Web application penetration testing in financial institutions
CASE STUDY |
During an Office of the Comptroller of the Currency (OCC) audit, one of RSM’s financial clients was informed of the need to test their web-based applications. Specifically, the OCC requested application penetration testing be performed on any web and mobile applications. This kind of penetration test would assess exploitable vulnerabilities—the kinds that malicious individuals look for—in the applications. Since they handle sensitive information, the security of these applications is of the utmost importance, and application penetration tests help assess this security. Furthermore, the OCC is increasingly requiring financial institutions to perform these penetration tests in order to pass the audit.
The client contacted RSM for assistance in meeting this requirement. RSM’s combination of financial industry professionals and application security specialists helped this client not only meet their OCC audit with confidence but also make their applications more secure.
RSM offers three different levels of application security assessments that correspond to the OCC’s requirement for application penetration tests. These assessments uncover vulnerabilities an attacker could exploit to achieve unauthorized access to the application. All assessments also include recommendations for remediating any identified vulnerabilities. RSM offers the following three assessment levels:
- Vulnerability scans. The application vulnerability scan is a nonauthenticated assessment, which means that the assessment tests login functionalities without credentials in order to assess the application’s security. This test uses mostly automated tools to scan a web application for vulnerabilities. It is the most automated (and thus quicker and less expensive) of the three options. This assessment gives a valuable snapshot of security gaps in both web and mobile applications.
- Penetration tests. The application penetration test is an authenticated test that uses manual review in addition to automated tools to more thoroughly identify vulnerabilities, including business logic flaws. Potential vulnerabilities such as SQL, XSS, insecure authentication and malicious file execution are exploited to test the application’s vulnerability to these attacks.
- Static analyses. The most in-depth of the three tests, RSM utilizes a service to perform static code analysis and find vulnerabilities in the application code. Next, RSM engineers verify vulnerabilities line by line and review how the specific application functions.
Knowing that the client needed these assessments completed in a relatively short time frame, RSM encouraged discussion with the OCC regulator in order to determine which of the above assessments would fully meet the requirement. Based on the client’s budget and discussions with their OCC auditor, the client was able to choose the assessments that fit the company’s needs. The client chose to have RSM perform application vulnerability scans on five different web and mobile applications. These assessments found various server side vulnerabilities, a weak password policy and other design flaws. RSM laid out tactical recommendations that would allow the client to remediate these vulnerabilities within a short time frame, leaving both the client and the OCC auditor happy.
Several banking functions are completed online or on mobile devices, meaning these web and mobile applications are handling very sensitive information. For this reason, the OCC is increasingly focusing on web and mobile application security. This increased focus is directly affecting financial institutions through the audit process, where regulators are increasingly enforcing the requirement of application penetration testing. Therefore, financial organizations should prepare themselves to have these tests performed.
In a short amount of time, the client went from potentially being issued a “Matters Requiring Attention” notice to fully meeting the OCC requirements. This experience provided valuable insight into the way a financial institution can successfully prepare for and handle an upcoming OCC audit. This engagement also signified a trend in recent audits. While application penetration testing has been on the books for a while now, the OCC is only just starting to strictly enforce this requirement, and there’s no sign that the requirement will disappear anytime soon. Organizations should plan as early as possible to have these penetration tests completed as an OCC audit approaches. As specific requirements for application penetration testing currently vary slightly from one OCC audit to the next, it’s imperative to get the auditor involved in the process early so that the organization can verify what level of penetration test is appropriate.
For this engagement, RSM provided the client with the methodologies for each of the application penetration tests before the tests were performed. The client then showed the methodologies to the OCC regulator so that the regulator could approve which type of penetration test met the audit control. In this instance, the client’s regulator said an application vulnerability scan would suffice for the time being, but that in future years, the more thorough application penetration test would be required. Getting the regulator involved early on helped speed the process along and ensured that the client was not wasting time or money.
Once the regulator confirmed which penetration test was appropriate, RSM was quickly able to schedule and perform these assessments on all of the client’s web and mobile applications. The client could then perform any tactical fixes to vulnerabilities identified during the assessments. This end result of this engagement was more secure applications and a smooth OCC audit process.