Security Testing Handbook for Banking Applications

ARVIND DORAISWAMY
SANGITA PAKALA
NILESH KAPOOR
PRASHANT VERMA
PRAVEEN SINGH
RAGHU NAIR
SHALINI GUPTA
Copyright Date: 2009
Published by: IT Governance Publishing
Pages: 191
Stable URL: http:/stable/j.ctt5hh5jh
    Book Description:

    Security Testing Handbook for Banking Applications is a specialised guide to testing a wide range of banking applications. The book is intended as a companion to security professionals, software developers and QA professionals who work with banking applications. It is a manual for meeting current and future regulatory compliance requirements; it may also be read simply as a practical and comprehensive guide to best-practice application security for everyone involved in this field.

    eISBN: 978-1-905356-83-6
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-7)
    Alan Calder

    In the last 20 years, the Internet has become the core infrastructure for the vast majority of individual and financial transactions and, as organisations migrate to what is increasingly known as ‘cloud computing’, so organisational dependence on secure Internet transacting will increase.

    Of course, as the global economy goes digital, the global underworld follows suit. If money is stored on or moved around the Internet, the averagely intelligent criminal will migrate from physical (and often violent) crime to the more sophisticated, less dangerous and less violent options available online. The widespread growth in identity theft, supported by epidemics of phishing...

  3. ABOUT THE AUTHORS
    (pp. 8-9)
  4. Table of Contents
    (pp. 10-11)
  5. INTRODUCTION
    (pp. 12-16)

    Banks have always attracted wealth and crime alike. There have been numerous bank robberies, cheque frauds, etc. Before computers, banks used to fight the threat by having strong physical security and robust processes. Today the threat to banks is even greater, despite constant progress and innovation by the banks, equally matched by the criminals.

    Most banking operations today have been computerised and all data is in electronic format. Banks and their branches are part of a huge network with sensitive data being sent back and forth electronically. A number of the applications used by banks are now online on the...

  6. CHAPTER 1: APPROACH TO SECURITY TESTING
    (pp. 17-25)

    We’ve seen how important banking applications are and the kind of threats they are faced with. The most effective approach to securing them would be to follow a secure development lifecycle and take care of security right from the design and code level. This would work for future applications; but what about the thousands of applications already in use? How do we secure them before an attacker gets to them? How can we predict an attacker’s actions? We can’t do this without becoming attackers ourselves. That’s what application penetration testing is all about – first (with the application owner’s formal, documented...

  7. CHAPTER 2: BASIC TESTS AND TECHNIQUES
    (pp. 26-42)

    Let’s quickly summarise the steps involved in conducting a penetration test:

    Understand the application.

    Prepare the threat profile.

    Prepare the test plan.

    Execute the test cases.

    Prepare the report.

    In the previous chapter, we discussed the first three steps. We saw how a systematic approach is followed to arrive at an exhaustive threat profile. We also discussed how a test plan is built – for each threat all possible attacks are listed. During the discussion, we came across a number of attack techniques like SQL injection, cross-site scripting, cross-site request forgery and variable manipulation. It’s time to take a closer look...

  8. CHAPTER 3: THE TOOLS OF THE TRADE
    (pp. 43-81)

    Thus far, we have seen how to create threat profiles, create test plans and construct test cases. The actual testing is a combination of manual testing techniques and automated scanners. In this chapter, we’ll look at the tools used for testing applications. As different types of applications require different types of tools to test, we look at tools for several popular categories of applications:

    web applications

    thick clients

    terminal services

    Java applets

    web services

    embedded systems

    mobile/cell phones.

    The emphasis is on tools for web applications and thick client applications as they form the largest part of the applications today....

  9. CHAPTER 4: SECURITY TESTING REPOSITORY
    (pp. 82-186)

    In this chapter, we review the basic features of the most common banking applications and create their threat profiles and test plans. The applications we dissect are:

    core banking

    Internet banking

    web trading

    derivatives trading

    credit card payment management applications

    debit card management system

    mutual funds management

    loan management application

    cheque management application

    overdraft calculator

    adjustments and waivers application

    online remittance application

    account opening tracker

    trading back office application

    electronic payment switch

    cash depositor

    teller automation machines

    ATM reconciler application

    balance viewer terminals

    customer care centre application

    interactive voice response systems

    fraud detection software

    Before we create threat profiles and...

  10. CHAPTER 5: EMERGING TRENDS
    (pp. 187-189)

    As more economic activity is performed over interconnected networks, the sophistication of applications is increasing; at the same time, attacks are also increasing in sophistication.

    Traditional Internet applications are getting a facelift today with rich Internet applications. Commonly known as ‘Web 2.0’ applications, these applications support a rich browser-based interface using JavaScript libraries in the browser. These applications (also called Ajax applications – asynchronous JavaScript and XML – to show their foundation in JavaScript libraries) allow incremental page updates, and user interface features commonly associated with thick-client applications.

    Web 2.0 applications also enable greater interactivity between users and applications. Applications themselves may...

  11. ITG RESOURCES
    (pp. 190-191)