How Testing can save Financial Applications from the next HACK

On October 20, 2016, The Economic Times (Indian business daily) reported that ‘3.2 million debit cards may have been compromised in India’ as a result of a security breach. The breach allegedly originated at Hitachi Payment Services and enabled fraudsters to steal card information and, consequently, funds. Startling incidents like these further establish the need for testing in the Financial/Banking sector.

Experts have also identified malware that specifically infects point-of-sale (PoS) machines, promising hackers a higher rate of success, given that more people shop at retailers than visit an ATM. A similar retail breach was reported in 2013 in the US at the retail chain Target.

In 2013, data from up to 40 million credit and debit cards of shoppers at Target got stolen by hackers. This happened at the peak of the holiday shopping season. Financial Analysts and market research firms have used this data to decipher the levels at which the security of financial applications is compromised.

This further emphasizes the urgency of building a comprehensive Testing strategy for the financial/banking sector. Moreover, the overall strategy should be evaluated against current-day challenges and the malware probing these systems.

What does a financial software facilitate and why is it complex?

Financial software/applications are complex and are built around financial information management. The software can run as an independent application or be embedded into a financial information system (IS). Generally, financial software covers all aspects of personal or business finance and offers multiple features – basic financial data management, transactions, budget management, personal/corporate account management, and asset management.

Additionally, a Financial App offers multi-tier functionality to power numerous concurrent user sessions. For instance, a bank application operates alongside many other applications, such as a Bill Pay utility, trading accounts and business workflows, to support various transactions and interconnected activities.

It involves Batch Processing and Real-Time processing, where the transaction processor can be a large-capacity mainframe or a legacy system carrying out trillions of transactions per second. The resulting processes are what make financial applications complex overall.

Summing up, the following are the characteristics of financial applications that a robust Testing strategy must address:

  • Multi-layered functionality to manage concurrent user sessions
  • Large scale integration for multiple activities
  • Real Time and Batch processing
  • Higher rate of transactions per second
  • Detailed reporting to track each activity
  • Strict auditing to handle customer issues
  • Disaster Management mechanism/robust back-up plan
  • Extensive storage system

Multi-layered interactions of a Banking application may involve:

  • End users interacting with the Web Server via a browser
  • Middle tier software that authenticates the input and output for Web Server
  • Database that stores data and processes
  • Transaction Processor to conduct several transactions per second

What are the essentials to consider while testing financial/banking applications?

Security Testing

With reference to customer/user experience and secure interface, security testing ranks high. Traditionally, security testing is considered towards the end of the testing cycle. However, with new-age challenges and malware infecting the financial domain, Security testing has come to the forefront.

With millions of transactions happening every second, stability and robustness of the financial app is absolutely critical. A single security breach can have a long-term impact on the overall sector, eroding the credibility of the whole system.

Additionally, integration with third-party applications, emerging digital commerce platforms, complex workflows, and the growing nexus between Social Media and mobile platforms are making financial apps vulnerable to threats from many sources and in many ways.

So, protection of financial data from malicious attacks is imperative to prevent loss of credibility and recurring financial loss. Despite the rising number of security-boosting products in the market, there are growing incidents of security breaches. Security testing helps make your applications robust and secure against the market's challenges. It helps fight the rising and emerging vulnerabilities in the environment.

Security Testing is one of the major steps in the overall Application Testing Cycle. It ensures that the application complies with Federal and Industry standards and gets rid of web vulnerabilities that can expose critical data to a hacker or malicious attacker.

Performance Testing

What if the mobile banking application installed on your device refuses to integrate with your insurance provider, resulting in failure and delay in premium payment? Yes, this could be disappointing and inconvenient for a user.

This drives the need for performance testing applications to boost and ensure customer satisfaction. With financial services institutions constantly expanding across segments and markets, it is important to ensure that the application used by the end customer can take the load and ensure the desired outcome.

Performance Testing/Engineering can help predict, test, and handle loads during critical situations to avoid breakdowns. Further, it ensures performance, scalability, resilience, and reliability of the application. Today, financial institutions are venturing into the marketplace with complex applications that require rapid application development cycles.

At the same time, it is important to ensure that the quality of the application is not compromised. Performance Testing brings all this together:

  • It helps monitor and report activities
  • Boosts productivity
  • Brings down the costs resulting from defects
  • Cuts down-time and ensures customer satisfaction

Functional Testing

Functional testing involves Application testing, System integration testing, Regression testing, and User Acceptance Testing. Banking software/applications deal with sensitive financial data and perform complex calculations in the background that involve money transfers and highly sensitive data. So, it is important to execute end-to-end functional testing of the application.

What does Functional Testing of banking/financial applications entail?

  • Test cases: This involves listing down the functional requirements, where every business scenario involves a few positive and negative test cases.
  • Verification of test cases: This involves verification of the elaborated test cases in line with the business scenarios, ensuring that every business scenario is covered.
  • Executing functional tests: Executing the tests requires basic knowledge of finance and accounting; either manual or automated testing is put to work.
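An added example of the positive/negative test-case idea above (not code from the original post): a minimal fund-transfer rule set for a banking application, with the test matrix one "transfer funds" business scenario expands into. Account numbers, balances and the daily limit are constructed sample values.

```python
# Added example (not from the original post): a fund-transfer function with
# the business rules a bank test plan would state, and the positive and
# negative cases one business scenario expands into. All values constructed.
from dataclasses import dataclass
from decimal import Decimal

DAILY_LIMIT = Decimal("200000.00")   # assumed per-account daily transfer cap

@dataclass
class Account:
    number: str
    balance: Decimal
    frozen: bool = False
    transferred_today: Decimal = Decimal("0.00")

class TransferError(Exception):
    """Raised with a stable reason code so negative tests can assert on it."""

def transfer(src: Account, dst: Account, amount: Decimal) -> Decimal:
    """Move `amount` from src to dst; returns the new source balance."""
    # Each rule below is the negative test of one business scenario
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise TransferError("INVALID_AMOUNT")        # zero, negative, sub-cent
    if src.number == dst.number:
        raise TransferError("SAME_ACCOUNT")
    if src.frozen or dst.frozen:
        raise TransferError("ACCOUNT_FROZEN")
    if src.balance < amount:
        raise TransferError("INSUFFICIENT_FUNDS")
    if src.transferred_today + amount > DAILY_LIMIT:
        raise TransferError("DAILY_LIMIT_EXCEEDED")
    # Apply both legs only after every check passed (never a partial debit)
    src.balance -= amount
    dst.balance += amount
    src.transferred_today += amount
    return src.balance

def run_scenario(case: dict) -> str:
    """Execute one test case; returns 'OK' or the reason code raised."""
    src = Account("ACC-1001", Decimal(case["src_balance"]),
                  case.get("frozen", False), Decimal(case.get("sent_today", "0")))
    dst = Account(case.get("dst", "ACC-2002"), Decimal("0.00"))
    try:
        transfer(src, dst, Decimal(case["amount"]))
        return "OK"
    except TransferError as e:
        return str(e)

# Constructed test matrix for the "transfer funds" business scenario
CASES = {
    "positive_basic":     {"src_balance": "5000.00", "amount": "1200.50"},
    "negative_overdraw":  {"src_balance": "100.00", "amount": "100.01"},
    "negative_zero":      {"src_balance": "100.00", "amount": "0"},
    "negative_fraction":  {"src_balance": "100.00", "amount": "10.005"},
    "negative_same_acct": {"src_balance": "100.00", "amount": "1", "dst": "ACC-1001"},
    "negative_frozen":    {"src_balance": "100.00", "amount": "1", "frozen": True},
    "negative_daily_cap": {"src_balance": "900000.00", "amount": "1",
                           "sent_today": "200000.00"},
}

def run_all() -> dict:
    """Run the whole matrix; returns {case name: outcome}."""
    return {name: run_scenario(c) for name, c in CASES.items()}

if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:22s} -> {outcome}")
```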

At Gallop, we understand that Security of your applications is critical for your business and above all how critical it is for the overall financial services sector. One of the top automobile financing firms in the US partnered with Gallop’s Security Testing services to create hack-proof applications.

The core challenge and requirement of the client was to keep the applications secure. The client reached out to Gallop for penetration testing of their flagship web application. One of the major challenges was manual execution of security tests by complying with stringent timelines and regulations.

Focusing on the client’s business objective, Gallop experts executed extensive security assessment tests for the web application to identify security loopholes and vulnerabilities. Apart from the other important aspects of Security Testing, the team implemented custom execution methodology based on the application’s technology and business logic to accelerate manual security testing.

Apart from serving the client's business objective, the engagement saved the brand from collateral damage and fixed some major vulnerabilities. A thorough Security testing strategy further instilled added confidence amongst the end users.

The Gallop team has worked with acclaimed players in the sector and understands its intrinsic challenges. Our unique Managed Security Testing Services model combines a deep understanding of industry best practices with decade-long expertise in software testing services delivery. We collaborate with businesses in North America to identify vulnerabilities and fix them well ahead in the application test cycle.

With the world economy going through phases of evolution, challenges faced by the banking/financial services sector are endless. Connect with Gallop experts to build a comprehensive testing strategy to make your financial applications secure and reach out to your end users with confidence.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

Testing Banking & Financial Applications: Challenges, Trends, & Best Practices

“The most significant trend of 2016 will be the ‘platformification’ of banking” ~ Cornerstone Advisors

The Banking and Financial Services industry has been a forerunner in adapting and scaling up to changes as and when they happen in the IT world. It is, thus, no surprise that upcoming trends and digital initiatives like Mobile Wallets, P2P transfers, Ping Pay, Omni Channel Banking etc. indicate that Digital Transformation is the future of the BFSI Industry. As per Juniper Research, by 2017, more than 1B mobile subscribers (15% of global mobile subscribers) will be using mobile banking.

The Banking domain is replete with ever changing and cutting edge technology, with intricate functionalities intertwined into the applications. Being at the center of any commercial activity, it has a huge functional framework spread across Cards and Payment Gateways, Delivery Channels, Specialised service offerings such as Corporate Banking, Centralised Banking, etc.

Secure and smooth support for transactions, ease of access, and performance are vital for any banking application to succeed.

Challenges and Trends in the Banking Sector

  • Omni-channel Banking – With almost everyone getting hooked to the concept of anytime, anywhere banking, financial houses are trying to launch digital only banks – that is, banks without branches. Offering end-to-end functionality of a regular bank on the minimal and highly diverse front-end of a mobile poses a huge challenge.
  • Web Security, Regulatory & Compliance – Banking portals are usually major targets for hacking and fraudulent activities, which makes penetration testing a significant challenge. Regulation of Banks became even more critical after the 2008 Banking Crisis, as the improper functioning of a Bank has a big, negative impact on regular life. Today, banking institutions need to comply with international security standards such as BASEL III or BCBS 239 (addressing the systemic and operational risks of banks), FATCA and AML (keeping vigil on tax evasion and other illegal monetary transactions), SEPA (covering cross-border payment regulation), and PCI DSS; this makes testing of financial applications very important – and very challenging.
  • Performance Failures – Performance failures in banking portals can have a serious effect on daily life. Meeting the required performance levels involves taking into consideration the infrastructure, connectivity, and integration with the backend. The transaction spikes must be monitored at regular intervals and Stress and Load tests must also be regularly performed to ensure support for multiple transactions at any given point in time.

Some other IT trends already showing their impact and presence in the field of finance are Testing Center Of Excellence (TCOE), big data analytics, cloud, and virtualization. Even though these are not very pocket-friendly technologies to be maintained, they are here to stay and will continue to grow.

Additionally, some other commonly faced challenges in testing Internet Banking are:

  • Variety in internet connections and browsers
  • Usage paths
  • Usability testing
  • Security and Performance testing

And then there are specific challenges in Testing Mobile Banking Apps:

  • Broad range of devices
  • Configuration and design vulnerabilities
  • Security Testing
  • Time to Market

Best Practices

A few best practices that will help manage the aforesaid challenges in testing banking applications are:

  • A clearly defined, end-to-end testing methodology
  • Performing overall testing that encompasses all the requirements and workflows
  • Testing the application for performance, security, and functionality
  • Additional testing of the application for the UI, UX, integrity of Data, and support for multiple and concurrent users

Implementing the above-mentioned practices requires large investments, both in expenses and effort, and a trusted partner can help banks save a lot of money and time in addition to ensuring business continuity and protection.

The team at Gallop Solutions specializes in providing testing solutions to the banking and financial services sector. Register for an informative and thought provoking webinar on Apr 13, 11:00 AM EST to learn how you can benefit from the latest test strategies that are being laid out to help you succeed in the digital age to provide world class experience to Mobile Banking customers.

Avoid Financial Glitches with well-tested Integrated Trading Platforms

Integrated Trading Platforms (ITPs), equipped with advanced trading tools, provide opportunities to trade seamlessly in equities, currencies & commodities. These are multi-asset trading platforms which are trusted to provide reliable performance 24×7. Given the tremendous volume of concurrent transactions executed through these platforms, it is imperative that the system is stable & secure at its peak performance and is compatible with the user-device’s operating system and network carrier combinations.

An ITP is a perfect example of an intricate relationship between business and technology. Add the inclusion of Mobile initiatives and the ITP is a 24/7 financial activity enabler ‘on the go’. What sets the platform apart from other IT initiatives is the sheer scope of real-time data absorption and communication, with absolutely real implications for customers, companies and markets.

In addition to the technical experts and decision makers in the BFS verticals, this blogpost holds equal relevance to stock brokers, banks, financial regulators and most importantly, customers.

Get the ITP Security sanitized

While security is a compelling concern for any IT initiative, it is definitely a top priority business requirement for ITP which consolidates real time financial information and enables transactions in real time.

Security vulnerabilities which are inherent to the ITP tend to go undetected. Under certain scenarios at the external interfaces, these inherent vulnerabilities become active and pose a threat to security. In addition, access to the ITP from mobile devices makes it vulnerable to penetration from a wider range of devices and usage scenarios. And when IPOs are listed, ITPs receive many multiples of their regular concurrent load. Quality and stability then become significant differentiators for a greater buy-in for Integrated Trading Platforms.

Get the ITP’s Compatibility validated

An ITP exists across the mobile and desktop landscape and is expected to offer a consistent experience on the combination of devices used by customers. This makes compatibility a decisive factor in the acceptance of the platform, its usage, conversions and the consolidation of a wider customer base.

Get the ITP’s Performance assessed

On September 15, 2014, South Africa’s Johannesburg Stock Exchange experienced a system failure that caused a two-hour stoppage.

Source: JSE Stoppage – http://af.reuters.com/article/investingNews/idAFKBN0HA0IX2014091

Apart from the scheduled trade times, which vary with time zones and stock markets, most other features like information updates, estimates, previews, research reports and transfer options are functional 24×7. These characteristics of an ITP give rise to situations where concurrency in customer interactions can be expected 24×7. In case of incidents like a stock price rise or fall, the ITP not only needs to be real-time but also needs to sustain huge loads of buy-sell transactions.

Get the ITP’s functionality validated

In August 2012, a major trading firm roiled the prices of 140 stocks listed on the New York Stock Exchange. The cited reason was an unspecified technological breakdown.

Source: Nyse glitch halts markets – http://www.huffingtonpost.com/2012/08/01/new-york-stock-exchange-glitch-volatility-halted_n_1728549.html

The financial services of an ITP include transactions with an enormous combination of trade/purchase rules, brokerage charges per block of shares, percentage of rise/fall, etc. Thus the rule configuration and its communication is a decisive factor for all the stakeholders. In a way, every transaction needs to be supported by a reliable yet smart calculator that enforces the minimum as well as the maximum limits.
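As an added illustration of the rule-driven "calculator" described above (not the post's own code, and not any real exchange's rules): trade rules such as lot size, a percentage price band around a reference price, and a brokerage slab with a floor and a cap are held as configuration and checked before an order is priced. All asset classes, rule values and orders are constructed sample data.

```python
# Added example (not from the original post): rule-driven order validation
# and brokerage calculation for an ITP. Rule values are constructed.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed rule configuration; in a real ITP this comes from the rule
# engine / exchange master data, never from the client side
RULES = {
    "EQ": {"lot_size": 1, "price_band_pct": Decimal("10"),
           "brokerage_pct": Decimal("0.05"), "min_brokerage": Decimal("20.00"),
           "max_brokerage": Decimal("500.00"), "max_order_value": Decimal("5000000")},
    "FX": {"lot_size": 1000, "price_band_pct": Decimal("2"),
           "brokerage_pct": Decimal("0.01"), "min_brokerage": Decimal("5.00"),
           "max_brokerage": Decimal("100.00"), "max_order_value": Decimal("10000000")},
}

class OrderRejected(Exception):
    """Carries a stable reason code for the rejected order."""

def brokerage(rules: dict, order_value: Decimal) -> Decimal:
    """Percentage brokerage, floored at min_brokerage and capped at max_brokerage."""
    raw = order_value * rules["brokerage_pct"] / Decimal("100")
    fee = min(max(raw, rules["min_brokerage"]), rules["max_brokerage"])
    return fee.quantize(CENT, rounding=ROUND_HALF_UP)

def price_order(asset: str, qty: int, price: str, ref_price: str) -> dict:
    """Validate an order against its asset-class rules and return it priced."""
    rules = RULES[asset]
    px, ref = Decimal(price), Decimal(ref_price)
    if qty <= 0 or qty % rules["lot_size"] != 0:
        raise OrderRejected("LOT_SIZE")
    # Price band: reject orders outside +/- band% of the reference price
    band = ref * rules["price_band_pct"] / Decimal("100")
    if not (ref - band <= px <= ref + band):
        raise OrderRejected("PRICE_BAND")
    value = (px * qty).quantize(CENT, rounding=ROUND_HALF_UP)
    if value > rules["max_order_value"]:
        raise OrderRejected("MAX_ORDER_VALUE")
    fee = brokerage(rules, value)
    return {"asset": asset, "qty": qty, "value": value,
            "brokerage": fee, "total": value + fee}

def check_order(asset: str, qty: int, price: str, ref_price: str) -> str:
    """Convenience wrapper for test matrices: 'ACCEPTED' or the reason code."""
    try:
        price_order(asset, qty, price, ref_price)
        return "ACCEPTED"
    except OrderRejected as e:
        return str(e)

if __name__ == "__main__":
    print(price_order("EQ", 100, "250.00", "240.00"))      # brokerage floored to 20.00
    print(price_order("EQ", 10000, "300.00", "290.00"))    # brokerage capped at 500.00
    print(check_order("EQ", 100, "270.00", "240.00"))      # PRICE_BAND
```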

Get the ITP’s UI validated

An ITP enables transactions among customers and financial institutions: mutual fund subscriptions, purchases, sales, dividends, etc. The UI is the critical area, with input fields and execution options that keep the stakeholders engaged. Testing the web and mobile UI is crucial to ensure the ITP offers error-free digital interactions.

Get the ITP’s regression test automated

An ITP supports operations in the financial markets, which are highly volatile. The financial information is updated at real-time, daily, monthly, quarterly and annual intervals.

From rapidly fluctuating share prices to a 52 week performance, the list of stocks in profit/loss and activity, ITP has to make it conducive for the stakeholders to update and to stay updated 24/7.

Most surprise defects are introduced during updates to features, interface options or data management. This is why a regression test automation framework that leverages the right tool set and incorporates the emerging changes goes a long way in making the ITP stable, reliable and manageable.

Get the ITP tested

Despite “widespread anticipation that the Facebook IPO would be among the largest in history with huge numbers of investors participating, a design limitation in Nasdaq’s system to match IPO buy and sell orders caused disruptions to the Facebook IPO. Nasdaq then made a series of ill-fated decisions that led to the rules violations,” – SEC Statement on Nasdaq

Source: SEC Slaps fine in NASDAQ – http://www.cnbc.com/id/100736915#

In August 2013, a technical glitch in an internal computer system of Goldman Sachs (GS) caused the firm to issue incorrect equity options orders to various options exchanges.

Source: http://money.cnn.com/2013/08/21/investing/goldman-sachs-trading-glitch/index.html?iid=EL

The business scenario can be simplified into one application connecting multiple stakeholders, enabling multiple transactions and incorporating updates in real-time. The margin of error is expected to be reduced across all the processes and operations. Given the implications of defects in such a volatile environment, the ideal solution would be to make the ITP testable.

Testability increases the visibility of the defects in the platform before, during and after the scenarios are executed. This strengthens the risk mitigation strategies, accelerates testing and improves the precision of the remedial measures.

Testing Policy Administration Systems

Insurance is a policy guided, product specific, service oriented and inclusive vertical. Hence the business processes consolidate frequent updates, interactions, transactions and communication among groups of stakeholders ranging from agents, customers, marketing professionals and IT teams.

The increasing sophistication of the vertical, coupled with its reliance on IT, has given rise to different versions of PASs (Policy Administration Systems). A PAS is an application which enables an insurer to manage the end-to-end life cycle of insurance policies, from issuance of a Quote till renewal, suspension or lapse of the policy. Validation of a PAS includes policy holder details like address and age, additional policy holder eligibility rules, and verification of additional factors according to LOBs (Lines of Business) like Property & Casualty, Catastrophe Coverage and Speciality Lines Policies. Its key function is to carry out the complete policy life cycle, from the inactive state till Renewal.

The PAS ecosystem

The demands on the IT system are enormous because the applications include portals for the insurance carriers, agents, policy holders, potential customers and customer relationship executives. While it is evident that the application ecosystem is complicated, the requirements of underwriting profitability, estimate generation and rating engine make it even more challenging for an organization.

Since insurance is often mandated by governments and institutions, there exists an enormous population of bulk policy holders in addition to the individual customers. Ensuring connection among such a gigantic ecosystem of institutional insurance plans, individual policy holders and claims processing presents a formidable challenge much bigger than what can be imagined. A lot depends on the robustness of the software to handle millions of policies, plan sponsors, federal and state legislations, plan details and claim rules, concurrently, real-time.

The scope and impact of defects tends to increase with the coverage and expanse of the application. The defects can have a negative impact in terms of flawed transactions, a reduced customer base, miscommunicated policy information and compromised data integrity. A single decimal point shift can mean ten times the payment during claim settlement. Considering the tens of thousands of claims processed in a day, the business loss from a seemingly small defect can run into millions of dollars.
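The decimal-point shift mentioned above typically enters through batch files whose amount fields carry implied decimals. The following added example (not from the original post) parses a constructed fixed-width claim settlement record with an amount in minor units and reconciles the batch against a control total, which is the check that catches a ten-times error before any payment goes out. The record layout and sample records are constructed for illustration.

```python
# Added example (not from the original post): fixed-width claim record with an
# implied-two-decimal amount field, plus a batch control-total reconciliation.
from decimal import Decimal

# Constructed layout: claim id (cols 0-10) | policy no (10-22) | amount in
# minor units, zero-padded (22-34). Each record is exactly 34 characters.
FIELDS = (("claim_id", 0, 10), ("policy_no", 10, 22), ("amount_minor", 22, 34))
RECORD_LEN = 34

# Constructed sample batch: 1250.50 and 99.99 in major units
SAMPLE_RECORDS = [
    "CLM0000001POL000000001000000125050",
    "CLM0000002POL000000002000000009999",
]

def parse_claim(line: str) -> dict:
    """Parse one record, scaling the minor-unit amount exactly once."""
    if len(line) != RECORD_LEN:
        raise ValueError(f"bad record length {len(line)}")
    rec = {name: line[a:b].strip() for name, a, b in FIELDS}
    if not rec["amount_minor"].isdigit():
        raise ValueError("amount field is not numeric")
    # scaleb(-2) moves the decimal point two places with no rounding
    rec["amount"] = Decimal(rec["amount_minor"]).scaleb(-2)
    return rec

def buggy_total(lines) -> Decimal:
    """The classic defect: the minor-unit field treated as whole currency."""
    return sum(Decimal(line[22:34]) for line in lines)

def reconcile(lines, control_total: str) -> dict:
    """Sum parsed amounts and compare with the batch trailer's control total."""
    claims = [parse_claim(line) for line in lines]
    total = sum((c["amount"] for c in claims), Decimal("0.00"))
    return {"count": len(claims), "total": total,
            "balanced": total == Decimal(control_total)}

if __name__ == "__main__":
    print(reconcile(SAMPLE_RECORDS, "1350.49"))   # balanced: True
    print(buggy_total(SAMPLE_RECORDS))            # 135049, a 100x overpayment
```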

That is why Software Testing holds a high position in the PAS priority list.

A successful PAS demands Testing that incorporates business logic and encompasses the external interfaces as well as the most intricate parts of the IT system. To ensure comprehensive coverage and reduce defect density, it is crucial to incorporate the following components into the test strategy:

  • Portals: Producer, Prospect and Policy holder
  • Underwriting profitability – Underwriting and Rating engine
  • Servers: Product Server and Policy Server
  • Forms Management – Document Management – Access Control – Identity Management
  • UI Generator – Policy Admin UI – Product Admin UI
  • Service – Rating, Underwriting, Access Control, Policy, Form definition and selection
  • API – Authorization and Authentication for Access Control and Identity Management components, Rule execution and Document Access
  • Claim process, retention and cross sell opportunities

Testing Cloud based PASs

Testing a PAS in the context of a Cloud is important and equally challenging because it also includes the compliance of security and continuity to the financial institutions and regulatory authorities. Irrespective of the scope and extent of the coverage, it is crucial for a cloud based PAS to undergo the following:

  • Quote Validations
  • Binding Validations
  • Endorsements/Mid-Term Change Validations
  • Renewals Validations
  • Interfaces Validations
  • Validation of Daily Events and Quote Eligibility Rules
  • Inclusion criteria and Premium value for Catastrophe Coverage
  • Brokers, agents and distributor database
  • Quote-Bind-Issue workflow for multiple products for Speciality line Policies
  • Additional drivers, Vehicle Information, Driver and Vehicle history for P&C Policies
  • Custom overrides in Rating and Risk evaluation
  • Report extractions in MS Word and MS Excel formats

At a time when intuitive user interfaces are being deployed to ensure greater service with automated underwriting to ensure quote and bind in solo sessions, the health of the PAS depends on the security, performance and utility. When a single application can connect stakeholders, consolidate transactions and create an insurance cover for a geographically diverse user base, isn’t it important to ensure that the quality of the PAS is visible, measurable and actionable?
