teller automation applications.
Praveen Singh is a senior security engineer in Paladion’s
Application Security Testing team. Praveen has tested 30+
applications including payment systems, debit card
management systems, loan management applications and
core banking applications.
Raghu Nair is a senior security engineer in Paladion’s
Application Security Testing team. Raghu has tested 30+
applications including credit card management systems,
derivatives trading applications and core banking
applications.
Shalini Gupta is the Project Manager for Banking and
Finance at Paladion. She has tested 100+ banking
applications for security in the last three years. Her team
has tested 400+ banking applications for 30 banks in the
last seven years.
CONTENTS
Introduction ...................................................................... 12
The threat landscape ....................................................... 13
Defences employed ......................................................... 14
Goal of the book .............................................................. 16
Chapter 1: Approach to Security Testing ...................... 17
Preparing the threat profile ............................................. 19
Preparing the test plan ..................................................... 22
Chapter 2: Basic Tests and Techniques ......................... 26
SQL injection .................................................................. 27
Cross-site scripting (XSS) ............................................... 29
Cross-site request forgery (CSRF) .................................. 30
Directory brute forcing/Searching for defaults ............... 32
Weak authorisations ........................................................ 33
Weak session management ............................................. 35
Sensitive data in browser cache ...................................... 37
Over-reliance on client-side validation ........................... 38
Unencrypted traffic ......................................................... 39
Unhardened database ...................................................... 40
Weak password policies .................................................. 41
Poor error-handling mechanisms .................................... 42
Chapter 3: The Tools of the Trade ................................. 43
Web applications ............................................................. 43
Thick-client applications ................................................. 64
Terminal services applications ........................................ 75
Intercepting Java applets ................................................. 77
Embedded application ..................................................... 78
Web services application ................................................ 78
Mobile applications ......................................................... 80
Chapter 4: Security Testing Repository ........................ 82
Generic threat profile and test plan ................................. 83
Core banking ................................................................... 86
Internet banking .............................................................. 94
Web trading ................................................................... 105
Derivatives trading ........................................................ 110
Credit card payment management applications ............ 114
Debit card management system .................................... 119
Mutual funds management ............................................ 123
Loan management application ...................................... 127
Cheque management application .................................. 132
Overdraft calculator application ................................... 137
Adjustments and waivers application ........................... 141
Online remittance application ....................................... 145
Account opening tracker ............................................... 150
Back-office trading application ..................................... 153
Electronic payment switch ............................................ 156
Cash depositor ............................................................... 160
Teller automation machines .......................................... 163
ATM reconciler application .......................................... 168
Balance viewer terminals .............................................. 172
Customer care centre application .................................. 175
Interactive voice response system ................................. 178
Fraud detection software ............................................... 182
Chapter 5: Emerging Trends ........................................ 187
Emerging landscape of applications ............................. 187
New attacks on the horizon ........................................... 188
ITG Resources ................................................................ 190