How Testing can save Financial Applications from the next HACK

On October 20, 2016, The Economic Times (an Indian business daily) reported that ‘3.2 million debit cards may have been compromised in India’ as a result of a security breach. The breach allegedly originated in Hitachi Payment Services and enabled fraudsters to steal information and, consequently, funds. Startling incidents like these further establish the need for testing in the financial/banking sector.

Experts have also identified malware that specifically infects point-of-sale (PoS) machines, promising attackers a higher rate of success, considering that more people shop at retail outlets than visit an ATM. A similar retail breach was reported in 2013 in the US at the retail chain Target.

In 2013, data from up to 40 million credit and debit cards of Target shoppers was stolen by hackers, at the peak of the holiday shopping season. Financial analysts and market research firms have used this data to gauge the levels at which the security of financial applications is compromised.

This further emphasizes the urgency of building a comprehensive testing strategy for the financial/banking sector, and of evaluating the overall strategy against current-day challenges and probing malware.

What does a financial software facilitate and why is it complex?

Financial software/applications are complex and are built around financial information management. The software can run as an independent application or be embedded into a financial information system (IS). Generally, financial software incorporates all aspects of personal or business finance to offer multiple features: basic financial data management, transactions, budget management, personal/corporate account management, and asset management.

Additionally, a financial app offers multi-tier functionality to power numerous concurrent user sessions. For instance, a bank application operates alongside many other applications, such as a bill-pay utility, trading accounts and business workflows, to support various transactions and interconnected activities.

It involves batch processing and real-time processing, where the transaction processor can be a large-capacity mainframe or a legacy system carrying out trillions of transactions per second. These processes are what make financial applications complex overall.

Summing up, the following are the characteristics that a robust testing strategy must account for:

  • Multi-layered functionality to manage concurrent user sessions
  • Large scale integration for multiple activities
  • Real Time and Batch processing
  • Higher rate of transactions per second
  • Detailed reporting to track each activity
  • Strict auditing to handle customer issues
  • Disaster Management mechanism/robust back-up plan
  • Extensive storage system

Multi-layered interactions of a Banking application may involve:

  • End users interacting with the web server via a browser
  • Middle-tier software that authenticates the input and output of the web server
  • A database that stores data and runs stored processes
  • A transaction processor that conducts several transactions per second

What are the essentials to consider while testing financial/banking applications?

Security Testing

With reference to customer/user experience and a secure interface, security testing ranks high. Traditionally, security testing is considered towards the end of the testing cycle. However, with new-age challenges and malware infecting the financial domain, security testing has come to the forefront.

With millions of transactions happening every second, the stability and robustness of the financial app is absolutely critical. A single security breach can have a long-term impact on the overall sector, as the credibility of the whole system is lost.

Additionally, integration with third-party applications, emerging digital commerce platforms, complex workflows, and the growing nexus between social media and mobile platforms is making financial apps vulnerable to threats from various sources and in various ways.

So, protection of financial data from malicious attacks is imperative to prevent loss of credibility and recurring financial loss. Despite the rising number of security-boosting products in the market, there are growing incidents of security breaches. Security testing helps make your applications robust and secure against the market’s challenges, and helps fight the rising and emerging vulnerabilities in the environment.

Security testing is one of the major steps in the overall application testing cycle. It ensures that the application complies with federal and industry standards and is rid of web vulnerabilities that could expose critical data to a hacker or malicious attacker.

Performance Testing

What if the mobile banking application installed on your device refuses to integrate with your insurance provider, resulting in failure and delay in premium payment? Yes, this could be disappointing and inconvenient for a user.

This drives the need for performance testing applications to boost and ensure customer satisfaction. With financial services institutions constantly expanding across segments and markets, it is important to ensure that the application used by the end customer can take the load and ensure the desired outcome.

Performance testing/engineering can help predict, test, and handle loads during critical situations to avoid breakdowns. Further, it ensures the performance, scalability, resilience, and reliability of the application. Today, financial institutions are venturing into the marketplace with complex applications that require rapid application development cycles.

At the same time, it is important to ensure that the quality of the application is not compromised. Performance Testing brings all this together:

  • It helps monitor and report activities
  • Boosts productivity
  • Brings down the costs resulting from defects
  • Cuts down-time and ensures customer satisfaction

Functional Testing

Functional testing involves application testing, system integration testing, regression testing, and user acceptance testing. Banking software/applications deal with sensitive financial data and perform complex calculations in the background that involve money transfers and highly sensitive data. So, it is important to execute end-to-end functional testing of the application.

What does Functional Testing of banking/financial applications entail?

  • Test cases: This involves listing the functional requirements, where every business scenario yields a few positive and negative test cases.
  • Verification of test cases: This involves verifying the elaborated test cases against the business scenarios, ensuring that every business scenario is covered.
  • Executing functional tests: Executing the tests requires basic knowledge of finance and accounting; either manual or automated testing is put to work.

At Gallop, we understand that the security of your applications is critical for your business and, above all, for the overall financial services sector. One of the top automobile financing firms in the US partnered with Gallop’s Security Testing services to create hack-proof applications.

The client’s core challenge and requirement was to keep its applications secure. The client reached out to Gallop for penetration testing of its flagship web application. One of the major challenges was the manual execution of security tests while complying with stringent timelines and regulations.

Focusing on the client’s business objective, Gallop experts executed extensive security assessment tests on the web application to identify security loopholes and vulnerabilities. Apart from the other important aspects of security testing, the team implemented a custom execution methodology based on the application’s technology and business logic to accelerate manual security testing.

Apart from serving the client’s business objective, the engagement saved the brand from collateral damage and fixed some major vulnerabilities. A thorough security testing strategy further instilled added confidence among end users.

The Gallop team has worked with acclaimed players in the sector and understands its intrinsic challenges. Our unique Managed Security Testing Services model combines a deep understanding of industry best practices with decade-long expertise in software testing services delivery. We collaborate with businesses in North America to identify vulnerabilities and fix them well ahead in the application test cycle.

With the world economy going through phases of evolution, challenges faced by the banking/financial services sector are endless. Connect with Gallop experts to build a comprehensive testing strategy to make your financial applications secure and reach out to your end users with confidence.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

Resilience is critical. How can Security Testing build it?

What is ‘Pegasus’?

On August 25, 2016, Apple rushed a security update to all iPhone users to prevent their handsets from being infected by the ‘Pegasus’ spyware. Experts consider ‘Pegasus’ by far the ‘most sophisticated’ software created to infect and spy on smartphones. The software was created by an Israeli company, the NSO Group, and was used to target Ahmed Mansoor, a prominent dissident in the United Arab Emirates.

This news and discovery is an absolute shocker not just for iPhone users, but for smartphone users around the globe and the overall cyber security world. It has raised eyebrows and called into question the security of the interfaces available on our mobile devices.

Let’s take the larger picture into perspective.

Economies around the world are going through phenomenal changes, resulting in political chaos. Technology is being unethically abused and exploited as a weapon in these modern-day wars. Vulnerabilities in technology and devices are on the rise, building up the ‘insecurity’ scare.

Is Security Testing an answer to determine and bring down the ‘vulnerability’ scare?

Yes, it could be an answer for some obvious reasons:

  • Security testing ensures that the application or software presents a secure interface. Practically, it checks the software/application for vulnerability to external attacks, such as hacking of the system or unauthorized login.
  • It ensures the integrity of the data at hand and at the same time checks the required functionality.
  • Security testing checks for information leakage and verifies protective mechanisms such as encryption, firewalls, and other security software.
  • It helps determine how the software/application can be salvaged in the event of a critical attack.

Essentially, Security testing covers a gamut of security testing concerns, namely, privacy, integrity, credibility, accessibility, and authorization.

The market for mobile applications is already booming and will see further growth in the times to come. Market forecasts estimate that, by 2017, over 268 billion app downloads and $77 billion in revenue will be grossed by the app market. With 46% of applications being paid for, the monetary health of the industry seems strong.

With apps being installed and used for a range of jobs and purposes, having a robust framework for security testing is indispensable. With reference to application security testing, experts have validated that interactive testing holds more relevance for assessing an application’s security.

Interactive Application Security Testing (IAST) operates differently from static and dynamic tools. While Dynamic Application Security Testing (DAST) solutions test the application from the outside in, exercising its external interfaces to identify security issues, Static Application Security Testing (SAST) solutions test from the inside out by checking the source code, byte code, or binaries.

IAST brings both ends together and covers the gaps left by DAST and SAST.

IAST works with information gathered from the application at runtime, covering data flow, control flow, libraries, and connections, in order to identify vulnerabilities effectively. This is the very reason interactive testing works so well for ensuring an application’s security.

Because the application is tested while it runs, IAST helps figure out how a situation can be salvaged if the application breaks down due to one of its vulnerabilities. In this way, IAST works towards anticipating situations of crisis and builds resilience.

A software security glitch can likewise lead to security lapses across any industry, not just the mobile devices/applications market. The impact of security lapses could multiply for highly sensitive sectors like defence, automobiles, and banking.

In 2013, Nissan recalled a set of vehicles to address an issue with airbag seat sensors. A similar recall was done in 2014, resulting in almost 1 million vehicles being recalled from the market. Further investigation revealed that the airbag issue was due to a software failure: the sensor was unable to recognize that an adult was seated in the passenger seat, so the airbag would not deploy in a crash. The issue could not be resolved and was listed among the worst software bugs of 2015. The case was further investigated by U.S. safety officials.

Such glitches create a sorry picture for globally acclaimed brands and can cause a serious fall for the business. On the whole, this can deal a massive blow to the brand’s credibility in the marketplace.

A range of robust security testing tools combined with a comprehensive testing strategy can empower enterprises/brands not only to identify the critical glitches within the software, but also to help the application/software rebound and recover crucial data.

Gallop has worked with enterprises and brands to address business-critical security challenges in their applications/software. With a key focus on network security, mobile application security, cloud application security, and source code review, Gallop’s 5-step security test lifecycle helps build your application’s security.

Detecting Software Security issues before Hackers Strike

In today’s connected IT world, the damage caused by an online security breach is well known. The brand and reputation of an enterprise are damaged if hackers gain access to corporate systems, and repairing the damage costs a lot of dollars. The consequences are similar for businesses that build embedded and mobile systems when their software is hacked.

The IT network is the path travelled by hackers to gain access to critical systems. Because of this, the general tendency has been to deploy security measures that detect and prevent breaches at the network level. Enterprises use firewalls in an attempt to restrict unauthorised access, and analytics is widely used to detect abnormal data usage, which can signal an attack. But many businesses don’t realize that if steps are taken much earlier in the process, preventing security breaches becomes easier as well as more cost effective. It starts with testing the software code that powers the business applications and embedded systems. Developing applications with secure software code helps an enterprise prevent attackers from accessing valuable data and also saves a lot of the money, time and effort otherwise spent on mitigation.

Security Starts with Developers

If security issues are addressed in the software development phase, it saves almost 80-90% of the cost and effort compared with dealing with the same issues in production. Hence, developers should be ideally positioned and equipped to protect the business from the heavy costs, bad publicity and customer dissatisfaction caused by a security breach.

Several government and industry organizations have also published standards aimed at achieving secure software code and mitigating the damage caused by security breaches. For example, the CERT Secure Coding Initiative works in collaboration with software developers and the organizations that develop software to reduce the vulnerabilities that result from coding errors introduced before deployment. Security Technical Implementation Guides (STIGs) contain technical guidance on locking down information systems and software that may be vulnerable to malicious computer attack.

The organizations behind these standards are well aware of the risks involved when hackers look for avenues and attack. For example, if the website of a retail giant is hacked and credit card details are exposed, it will make headlines globally, letters will have to be sent to those affected, and the retailer will have to compensate them. The banks will eventually have to replace the debit/credit cards to avoid future risk. All of this leads to the loss of a huge amount of money. If attackers target industries like automotive or oil and gas, the consequences may be even more severe, as they may lead to fatal accidents, explosions, and so on. Hence, the role of developers is of utmost importance: they must analyse potential security breaches during development and deploy methodologies to avoid them.

Prevention is the Best Medicine

Keeping enterprise software applications and embedded systems secure is like managing a person’s health by preventing infections and other diseases. The best way to avoid any security issue is prevention, and it is best if it starts early. Many times, software developers are clueless about how to develop more secure software and what approach to follow to achieve it.

The best practice for developing secure code is to educate and arm software development organizations with the right set of tools to help prevent threats/attacks. These tools may include static code analysers, which automate the detection of potential security vulnerabilities in source code and help identify where open source code is used in the software so that its vulnerabilities can be tracked and avoided. Using the right tools helps developers simplify the approach, shorten the duration and improve the process of detecting security threats in software and mitigating them easily.

Gallop can help you at every stage of the software development lifecycle to deliver a superior end product. Please contact our security testing specialists for a free assessment.

About the Author: Abhijeet Srivastava is an Associate Manager at Gallop Solutions. He is part of the Enterprise Solutions Group, which primarily helps convert leads to deals by devising the best solutions. He holds a B.Tech in Electronics & Communication Engineering from Sikkim Manipal Institute of Technology and a PGDM from TAPMI, Manipal. His core skills are business analysis, sales pitches, architecting solutions, building proposals, etc.

10 Critical Activities to Test Security of Mobile Applications

3G- and 4G-enabled smartphones are increasingly being used for accessing the Internet, for performing financial, business, and social transactions, and for media consumption. However, the safety of the data consumed by end users through apps distributed via mobile application stores poses a big security issue.

To add to this, Gartner predicts that almost 25% of organizations will launch their own apps by 2017.

While this will make creating new apps much more efficient, it may also become a feast for hackers, as they will have more to hack into. Only a full-fledged security-testing-enabled environment will save the apps (and the companies) from leaking a big load of personal data from mobiles.

In short – security of the apps will be vitally business-critical.

So, what can be done about this? What really is needed?

An app testing strategy that not only analyses the security risks involved in using an app on smartphones, but also supports eliminating them.

When man-in-the-middle (MITM) attackers target apps that communicate sensitive information and manipulate it for their benefit, strict SSL certificate validation* can mitigate the risk. However, this is easier said than done, as billions of app users connect over risky, untrusted networks, making them easy prey for MITM attacks.

All mobile apps fall in one of the following three main categories:

  • Native apps – These are written to run only on a specific platform and its supported devices. For example, an iOS app runs only on the iPhone.
  • Web applications – These are built using standards like HTML5 and can be accessed from any mobile device.
  • Hybrid applications – These apps usually have a layer of native application around a web-based user interface and provide the best of both worlds.

Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016 – for all the obvious reasons.

Mobile Security Testing Process – An Overview

Like everything else, security testing for apps needs a method to overcome the madness. Here are three basic steps suggested by experts in the field that must be performed to achieve the desired objective:

  1. Intelligence Gathering (gather as much information as possible about the app)
  2. Threat Modeling (identify threats for the app, whether specific or prepared)
  3. Vulnerability Analysis (identify vulnerabilities in the app using the previously created test cases, with dynamic methods such as passive network monitoring and analysis, runtime analysis of the communication between internal components (Android: Intents; iOS: objc_msgSend calls), and forensic methods such as timeline analysis)

Reference: Security Testing Guidelines for Mobile Apps by Florian Stahl & Johannes Ströher

10 critical activities to be performed to make apps secure

At a broad level, we need to test the following to ensure mobile app security: data leakage, data flow and storage, encryption, authentication, server-side controls, and points of entry.

Ten specific activities to be performed while testing the Security of Mobile Applications are:

  1. Automated security testing of mobile applications on multiple mobile devices across multiple platforms over diverse networks
  2. Use of a cloud-based mobile testing lab that allows uploading either download locations or the actual apps themselves for testing
  3. Performance of a huge variety of automated security tests to identify embedded spyware, viruses, Trojans, data privacy issues, data leakage, unsolicited network connections, etc.
  4. Dynamic analysis and testing of apps in labs that provide the required environment to verify security issues such as an insecure file system, insecure data transmission, unsafe data storage, privilege access violations, etc.
  5. Analysis of the results for each mobile application.
  6. Assessment of automated code that helps IT teams secure mobile apps in agile-based environments.
  7. Inspection of all features of the apps in real time in controlled environments, and comparison of the results against a plethora of known applications.
  8. Assessment of the apps using binary static analysis that exposes malicious capabilities and vulnerabilities such as information leakage.
  9. Assessment of whether or not an app has been built according to the particular compliance demands of your industry, as it is vital to follow the right standards for regulations and mandates.
  10. Last, but definitely very important, keep checking and testing for the new security threats that keep surfacing every so often.

Conclusion

To cover all the bases and ensure that effective testing is performed, a third-party organization with the right expertise can prove to be your best bet. At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool-agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.

* A study conducted in late 2012 established that almost 17% of the tested Android apps do not fully validate SSL certificates.

The Importance of changing QA mentality for Rich Internet Application (RIA) Security

Rich Internet Applications (RIAs) offer crisper, desktop-like UIs in comparison to traditional web apps. RIAs are built with frameworks such as Flash, Silverlight and Ajax that allow developers to create incredibly responsive apps. The user does not have to wait for long server calls, which results in a smooth user experience that makes the app look like a desktop app, but with the low memory burden of a regular web app.

In RIAs, much of the app processing takes place on the client device, so RIAs are faster because their code is mostly executed on the local machine. This takes a significant processing load off the server.

On the server, code processing eats into performance and slows down websites and apps, and bandwidth is needed for accepting requests and sending responses. Pushing these functions to the client device makes the server itself faster and more reliable.

But there is one problem with taking this road, and it concerns security.

Let’s go through this in greater detail.

The chief security concern is tampering with the app’s code while it executes. A hacker can pair a debugging utility with the web browser’s RIA element and manipulate the running code almost seamlessly. The code that runs on the client is not under the purview of the developer at all, and even the teams in the organization that own the code have no control over it.

The same debugging utilities can be used to completely alter the client-side logic. Statements can be skipped or executed in any order the hacker desires, variable values can be changed at the hacker’s whim, limits on input can be done away with entirely, and any other unwelcome change the hacker feels like making can be made. The owners of the code are helpless in such a scenario because the code executes on the client machine. To reiterate, the code running on the client cannot be checked by the teams who own it. They have no way to confirm that the code ran the way they intended, or even that the same code was executed at all.

The importance of QA and Concluding Thoughts

Executing business logic on the client tier would naturally tempt any coder because of its inherent performance advantages over the server. However, because of the security issues discussed above, doing so obviously entails enormous business risk.

Therefore, it is imperative that every QA plan for RIAs guarantees the absence of business logic (bank accounts, customer details, travel plans, loans, etc.) from client code, and that the client code consists only of presentation logic.

QA teams cannot, in this day and age, continue relying on web browsers as their only RIA testing platform. They now have little choice but to closely inspect the nitty-gritty details of the RIA client elements to make sure the code is entirely free of any hint of business logic. For JavaScript, this may require obtaining the external script source files. For Silverlight and Flash apps, the teams would need to decompile the DLL or SWF files.

All in all, QA teams must view source code and disassemblers as part of their professional responsibility. In prior eras, QA teams had little need for such activities while testing traditional web apps, but the presence of RIAs has greatly increased the range of responsibilities that organizations have to take on. They can’t just rely on simple manual app testing via web browsers.

Gallop has a decade of expertise in independent testing services, and its team is ahead of the curve in absorbing new technologies. It has developed new frameworks to deliver comprehensive, best-fit testing approaches for clients, and our QA teams are well equipped with testing knowledge of Rich Internet Application security.

How do you uncover Hidden Risks in Web App?

Businesses are increasingly concerned with the problem of infiltration of their apps by unauthorized persons. Every business, small or big, uses apps to provide better service to customers. When these apps are compromised by unauthorized code, the business loses credibility. How, then, can you protect your business apps from being compromised? The first step is to understand how and why apps are compromised.

Why are apps vulnerable?

First and foremost, the very nature of web code: HTML! HTML is a clear-text language that is visible to anyone visiting the site. Hackers can easily modify the code and add functionality that either behaves differently or obstructs existing functionality. Hackers can infiltrate code in the following ways:

  • Injection: The attacker injects malicious code into the web code. This malicious code is written to extract information from the client’s computer or device for unscrupulous use.
  • Cross Site Scripting (XSS): Here the hacker inserts a script into the code that runs on the client’s side. This script may extract information or provide misinformation in order to undermine competition.
  • Identity Theft: Here the attacker assumes the identity of the user and accesses important or sensitive data. The hacker can then use this data to cause inconvenience or loss to the user.
  • Direct Object Reference: This type of risk occurs when objects such as tables within a database are directly referenced in the URL. The hacker can use this reference to access related objects within the database.
  • Uuencoded or insecure cryptography: Sensitive data such as credit card information and bank details may be stolen by corrupt persons if it is stored, or travels over the internet, uuencoded or encoded in a simple, easy-to-break scheme.
  • Insufficient Layering: Applications that do not encrypt and decrypt data, authenticate users, or check certificates may be used by hackers to gather users’ personal data.

How to avoid these risks

The above list is by no means exhaustive, but it does cover some major areas of vulnerability. Programmers, developers, and web designers can counter these vulnerabilities by being aware of them and including code that looks out for malicious input.

Basic Security Practices for Web Applications:

  1. Applications use data entered into forms to access databases. If this data is validated before it reaches the database, injection attempts frequently come to light. Proper validation can also detect malicious scripts entered through the form.
  2. Coders must assume that any data entered by users is untrusted. All inputs must be validated before use. Checking type, length, format, and range are the common ways in which inputs are validated.
  3. Identity theft and broken authentication can be prevented by forcing a user to log in again even if they have not explicitly logged out. When a user logs in to a site, a session id is created. If this id is generated by a predictable formula, hackers can “steal” that identity and resend it to access client information. Generating random ids is the best way to avoid the risk of identity theft.
  4. Randomizing ids also mitigates attacks due to direct object reference. In fact, databases should never be accessed directly with user-entered data. Applications should validate and clean data before accessing databases.
  5. Most importantly, the infrastructure used to run applications, including hardware, software, OS and other components, must be secured.
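Practices 1 to 4 above in working form, as an added example that is not part of the original post: type/length/format/range validation of two form fields, a session id drawn from the OS random source rather than a predictable formula, and a parameterised database query. The field names, rules and the in-memory SQLite table are constructed for illustration.

```python
import re
import secrets
import sqlite3

# Constructed validation rules for two fields of a hypothetical transfer form:
# an account number and an amount. Each check maps to one of the four
# validations named above: type, length, format, range.
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")

def validate_account_number(raw):
    """Return the canonical account number or raise ValueError."""
    if not isinstance(raw, str):                       # type
        raise ValueError("account number must be a string")
    value = raw.strip()
    if not 8 <= len(value) <= 12:                      # length
        raise ValueError("account number length out of range")
    if not ACCOUNT_RE.fullmatch(value):                # format (digits only)
        raise ValueError("account number must be digits only")
    return value

def validate_amount(raw):
    """Return the transfer amount as an int or raise ValueError."""
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):  # type
        raise ValueError("amount must be a string or integer")
    try:
        amount = int(raw)
    except ValueError:
        raise ValueError("amount must be a whole number")
    if not 1 <= amount <= 100_000:                     # range
        raise ValueError("amount out of range")
    return amount

def is_valid_account_number(raw):
    """Boolean form of the check, handy for tests and quick filtering."""
    try:
        validate_account_number(raw)
        return True
    except ValueError:
        return False

def new_session_id():
    """Unpredictable session id: 256 bits from the OS CSPRNG, not a formula."""
    return secrets.token_urlsafe(32)

def lookup_balance(conn, account_number):
    """Parameterised query: the validated value is bound, never spliced into SQL text."""
    acct = validate_account_number(account_number)
    row = conn.execute("SELECT balance FROM accounts WHERE number = ?",
                       (acct,)).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed in-memory accounts table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("12345678", 500), ("87654321", 42)])
    return conn
```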

Need help? Gallop’s Security Testing services can provide you customized test methodology that focuses on both business logic and application security, while adhering to industry standard secure coding practices. Our security assessments are performed by Certified Ethical Hackers to provide a “Hacker’s eye-view” of the application.

Security Testing, Rich Internet Application, Quality Assurance

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

Integrating Security into Continuous Testing

All of us understand and accept the necessity to have adequate security testing for our applications. The question we will delve into here is “is it possible to automate security testing as part of an application’s continuous integration cycle? If so, what are the benefits of doing so?”

In an agile environment, it is common to have a continuous integration (CI) process in place to merge developer code into a common repository. Each code merge is then verified by an automated build process to detect code integration issues. CI makes the development process faster and drastically cuts down the time to market. But this rush does not bode well for security testing. It can leave vulnerabilities in the code undetected.

CI is a good point in the development cycle to detect security vulnerabilities in the new code as it gives the team the advantage of early detection and fixing of issues. Static code analysis tools and code evaluation tools like StyleCop can point out coding issues that can result in poor code security.

Three things to keep in mind while planning security testing

1. Decide what to look for

Security testing may cover a broad spectrum of vulnerabilities, not all of which can be included in the continuous integration cycle. It is better to focus on coding best practices from a security perspective and on detecting issues like broken authentication and authorization, data leakage, security misconfigurations, unvalidated redirects and forwards, invoking components with known vulnerabilities, etc.

2. Give separate attention to security tests

Do not combine security test cases with unit or functional tests. The objective of those tests is to discover functional issues, which does not do justice to the scope and intent of security testing. Instead, combining security testing with the continuous integration process as its own stage ensures the testing is more holistic and aimed at detecting security issues alone.

3. Automate tests

Automate security tests, wherever possible, and then integrate them into the CI pipeline to ensure they are done for each and every code merge without fail. There are many tools and scanners available that will look for commonly known vulnerabilities. Most of these tools allow integration to a CI tool like Jenkins. But be sure to choose the right tool for your application.

Security testing in the cloud:

While the cloud brings scalability and low operating costs, it also brings security concerns. One reason is that you don’t own the infrastructure. Another is a general lack of standards and defined processes for testing in the cloud, specifically in the public cloud.

With continuous security testing in the cloud, the focus could be more on threats related to authentication and authorization, fuzzing and social engineering. Your cloud-based application may communicate with your data center using API calls. Security testing should focus on restricting unauthorized access to this data.

Advantages of security testing as part of the continuous integration cycle

Below are the advantages of including security testing in the continuous integration process:

  • You get immediate feedback on any security issues in your code. Fixing these issues after more functionality has piled on is complex and costly
  • Security testing is automated, hence it is faster and more accurate. And since it is performed on every new piece of code, it ensures overall security of your system
  • Security testing does not get pushed to the end where it may get compromised due to lack of time. Instead, focus is on ensuring security right from the beginning
  • Security testing is repeatable, reliable and efficient.

Secure your applications with security testing from Gallop Solutions

Gallop’s security testing adheres to international standards like OWASP and the latest testing methodologies to guarantee the security of your applications. Contact us to know more on how we can help you with your security testing.



5 Ways to Build Mobile Apps that Users can Trust

Mobile apps have seen a steady rise in popularity with overall app usage up by 76% in 2014. The category of apps most popular among users are shopping apps and utility apps, both of which handle sensitive user data.

Increased usage of apps increases the risk of malicious attacks. A mobile app security report found that 97 of the top 100 paid Android apps and 87 of the top 100 paid iOS apps had been hacked. Among free apps, 80% of popular Android apps and 75% of popular iOS apps had been hacked.

An app that is easily subject to attacks cannot be expected to be popular among users! Here are a few ways you can ensure security for your app:

  1. Exercise caution while using borrowed code

In a rush to meet the requirements of an intensely competitive app market, app creators hurry to go to market in the shortest time possible. For this reason, many tend to use existing free code available on the web and customize it to reduce the hassle of building from scratch. Though there is nothing wrong in doing so, you need to be careful to ensure that there is no malicious code plugged into the code base you use. Preferably, use code only from third-party sources you can trust, which reduces the risk of malicious plugins. Care should be taken to do a full review of the code before use. The same applies to any third-party components your app uses at run time.

  2. Plan for security

Design your app to be as secure as possible. Critical information like login and credit card information, passwords, personal information should not reside directly on the device. And if they need to, they should be stored securely. Modern encryption algorithms can serve to secure such data.

Physically protecting the app by making it password protected, setting session time-outs and periodically erasing cached data also helps to protect data stored on the device. Session time-outs and passwords may be inconvenient to users and may decrease app popularity, but they are very useful in protecting user information in cases where the phone gets lost or stolen.

  3. Secure communications to server

Most apps, such as ecommerce, banking and other utility apps, link back to a server. Users may employ a variety of internet connections, secure and insecure, to use your app. Ensure the communication between the app and the server is always secure and the data transmitted is not vulnerable to attacks. Make use of encryption and SSL certificates to ensure data is not intercepted during transmission.

  4. Adequate security testing

While app developers spend a lot of time performing functional testing, security testing is often ignored or saved for the last where it gets compromised due to lack of time. Subject every aspect of your app to adequate security testing to discover hidden vulnerabilities and fix them before release. Limit access to crash and debug logs as these can expose crucial information to hackers.

  5. Release regular patches

Your responsibility towards keeping your app secure does not end with the release of the app. As hackers use new ways to launch attacks, you need to release periodic security updates to ensure your app does not have any security loopholes.

Insecure mobile apps can mean loss of trust, revenue loss, and brand damage. High risk apps that collect user information or use remote servers to handle data are more susceptible to attacks and hence more attention should be given to making these apps secure.

Mobile security testing from Gallop Solutions

At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market. View on-demand version of Joint Webinar on Mobile Testing with Xamarin today.


How safe is your mobile banking app?

Mobile banking brought about what is probably the biggest revolution in the banking industry so far – the convenience of ‘banking on the go’. With the spread of smartphones, mobile banking increased in popularity, so much so that IDC expects mobile payments to exceed 1 trillion by 2017. But with this convenience of anytime, anywhere banking came a host of security concerns. A study of banking apps last year revealed that almost 90% contained critical security issues.

Let us look at some of the common vulnerabilities oft-encountered in mobile banking apps:

1. Cross site scripting: This is the technique in which the app accepts a malicious piece of code as if it came from a trusted website. The malicious script allows attackers to get away with sensitive information, including user credentials.

2. Man in the middle attacks: If apps do not validate the authenticity of SSL certificates presented to them, they stand a good chance of being susceptible to MiTM attacks. In such attacks, the attacker intercepts client-server messages and transmits them after substituting his or her own keys in the exchange, so that the two legitimate parties still appear to be talking to each other.

3. SQL Injections: In this type of vulnerability, an attacker injects SQL commands in data entry fields to trick the application into delivering user specific data or seeding malicious data. The attacker can even alter or delete data leading to severe consequences.

4. Command Injections: Vulnerable apps are made to execute arbitrary commands on the host OS. This is made possible largely by insufficient input validation. When an application passes unsafe user-supplied data (from forms, cookies, etc.) to the operating system, an attacker may use it to execute commands with the privileges of the vulnerable app.

5. Vulnerable UIWebView implementation: An attacker may inject false HTML forms to trick users into entering their credentials and send it to a malicious site. The app is made to load the malicious site by passing the URL to the UIWebView object.

6. Information leakage: An app may inadvertently disclose sensitive data including user specific data and technical details of the application and environment. The reasons for this could be caching issues or improper storage of encrypted data including personally identifiable data and account or card related data.

7. Authentication and Authorization: The app may not adequately protect authentication information to avoid breach and replay of user login. This could be due to lack of strong encryption standards, password guidelines or feature and ACL enforcement.

8. Cross site request forgery: An attacker leverages an authenticated and active session to execute unauthorized commands. The app may be tricked into performing operations like transferring funds or changing the email id etc.
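The cross-site request forgery defence that item 8 implies, as an added example that is not code from the original post: a state-changing request is accepted only when it carries the token bound to the caller's own session, checked in constant time, with an Origin/Referer check as defence in depth. The in-memory session store and the site origin are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session id; a real app would
# use its session backend. Hypothetical origin of the banking site.
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"

def start_session(user):
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the app embeds in forms it renders; a foreign page cannot read it."""
    return SESSIONS[sid]["csrf"]

def _same_origin(origin):
    # Exact match or a path under it; "https://bank.example.evil.example" must not pass.
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")

def handle_transfer(sid, headers, form):
    """State-changing request: the session cookie alone is never enough."""
    session = SESSIONS.get(sid)
    if session is None:
        return ("reject", "no session")
    # A forged request from another site arrives with the victim's cookie
    # but with a foreign Origin (or Referer), so reject those first.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin):
        return ("reject", "cross-origin request")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return ("reject", "csrf token mismatch")
    return ("ok", f"{session['user']} transfers {form['amount']} to {form['to']}")
```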

So, what can you do as a mobile banking app user?

Most of the vulnerabilities mentioned above may be beyond your control but here are a few things you can do to protect your account and your personal information:

  • Lock your phone with a PIN or password instead of a pattern
  • Install App Lock in Android phones to protect app from unauthorized use
  • Avoid storing sensitive information on your phone
  • Do not download apps from untrusted sources
  • Opt for two-factor authentication for important transactions
  • Use security software to guard against spyware, malware and other malicious attacks

And as a business, how do you secure mobile apps?

Using automated scanning tools can help to detect flaws with accuracy. Over the last few years, Gallop has built a repository of security test cases and developed capabilities using both open source and commercial security testing tools. Gallop has also established Security Testing Center of Excellence which has enabled Gallop to provide cutting edge security testing services across industry domains, operating systems and devices. Speak to us at Gallop to know more about our expertise.

For more information on securing mobile apps, view recording of Gallop’s recent webinar on ‘Mobile Application Security Testing Right before your Eyes’.


Banking Application Security and Impact of PCI DSS Compliance

Over 1 Million people across the world become victims of cyber crime daily with crimes occurring at the rate of 12 per second. Alarmed? You have every reason to be.

Since the majority of data breaches relate to debit and credit cards, the PCI DSS standards were set in 2006 to strengthen information security and keep customer data secure.

What is PCI DSS?

PCI DSS – Payment Card Industry Data Security Standard – is the set of security standards administered by PCI Security Standards Council founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to safeguard debit and credit card data. Its scope covers data security management, security policies and procedures, network architecture and software design.

It suggests a continuing cycle of assessment (identifying vulnerabilities), remedy (fixing vulnerabilities) and reporting for all entities that store, process and transmit card data.

How does PCI DSS impact banking and banking applications?

PCI DSS has set stringent norms that banks need to follow diligently to stay compliant. Primary among them is the need to perform adequate security testing to ensure card holder data is never compromised.

  • Run controlled data breach attempts against the bank network on a regular basis to ensure network, end-point and web application security
  • Perform security testing to detect well-known vulnerabilities like SQL injection, OS command injection, cross-site scripting, broken authentication etc.
  • Test for the presence of authorized and unauthorized wireless access points on a quarterly basis
  • Perform penetration testing – white box and black box – on the network layer and application layer at least once a year or after a significant change has been made to the application
  • The scope of penetration testing is the cardholder data environment (CDE) plus the systems and networks connected to it (unless the bank has a segmented network in which the CDE is isolated from other systems)
  • Penetration testing should aim to identify all possible threats and vulnerabilities and try to exploit them to penetrate the system at both the application and network level
  • Issues identified should be corrected and re-tested until all chances of malicious activity are removed

Most financial organizations find it challenging to meet the rigorous testing requirements of PCI DSS. A Verizon study finds less than one-third of organizations were fully PCI compliant less than a year after validation. Failure to comply can have severe consequences in terms of loss of trust and credibility, not to mention a penalty of up to $50,000 a day. By 2018, Gartner expects more than 50% of the organizations to use third party security firms to help manage their network infrastructure.

Gallop Solutions has a rich repository of security test cases and maintains its own Network Security Test Center of Excellence. We adopt latest industry test practices to deliver cutting-edge security testing services to leading banks across the world. Contact us to know more.

