
Penetration Testing For Banking Applications


January 1, 2016

Hi All,

As you all know, penetration testing is important in the banking industry. Banking applications are used for financial transactions, and securing their data is more important. Can you guys tell me how we can secure banking applications from hacking?

In the world of cyber security and hacking, a risk assessment plan, abreast with an information security program, is the main operation in keeping companies, including banks, secure from intrusion attempts. For banking applications, you need:
1 - Keeping the applications updated with the latest versions from their official website
2 - Backup all configurations to an external storage, SAN or NAS
3 - If the applications were made by the bank's programmers, a code review is required periodically
Also, go through the relevant PCI DSS compliance too to preserve customer trust, ensure compliance, and benefit your organization in the long term.

This is more of a combination of really good processes and controls that are validated regularly. Below is a best practice of how to set up a Secure SDLC. This may well take several years to fully implement smoothly. Setting up secure code training is a good idea, as most developers did not learn secure coding. Use OWASP or SANS lists as a baseline goal to meet. I would highly recommend the OWASP ASVS document as stage 2.

Design and Build Phase:
• Use Cases/Abuse Cases
• Complete Attack Surface Analysis
• Conduct Threat Modeling
• Secure Coding Standards / Secure Libraries

TEST (Application Security Testing):
• Use Dynamic Analysis (DAST) (HP, IBM, Veracode, WhiteHat, etc.)
• Use Static Analysis (SAST) (HP, IBM, Veracode, WhiteHat, etc.)
• Use Interactive Analysis (IAST) – still new, and not a lot of vulnerability scanners support it.
• Fuzzing
• Code Review – secure component life-cycle management
• Pen-Test (manual internal or 3rd party)

FIX:
• Conduct Vulnerability Remediation
• Root-cause Analysis (if you have recurring vulnerabilities) and
• Web Application Firewall (WAF)
• Virtual Patch, RAST (This is a fairly new area; HP is leading the way. Nice to have, but requires advanced knowledge of how to configure and use.)

GOVERN: This should be the foundation that everything above is built on.
• Risk Management
• Metrics/Reporting
• Secure Code Training
• Secure SDLC Practices
• 3rd party / Open Source Inventories and Software Risk

Hope this helps!

Interesting!

wow thanks a lot, I learn a lot from this

Thanks for sharing.
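The "Use Cases/Abuse Cases" item in the design phase and the "Fuzzing" item in the test phase of the Secure SDLC reply above are easiest to understand with a concrete target. The following is an added example written for this page, not code from any poster or from a real banking product: a toy funds-transfer function with the abuse cases for its inputs written as checks (account ownership, amount parsing with NaN, negative, sub-cent and over-limit values), plus a small deterministic fuzz harness that throws a corpus of bad strings and random decimals at it and verifies the ledger invariants after every call. The account names, owners, balances and the per-transaction limit are all constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import random

# Assumed policy values for the toy bank; a real limit comes from the product owner.
MAX_AMOUNT = Decimal("1000000.00")
CENT = Decimal("0.01")


class TransferError(Exception):
    """Raised for every rejected transfer; callers see one generic failure type."""


def parse_amount(raw: str) -> Decimal:
    """Abuse cases for the amount field: garbage, NaN/Infinity, zero or negative
    values, sub-cent precision and values above the per-transaction limit."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if not amount.is_finite():
        raise TransferError("amount must be finite")
    if amount <= 0 or amount > MAX_AMOUNT:
        raise TransferError("amount out of range")
    if amount != amount.quantize(CENT):
        raise TransferError("amount has more than two decimal places")
    return amount


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # account id -> Decimal balance
    owners: dict = field(default_factory=dict)    # account id -> owning user id

    @classmethod
    def from_strings(cls, balances, owners):
        """Build a ledger from string balances so callers never pass floats."""
        return cls({k: Decimal(v) for k, v in balances.items()}, dict(owners))

    def transfer(self, user: str, src: str, dst: str, raw_amount: str) -> Decimal:
        # Abuse case: a logged-in user names somebody else's account as the source.
        if self.owners.get(src) != user:
            raise TransferError("not authorised for source account")
        if src == dst:
            raise TransferError("source and destination are the same account")
        if dst not in self.balances:
            raise TransferError("unknown destination account")
        amount = parse_amount(raw_amount)
        if self.balances[src] < amount:
            raise TransferError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return amount


def is_rejected(ledger, user, src, dst, raw_amount) -> bool:
    """True if the transfer is refused with TransferError."""
    try:
        ledger.transfer(user, src, dst, raw_amount)
        return False
    except TransferError:
        return True


def fuzz_ledger(iterations=2000, seed=1):
    """Deterministic fuzz harness: feed corpus strings and random decimals to
    transfer() and check the ledger invariants after every call.  Returns the
    (accepted, rejected) counts; an invariant violation raises AssertionError."""
    rng = random.Random(seed)
    ledger = Ledger.from_strings(
        {"A": "100.00", "B": "50.00", "C": "0.00"},
        {"A": "alice", "B": "bob", "C": "carol"},
    )
    total = sum(ledger.balances.values())
    corpus = ["10", "0.01", "-5", "0", "1e3", "0.001", "NaN", "Infinity",
              "abc", "", "99.99", "1000000.01", "1E+2", "-0"]
    users = ["alice", "bob", "carol", "mallory"]  # mallory owns no account
    accounts = list(ledger.balances)
    accepted = rejected = 0
    for _ in range(iterations):
        user, src, dst = rng.choice(users), rng.choice(accounts), rng.choice(accounts)
        if rng.random() < 0.5:
            raw = rng.choice(corpus)
        else:
            raw = f"{rng.uniform(-200, 200):.{rng.randint(0, 4)}f}"
        if is_rejected(ledger, user, src, dst, raw):
            rejected += 1
        else:
            accepted += 1
        # Invariants a money-moving function must never violate, whatever the input.
        assert sum(ledger.balances.values()) == total, "money created or destroyed"
        assert all(b >= 0 for b in ledger.balances.values()), "overdraft"
        assert all(b == b.quantize(CENT) for b in ledger.balances.values()), "sub-cent balance"
        assert set(ledger.balances) == set(accounts), "account created or removed"
    return accepted, rejected


if __name__ == "__main__":
    print("accepted/rejected:", fuzz_ledger())
```

The harness deliberately asserts on properties of the ledger (money is conserved, no balance goes negative, no sub-cent balances appear) rather than on specific outputs, which is what lets a fuzzer find cases the abuse-case list did not anticipate; amounts are handled as Decimal strings end to end because a float-based version fails the sub-cent invariant on ordinary inputs.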