How Testing can save Financial Applications from the next HACK

On October 20, 2016, The Economic Times (Indian business daily) reported that ‘3.2 million debit cards may have been compromised in India’ as a result of a security breach. The breach allegedly originated at Hitachi Payment Services and let fraudsters steal card data and, consequently, funds. Startling incidents like these further establish the need for security testing in the financial/banking sector.

Experts have also identified malware written specifically to infect point-of-sale (PoS) terminals, which offers attackers a higher rate of success because far more people pay with cards at a shop than withdraw cash at an ATM. A similar retail breach was reported in the US in 2013 at the retail chain Target.

In 2013, data from up to 40 million credit and debit cards used by shoppers at Target was stolen by attackers, at the peak of the holiday shopping season. Financial analysts and market research firms have used incidents like this to gauge how badly the security of financial applications can be compromised.

This further emphasizes the urgency of building a comprehensive testing strategy for the financial/banking sector, and of re-evaluating that strategy against current challenges, including malware that probes these systems.

What does financial software do and why is it complex?

Financial software/applications are complex and are built around financial information management. The software can run as an independent application or can be embedded into a financial information system (IS). Generally, financial software covers all aspects of personal or business finance and offers multiple features: basic financial data management, transactions, budget management, personal/corporate account management, and asset management.

Additionally, a financial app offers multi-tier functionality to serve numerous concurrent user sessions. For instance, a banking application works with many other applications, such as a bill-pay utility, trading accounts and business workflows, to support various transactions and interconnected activities.

It involves batch processing and real-time processing, where the transaction processor can be a large-capacity mainframe or a legacy system handling a very high volume of transactions per second. The resulting processes make the overall financial application complex.

Summing up, the following characteristics drive the need for a robust testing strategy:

  • Multi-layered functionality to manage concurrent user sessions
  • Large scale integration for multiple activities
  • Real Time and Batch processing
  • Higher rate of transactions per second
  • Detailed reporting to track each activity
  • Strict auditing to handle customer issues
  • Disaster recovery mechanism / robust back-up plan
  • Extensive storage system

Multi-layered interactions of a Banking application may involve:

  • End users interacting with the Web Server via a browser
  • Middle-tier software that validates the input and output of the web server and enforces authentication
  • Database that stores data and processes
  • Transaction Processor to conduct several transactions per second

What are the essentials to consider while testing financial/banking applications?

Security Testing

With reference to customer/user experience and a secure interface, security testing ranks high. Traditionally, security testing was left to the end of the testing cycle. However, with new-age challenges and malware targeting the financial domain, security testing has come to the forefront.

With millions of transactions a day, the stability and robustness of the financial app are absolutely critical. A single security breach can have a long-term impact on the whole sector, costing the overall system its credibility.

Additionally, integration with third-party applications, emerging digital commerce platforms, complex workflows, and the growing nexus between social media and mobile platforms are exposing financial apps to threats from many sources and in many ways.

So, protecting financial data from malicious attacks is imperative to prevent loss of credibility and recurring financial loss. Despite the rising number of security products in the market, security breaches continue to grow. Security testing helps make applications robust and secure against market challenges, and helps counter the emerging vulnerabilities in the environment.

Security testing is one of the major steps in the overall application testing cycle. It verifies that the application complies with federal and industry standards and removes the web vulnerabilities that could expose critical data to an attacker.

Performance Testing

What if the mobile banking application installed on your device refuses to integrate with your insurance provider, resulting in failure and delay in premium payment? Yes, this could be disappointing and inconvenient for a user.

This drives the need for performance testing applications to boost and ensure customer satisfaction. With financial services institutions constantly expanding across segments and markets, it is important to ensure that the application used by the end customer can take the load and ensure the desired outcome.

Performance testing/engineering can help predict, test, and handle loads during critical situations to avoid breakdowns. It further ensures the performance, scalability, resilience, and reliability of the application. Today, financial institutions are entering the marketplace with complex applications that require rapid development cycles.

At the same time, it is important to ensure that the quality of the application is not compromised. Performance Testing brings all this together:

  • It helps monitor and report activities
  • Boosts productivity
  • Brings down the costs resulting from defects
  • Cuts down-time and ensures customer satisfaction

Functional Testing

Functional testing involves application testing, system integration testing, regression testing, and user acceptance testing. Banking software/applications deal with sensitive financial data and perform complex calculations in the background that involve money transfers and highly sensitive data. So, it is important to execute end-to-end functional testing of the application.

What does Functional Testing of banking/financial applications entail?

  • Test cases: This involves listing down the functional requirements, where every business scenario involves a few positive and negative test cases.
  • Verification of test cases: This involves verification of the elaborated test cases in line with the business scenarios, ensuring that every business scenario is covered.
  • Executing functional tests: The tests require basic knowledge of finance and accounting, and are run either manually or with automation.

At Gallop, we understand that the security of your applications is critical for your business and, above all, for the overall financial services sector. One of the top automobile financing firms in the US partnered with Gallop’s Security Testing services to harden its applications.

The core challenge and requirement of the client was to keep the applications secure. The client reached out to Gallop for penetration testing of their flagship web application. One of the major challenges was manual execution of security tests by complying with stringent timelines and regulations.

Focusing on the client’s business objective, Gallop experts executed extensive security assessment tests for the web application to identify security loopholes and vulnerabilities. Apart from the other important aspects of Security Testing, the team implemented custom execution methodology based on the application’s technology and business logic to accelerate manual security testing.

Beyond serving the client’s business objective, the engagement saved the brand from collateral damage and fixed several major vulnerabilities. A thorough security testing strategy further instilled added confidence amongst the end users.

The Gallop team has worked with acclaimed players in the sector and understands its intrinsic challenges. Our unique Managed Security Testing Services model combines a deep understanding of industry best practices with decade-long expertise in software testing services delivery. We collaborate with businesses in North America to identify vulnerabilities and fix them early in the application test cycle.

With the world economy going through phases of evolution, challenges faced by the banking/financial services sector are endless. Connect with Gallop experts to build a comprehensive testing strategy to make your financial applications secure and reach out to your end users with confidence.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

Resilience is critical. How can Security Testing build it?

What is ‘Pegasus’?

On August 25, 2016, Apple pushed a security update to all iPhone users to prevent their handsets from being infected by the ‘Pegasus’ spyware. Experts consider ‘Pegasus’ by far the most sophisticated software created to infect and spy on smartphones. It was created by an Israeli company, the NSO Group, and came to light when it was used in an attempt to target Ahmed Mansoor, a prominent dissident in the United Arab Emirates.

This discovery was a shock not just for iPhone users but for smartphone users around the globe and the wider cyber security world. It has raised eyebrows and called into question how secure the interfaces on our mobile devices really are.

Let’s take the larger picture into perspective.

Economies around the world are going through phenomenal changes, resulting in political upheaval. Technology is being unethically abused and exploited as a weapon in these modern-day conflicts. Vulnerabilities in technology and devices are on the rise, building up the ‘insecurity’ scare.

Is Security Testing an answer to determine and bring down the ‘vulnerability’ scare?

Yes, it could be an answer for some obvious reasons:

  • Security testing verifies that the application or software presents a secure interface. In practice, it checks the software/application for vulnerability to external attacks, such as compromise of the system or unauthorized log-in.
  • It verifies the integrity of the data at hand and at the same time checks the required functionality.
  • Security testing checks for information leakage through the mechanisms in place, such as encryption, firewalls and the surrounding software stack.
  • It helps determine how the software/application can be salvaged in the event of a critical attack.

Essentially, security testing covers a gamut of concerns: confidentiality (privacy), integrity, authentication (credibility), availability (accessibility), and authorization.

The market for mobile applications is already booming and will see further growth in times to come. Market analysts estimated that, by 2017, the app market would see over 268 billion app downloads and gross $77 billion in revenue. With 46% of applications being paid for, the monetary health of the industry seems strong.

With apps being installed and used for a range of jobs and intentions, a robust framework for security testing is indispensable. Within application security testing, many experts consider interactive testing the most relevant approach for assessing an application’s security.

Interactive Application Security Testing (IAST) operates differently from static and dynamic tools. Dynamic Application Security Testing (DAST) probes the running application from the outside (outside-in) to identify security issues, while Static Application Security Testing (SAST) examines it from the inside (inside-out) by checking the source code, byte code, or binaries.

IAST brings the two together and covers the gaps left by DAST and SAST.

IAST instruments the application and works with information observed at runtime, covering data flow, control flow, libraries and connections, in order to identify vulnerabilities effectively. This is the very reason why interactive testing works well for assessing an application’s security.

Because the application is observed while it runs, IAST can report the exact request, code path and data flow that trigger each finding, with fewer false positives than either static or dynamic testing alone. That precision lets teams confirm and fix the weaknesses that would otherwise lead to an incident, which is how IAST contributes to resilience.

Likewise, a software security glitch can lead to security lapses in any industry, not just the mobile devices/applications market. The impact of security lapses multiplies in highly sensitive sectors like defence, automobiles, and banking.

In 2013, Nissan recalled a set of vehicles to address an issue with the airbag’s seat occupant sensor. A similar recall in 2014 covered almost 1 million vehicles. Further investigation found that the airbag issue was due to a software failure: the sensor system could fail to recognize that an adult was seated in the passenger seat, so the airbag would not deploy in a crash. The issue was not fully resolved and was listed among the worst software bugs of 2015. The case was further investigated by U.S. safety officials.

Such glitches embarrass globally acclaimed brands and can cause serious business losses. On the whole, this can be a massive blow to the brand’s credibility in the marketplace.

A range of robust Security testing tools combined with a comprehensive testing strategy can empower enterprises / brands to not only identify the critical glitches within the software, but also help the application / software rebound and recover crucial data.

Gallop has worked with enterprises and brands to address business-critical security challenges in their applications/software. With a key focus on network security, mobile application security, cloud application security, and source code review, Gallop’s 5-step security test lifecycle helps build your application’s security.


10 Critical Activities to Test Security of Mobile Applications

3G- and 4G-enabled smartphones are increasingly used for accessing the Internet, performing financial, business and social transactions, and consuming media. However, the safety of the data handled by apps distributed through mobile application stores poses a big security issue.

To add to this, Gartner predicts that by 2017 almost 25% of enterprises will have their own enterprise app store.

While this will make distributing new apps much more efficient, it is also a feast for attackers, who will have more to break into. Only an environment with full-fledged security testing will save the apps (and the companies) from leaking large amounts of personal data from mobile devices.

In short – security of the apps will be vitally business-critical.

So, what can be done about this? What really is needed?

An app testing strategy that not only analyses the security risks of using an app on smartphones but also helps eliminate them.

When an attacker in a man-in-the-middle (MITM) position intercepts apps that communicate sensitive information and manipulates the traffic for their own benefit, proper SSL/TLS certificate validation* (verifying the certificate chain and matching the hostname) mitigates the risk. However, this is easier said than done, because billions of app users are on risky, untrusted networks, making them easy prey for MITM attacks.
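
As an added illustration of what “secure certificate validation” means in code (this is example code written for this page, not from the original post or from any vendor), the Python block below contrasts the insecure pattern the 2012 study flagged (hostname and chain checks switched off) with a properly verifying TLS context, and adds certificate pinning as a further check. The pin set, host name and fingerprints are hypothetical placeholders.

```python
import hashlib
import socket
import ssl

# Hypothetical pin set: SHA-256 fingerprints (hex) of the DER-encoded server
# certificates the app expects. Placeholder value, not a real pin.
EXPECTED_PINS = {"a" * 64}


def insecure_context() -> ssl.SSLContext:
    """The pattern the 2012 study flagged: chain and hostname checks disabled.
    Any certificate an attacker presents in a MITM position is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default context: chain verified against the system trust store,
    certificate must match the hostname, and legacy protocol versions refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """What a security test checks on the app's TLS configuration."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """Certificate pinning: accept only a certificate whose fingerprint is in
    the pin set. This is in addition to chain validation, not a replacement."""
    return fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int = 443, pins: set = EXPECTED_PINS) -> bytes:
    """Open a verified TLS connection and then enforce the pin on the peer
    certificate. Needs network access, so it is not exercised offline."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return der
```

A mobile security test for this class of issue does not need the attacker’s network: it inspects how the app builds its TLS context (or, on device, presents a certificate the app should refuse) and checks that the connection fails closed, which is what `context_is_safe` and `pin_matches` assert here.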

All mobile apps fall in one of the following three main categories:

  • Native apps – These are written to run only on a specific platform and its supported devices. For example, an iOS app runs only on an iPhone or iPad.
  • Web applications – These are built using standards like HTML5 and can be accessed by any mobile device.
  • Hybrid applications – These apps usually have a layer of native application around a Web-based user interface and provide the best of both worlds.

Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016 – for all the obvious reasons.

Mobile Security Testing Process – An Overview

Like everything else, security testing for apps needs a method to the madness. Here are three basic steps suggested by experts in the field that must be performed to achieve the desired objective:

  1. Intelligence Gathering (gather as much as possible information about the app)
  2. Threat Modeling (identify threats for the app – specific or prepared)
  3. Vulnerability Analysis (identify vulnerabilities in the app using the previously created test cases, through dynamic methods such as passive network monitoring and analysis; runtime analysis of the communication between internal components (Android: Intents; iOS: objc_msgSend calls); and forensic methods such as timeline analysis)

Reference: Security Testing Guidelines for Mobile Apps by Florian Stahl & Johannes Ströher

10 critical activities to be performed to make apps secure

At a broad level, we need to test the following to ensure mobile app security: data leakage, data flow and storage, encryption, authentication, server-side controls, and points of entry.

Ten specific activities to be performed while testing the Security of Mobile Applications are:

  1. Automated security testing of mobile applications on multiple mobile devices across multiple platforms over diverse networks
  2. Use of a cloud-based mobile testing lab that accepts either the location of an app or the app binary itself for testing
  3. A wide variety of automated security tests to identify embedded spyware, viruses and Trojans, and data-privacy, data-leakage and unsolicited network connection issues
  4. Dynamic analysis and testing of apps in a lab that provides the environment needed to verify security issues such as insecure file system use, insecure data transmission, unsafe data storage, privilege violations, etc.
  5. Analysis of the results for each mobile application
  6. Automated code assessment that helps IT teams secure mobile apps in agile environments
  7. Inspection of all features of the apps in real time in controlled environments, and comparison of the results against a large set of known applications
  8. Assessment of the apps using binary static analysis, which exposes malicious capabilities and vulnerabilities such as information leakage
  9. Assessment of whether the app has been built to the specific compliance demands of your industry, since it is vital to follow the right standards, regulations and mandates
  10. Last, but definitely very important, keep checking and testing for the new security threats that surface so often


To cover all the bases and ensure that effective testing is performed, a third-party organization with the right expertise can prove to be your best bet. At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool-agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.

* A study conducted in late 2012 established that almost 17% of the tested Android apps do not fully validate SSL certificates.


Banking Application Security and Impact of PCI DSS Compliance

Over 1 Million people across the world become victims of cyber crime daily with crimes occurring at the rate of 12 per second. Alarmed? You have every reason to be.

Since the majority of data breaches involve debit and credit card data, the card brands created the PCI DSS standard (first released in 2004, and administered by the PCI Security Standards Council since its founding in 2006) to strengthen information security and keep customer card data secure.

What is PCI DSS?

PCI DSS – Payment Card Industry Data Security Standard – is the set of security requirements administered by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to safeguard debit and credit card data. Its scope covers data security management, security policies and procedures, network architecture and software design.

It suggests a continuing cycle of assessment (identifying vulnerabilities), remedy (fixing vulnerabilities) and reporting for all entities that store, process and transmit card data.

How does PCI DSS impact banking and banking applications?

PCI DSS has set stringent norms that banks need to follow diligently to stay compliant. Primary among them is the need to perform adequate security testing to ensure card holder data is never compromised.

  • Run controlled attack simulations against the bank’s network on a regular basis to verify network, endpoint and web application security
  • Perform security testing to detect well-known vulnerability classes such as SQL injection, OS command injection, cross-site scripting and broken authentication
  • Test for the presence of authorized and unauthorized wireless access points at least quarterly
  • Perform penetration testing (white box and black box) at the network layer and the application layer at least once a year and after any significant change to the application or infrastructure
  • The scope of penetration testing is the cardholder data environment (CDE) plus any systems and networks connected to it (unless the bank has segmented its network so that the CDE is isolated from other systems, in which case the segmentation controls themselves must be tested)
  • Penetration testing should aim to identify threats and vulnerabilities and attempt to exploit them to penetrate the system at both the application and the network level
  • Issues identified should be corrected and re-tested to verify that the corrections are effective

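To make the second bullet concrete, here is an added example (not from the original post or from any PCI document) of what a SQL injection test case looks like against a login routine: the string-built query beside its parameterised form, both exercised with a classic authentication-bypass payload. The users table and credentials are constructed sample data, and the function names are this example’s own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts.
    (Plain-text passwords are used only to keep the injection point obvious.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built query: attacker-controlled input becomes SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# A classic negative test case: with the vulnerable query the password
# clause becomes  password = '' OR '1'='1  and the check always passes.
BYPASS_PAYLOAD = "' OR '1'='1"


def run_injection_check(login_fn) -> dict:
    """What a tester records for one login implementation: a valid login
    succeeds, a wrong password fails, and the bypass payload must also fail."""
    conn = make_db()
    return {
        "valid_login": login_fn(conn, "alice", "s3cret"),
        "wrong_password": login_fn(conn, "alice", "nope"),
        "bypass": login_fn(conn, "alice", BYPASS_PAYLOAD),
    }


if __name__ == "__main__":
    print("vulnerable:", run_injection_check(login_vulnerable))
    print("hardened:  ", run_injection_check(login_hardened))
```

The same positive/negative pairing carries over to every input the application accepts (OS command injection and cross-site scripting payloads are tested the same way): the test passes only when the malicious payload is rejected while legitimate input still works.
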
Most financial organizations find it challenging to meet the rigorous testing requirements of PCI DSS. A Verizon study found that fewer than one-third of organizations were still fully PCI compliant less than a year after validation. Failure to comply can have severe consequences in terms of loss of trust and credibility, not to mention substantial recurring fines levied by the card brands. Gartner expects that by 2018 more than 50% of organizations will use third-party security firms to help manage their network infrastructure.

Gallop Solutions has a rich repository of security test cases and maintains its own Network Security Test Center of Excellence. We adopt the latest industry test practices to deliver cutting-edge security testing services to leading banks across the world. Contact us to know more.



Securing on-premise data through data masking


Cloud computing has grown in popularity over the years because of the benefits it offers, such as higher scalability, flexibility and lower infrastructure costs. At the same time, security has always been a prime concern, particularly for applications handling sensitive personal and commercial data. A study of 2,200 companies found that 48% of respondents with on-premise datacenters had suffered data attacks.

Cloud provides a highly scalable and convenient development and testing interface. So, how can companies make data available to their employees for development, testing or analysis purposes without running the risk of a data breach?

Data masking, or data obfuscation, provides an efficient way of addressing the security concerns of storing data in the cloud. It replaces sensitive data with fake but realistic data before the data is moved to the cloud.

Advantages of Data masking:

  • It provides a viable answer to five types of threat: data breaches, data loss, account or service hijacking, insecure interfaces and malicious use of data by insiders
  • Masked data retains its referential integrity and structural format, so applications and tests behave as they would on production data
  • Data can be shared with authorized people, including developers and testers, without fear of exposing production data
  • It significantly reduces the data risks associated with increasing cloud adoption
  • For non-production copies it is cost-effective and less complicated than encryption, since there are no keys to manage and the data never has to be decrypted to be used; this also mitigates the insider threat

Masking techniques

Multiple data masking techniques are used to ensure the data is kept secure. Notable among them are:

  • Substitution – Replace values with other values of the same kind. Ex: substitute names with other names of the same gender.
  • Shuffling – Randomly permute the values within a column, so each row keeps a real-looking value but no longer its own. This is useful for disassociating sensitive data relationships.
  • Blurring – Alter a numeric value by a random amount within a defined range.
  • Tokenization – Substitute data elements with random placeholder values (tokens); the mapping from token back to the original value is kept in a separate, protected store.

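The four techniques above applied to a few constructed customer records, as an added Python example (not code from the original post or from any masking product). The record layout, the name pool, the salaries and the card numbers are hypothetical test values; the card numbers are the well-known industry test PANs, not real cards.

```python
import random
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Customer:
    name: str
    email: str
    salary: int
    card: str


# Constructed production-like rows (fictitious people, industry test PANs).
PRODUCTION = [
    Customer("Ann Lee", "ann@example.com", 72000, "4111111111111111"),
    Customer("Raj Patel", "raj@example.com", 58000, "5500000000000004"),
    Customer("Mei Chen", "mei@example.com", 91000, "340000000000009"),
]

# Hypothetical substitution pool of realistic-looking names.
NAME_POOL = ["Pat Doe", "Sam Roe", "Kim Voe", "Lee Moe"]


def substitute(rows, rng):
    """Substitution: replace each name with a realistic value from a pool."""
    return [replace(r, name=rng.choice(NAME_POOL)) for r in rows]


def shuffle_column(rows, rng, field="email"):
    """Shuffling: keep the set of values in a column but permute them across
    rows, which breaks the link between a person and their own value."""
    values = [getattr(r, field) for r in rows]
    rng.shuffle(values)
    return [replace(r, **{field: v}) for r, v in zip(rows, values)]


def blur(rows, rng, pct=10):
    """Blurring: perturb a numeric value by a random amount within +/- pct %."""
    out = []
    for r in rows:
        delta = rng.uniform(-pct, pct) / 100
        out.append(replace(r, salary=int(r.salary * (1 + delta))))
    return out


class Tokenizer:
    """Tokenization: swap a card number for a random placeholder and keep the
    token-to-PAN mapping in a vault that stays on the production side.
    The same PAN always maps to the same token, so joins still work."""

    def __init__(self):
        self.vault = {}

    def tokenize(self, rows):
        out = []
        for r in rows:
            token = self.vault.get(r.card)
            if token is None:
                token = "tok_" + secrets.token_hex(8)
                self.vault[r.card] = token
            out.append(replace(r, card=token))
        return out


def mask_for_nonprod(rows, seed=0):
    """Full pipeline producing a copy safe to hand to developers and testers."""
    rng = random.Random(seed)  # seeded so the masked copy is reproducible
    tok = Tokenizer()
    return tok.tokenize(blur(shuffle_column(substitute(rows, rng), rng), rng))
```

Note what each technique preserves: substitution keeps the column realistic, shuffling keeps the exact value distribution, blurring keeps aggregates roughly right, and tokenization keeps uniqueness and joinability while the vault, not the masked copy, holds the only way back to the real card numbers.
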
What is dynamic masking?

This is the process of masking production data at the point when the data request is actually made, rather than in a separate copy. There are two main types of dynamic masking: view-based masking and proxy-based masking.

View based masking maintains the production version and the masked version of the data in the same database. Users who are not approved to view production data or who trigger the security filter in any way are shown masked data. The decision to show masked or production data is made in real-time based on pre-programmed rules.

Proxy-based masking introduces a proxy layer between the user and the database. The user’s query passes through the proxy, which substitutes masked values into the result of the query before returning it. This provides data protection without altering the database.

Another, more recent technique is query substitution, which intercepts a query and redirects it to retrieve data from masked columns instead. Such substitutions are flexible: the masked data can come from a view or a file, or even be linked from another database.

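View-based and proxy-based masking side by side, as an added example using SQLite from Python (not code from the original post or from any masking product). The customers table, the roles, and the rule that card numbers and e-mail addresses are the sensitive columns are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows (fictitious people, industry test PANs).
ROWS = [
    (1, "Ann Lee", "4111111111111111", "ann@example.com"),
    (2, "Raj Patel", "5500000000000004", "raj@example.com"),
]

# Hypothetical role that is approved to see production values.
PRIVILEGED_ROLES = {"fraud_analyst"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, pan TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    # View-based masking: the masked projection lives in the same database as
    # the production table; it keeps the last four digits of the PAN and the
    # e-mail domain, which is usually enough for developers and testers.
    conn.execute(
        """CREATE VIEW customers_masked AS
           SELECT id, name,
                  '************' || substr(pan, -4) AS pan,
                  substr(email, 1, 1) || '***@' || substr(email, instr(email, '@') + 1) AS email
           FROM customers"""
    )
    return conn


def view_based(conn, role: str):
    """Decide at request time whether the caller reads the production table or
    the masked view. `src` comes from a fixed set, so the f-string is safe."""
    src = "customers" if role in PRIVILEGED_ROLES else "customers_masked"
    return conn.execute(f"SELECT id, name, pan, email FROM {src} ORDER BY id").fetchall()


def mask_pan(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]


def proxy_based(conn, role: str, sql: str):
    """Proxy layer: run the caller's query unchanged, then rewrite the sensitive
    columns in the result set before handing it back. The database itself is
    untouched, so this works against schemas that cannot be modified."""
    cur = conn.execute(sql)
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    if role in PRIVILEGED_ROLES:
        return rows
    sensitive = {"pan": mask_pan}
    return [
        tuple(sensitive[c](v) if c in sensitive else v for c, v in zip(cols, row))
        for row in rows
    ]


if __name__ == "__main__":
    db = make_db()
    print(view_based(db, "developer"))
    print(proxy_based(db, "developer", "SELECT id, pan FROM customers"))
```

The view approach relies on the database enforcing who may read the base table (the masked view is only useful if the caller cannot also select from `customers` directly); the proxy approach relies on the proxy being the only path to the database. Either way, the masking decision is made per request, which is what distinguishes dynamic masking from producing a masked copy.
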
Although cloud infrastructure has itself been exposed to security threats in recent times, organizations cannot afford to shy away from the cloud because of them, given the benefits it offers. Data masking is one of the techniques making the cloud more secure. Experts expect the data masking market to grow 30-40% a year as organizations become as cautious about security breaches from inside as from outside. Data masking provides an effective way to leverage the benefits of the cloud without compromising on security.

Enterprises face a relentless onslaught of security challenges, ranging from DDoS attacks, database compromise, unauthorized entry and breaches of access control to login flaws and vulnerabilities in session handling, multiple authentication mechanisms, caches, etc. Want to provide greater security for your enterprise data? Download our Security Testing white paper to know more.

We are also hosting a Webinar on Mobile Application Security Testing Right before your eyes on Jan 22nd, 2015 at 11 AM EST. Register for the webinar to get deeper insights into how to do efficient security testing – Register for Security Testing Webinar here.

