Foreword – Security Testing Handbook for Banking Applications

In the last 20 years, the Internet has become the core
infrastructure for the vast majority of individual and
financial transactions and, as organisations migrate to what
is increasingly known as ‘cloud computing’, so
organisational dependence on secure Internet transacting
will increase.
Of course, as the global economy goes digital, the global
underworld follows suit. If money is stored on or moved
around the Internet, the averagely intelligent criminal will
migrate from physical (and often violent) crime to the more
sophisticated, less dangerous and less violent options
available online. The widespread growth in identity theft,
supported by epidemics of phishing and pharming attacks,
is just the most visible sign of this criminal migration from
the physical world to the digital one.
Commercial self-interest should drive financial
organisations to ensure that the applications that support
their online activity, and those of their customers, are robust
and secure. Oddly, it doesn’t seem to be an adequate driver
for increased online security.
As usual, regulators are stepping into the breach. All EU
countries, and many of their OECD trading partners now
have well-established data protection legislation, and this is
increasingly supported by fines and other non-financial
sanctions. Very substantial quantities of personal data are
collected and held electronically and, therefore, every data
controlling organisation has to ensure that its applications
are secure. Every US State now has some form of data
breach legislation, mandating specific actions required of
organisations if and when the security around personal data
they hold is breached, and these actions can have
significant costs and non-financial impacts.
The EU is discussing exactly such a directive to be extended across all its member states.
The Payment Card Industry Data Security Standard (PCI
DSS) mandates specific security controls for all merchants
that accept payment cards, whether online or offline. PCI
DSS contains specific requirements around application
security and application security testing. Of course, this is
particularly important for online shopping carts and
payment card applications. Compliance with PCI DSS is
beginning to be mandated by US State legislatures.
In the US, any company that regularly extends or merely
arranges for the extension of credit to individuals has to
comply with what are known as the ‘Red Flag Rules’ with
effect from 1 November 2008. These rules require
companies to take the possibility of identity theft seriously,
and to identify and ‘red flag’ specific forms of activity that
indicate the possible existence of identity theft. The Red
Flag Rules apply to a wide range of accounts, including
credit card accounts, mortgage loans, vehicle loans, margin
accounts, mobile phone accounts, utility accounts, and
cheque and savings accounts. Companies are required,
under this legislation, to take reasonable measures to ensure
the safety of sensitive consumer information. The Rules are
intended to ensure that organisations detect, prevent and
mitigate the risk of identity theft. None of this can be done
today without effective application security, and effective
application security is directly dependent on the
effectiveness with which it has been tested. This book could
therefore be seen as a manual for compliance with current
and future regulatory requirements; it could also be seen
simply as a practical and comprehensive guide to best
practice application security that should guide and support
every person involved in this field.

See the IT Governance Report: Data Breaches: Trends, Costs and Best Practices, available from
Alan Calder, Ely, February 2009