Financial case studies

Secura provides services to a wide range of financial institutions and banks, for whom IT security is of great societal importance. For reasons of confidentiality we cannot present a list of our clients. To give an impression of our clients' experiences, you will find some anonymised examples of projects in the financial world below. Specific references are, of course, available on request.

How can we help you? Read more about our services and trainings geared to the individual risk areas for a range of business sectors. Do you have any questions, or are you interested in a tailor-made quotation? Then do not hesitate to contact us; no strings attached!

Pension fund

Project: Grey box security test of the pension application and black box security test of the IT infrastructure
Target: Java (web application)

Like many organisations, this pension fund gives its members the opportunity to view their account online. Such portals are becoming more and more popular, but in many cases the underlying applications were not developed with 'external' use in mind. That turned out to be the case at this pension fund. The IT infrastructure was in good shape; the application was a different matter. It proved possible for users to view and alter the data of arbitrary other members in several different ways. The major issues were caused by poor session management, poorly implemented input validation and cross-site scripting. After a thorough revision of the software, Secura concluded in a retest that the initial problems had been adequately dealt with. As a result of our findings, the pension fund decided to enrol its programmers in our secure programming training course, to better equip them to prevent serious issues in the future.

Bank

Project: Grey box security test of the e-banking application
Target: Java (client/server) decompilation

This bank has had a generic e-banking application in use for some time. The application was due to be placed under external management through an outsourcing arrangement, and the new managing party wanted to know whether it was secure. The assessment showed that this was very far from the case. Although the solution looked very secure on paper, serious mistakes had been made in the implementation and coding. These errors became apparent, among other things, after decompilation of the Java client. For example, Secura successfully transferred money from one arbitrary account to another without authentication. The bank counts itself lucky that this issue came to light in a confidential setting, allowing the right measures to be taken in a timely fashion.

International banking organisation

Project: Crystal box security test of the web application with code inspection, and secure programming training
Target: Java (client/server) decompilation

This international banking organisation considers IT security a top priority and regularly provides Secura with challenging projects to uncover potential weaknesses in ostensibly very secure solutions. In this case we were dealing with an extremely complex and, at first sight, impenetrable solution. After decompilation of the Java client, it transpired that a number of checks were being executed on the client side rather than on the server side.

After disabling these checks and further analysis of the client/server traffic, it became possible to escalate privileges and gain access to data the user was not authorised to see. Further analysis revealed that it was even possible to execute unauthorised database transactions. This security assessment succeeded through the technical knowledge, creativity and persistence of Secura's consultants. 'We go beyond the tools.'
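The three findings above (the pension portal that let members read and change other members' data, the e-banking client from which money could be moved without authentication, and the client-side checks in this case) share one root cause: the server trusts what the client claims to have already verified. The following is an added illustration, not code from Secura or from any of the organisations described. It models a thick Java client whose local check an attacker removes after decompilation, and compares a server that trusts the client with one that re-derives identity, account ownership and role from its own state. The session id, account numbers, user names and transfer limit are constructed for the example.

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.Set;

// Added example, not code from Secura or any client. All identifiers below are constructed.
public class TrustBoundaryDemo {

    /** The message the thick client sends. Once the client is decompiled and
     *  patched, every field, including "role", is attacker-controlled. */
    static final class TransferRequest {
        final String sessionId, fromAccount, toAccount, role;
        final BigDecimal amount;

        TransferRequest(String sessionId, String fromAccount, String toAccount,
                        BigDecimal amount, String role) {
            this.sessionId = sessionId;
            this.fromAccount = fromAccount;
            this.toAccount = toAccount;
            this.amount = amount;
            this.role = role;
        }
    }

    // Constructed server-side state: session -> user, account -> owner, user -> role.
    static final Map<String, String> SESSION_USER = Map.of("sess-1", "alice");
    static final Map<String, String> ACCOUNT_OWNER =
            Map.of("NL01-ALICE", "alice", "NL02-BOB", "bob");
    static final Map<String, String> USER_ROLE = Map.of("alice", "customer");
    static final BigDecimal CUSTOMER_LIMIT = new BigDecimal("1000");

    /** The check as the shipped client performs it, using the account list the
     *  client received at login. After decompilation an attacker simply makes this
     *  return true, so nothing on the server may rely on it. */
    static boolean clientSideCheck(Set<String> myAccounts, TransferRequest r) {
        return myAccounts.contains(r.fromAccount)
                && r.amount.compareTo(CUSTOMER_LIMIT) <= 0;
    }

    /** Vulnerable server: assumes the client already validated ownership and
     *  limits, and honours the client-supplied role. */
    static String vulnerableServer(TransferRequest r) {
        if (r.sessionId == null || !SESSION_USER.containsKey(r.sessionId)) {
            return "DENY: no session";
        }
        if ("operator".equals(r.role) || r.amount.compareTo(CUSTOMER_LIMIT) <= 0) {
            return "OK: " + r.amount + " from " + r.fromAccount + " to " + r.toAccount;
        }
        return "DENY: over limit";
    }

    /** Hardened server: identity comes from the session, ownership and role from
     *  server-side state, and every field is re-validated. r.role is ignored. */
    static String hardenedServer(TransferRequest r) {
        String user = r.sessionId == null ? null : SESSION_USER.get(r.sessionId);
        if (user == null) {
            return "DENY: no session";
        }
        if (r.fromAccount == null || !user.equals(ACCOUNT_OWNER.get(r.fromAccount))) {
            return "DENY: not the account owner";
        }
        if (r.toAccount == null || !ACCOUNT_OWNER.containsKey(r.toAccount)) {
            return "DENY: unknown destination";
        }
        if (r.amount == null || r.amount.signum() <= 0) {
            return "DENY: invalid amount";
        }
        String role = USER_ROLE.getOrDefault(user, "customer");
        if (!"operator".equals(role) && r.amount.compareTo(CUSTOMER_LIMIT) > 0) {
            return "DENY: over limit";
        }
        return "OK: " + r.amount + " from " + r.fromAccount + " to " + r.toAccount;
    }

    public static void main(String[] args) {
        // Honest client: the local check stops the request before it is sent.
        TransferRequest honest = new TransferRequest("sess-1", "NL02-BOB", "NL01-ALICE",
                new BigDecimal("5000"), "customer");
        System.out.println("honest client sends: "
                + clientSideCheck(Set.of("NL01-ALICE"), honest));

        // Patched client: the local check is gone and the role field has been edited.
        TransferRequest forged = new TransferRequest("sess-1", "NL02-BOB", "NL01-ALICE",
                new BigDecimal("5000"), "operator");
        System.out.println("vulnerable server: " + vulnerableServer(forged));
        System.out.println("hardened server:   " + hardenedServer(forged));
    }
}
```

Run as-is, the vulnerable server accepts the forged transfer out of Bob's account because the request claims the operator role, while the hardened server rejects it as soon as it looks up who owns the source account. The point the case studies make is that a check in the client is at best a usability feature: every authentication, ownership, role and limit decision has to be taken again on the server, from state the client cannot write, regardless of what the client already did.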

Banking organisation

Project: Crystal box security test of the web application with code inspection, and secure programming training
Target: Web application (.NET / C#)

This banking organisation develops its own applications. At its request, Secura conducted an assessment of one of these applications. Two developers from the organisation shadowed our consultants to learn from Secura's experienced auditors; in this way many of our tests can be integrated into an organisation's internal testing process. The security assessment also served as a case study during the in-house Secure Programming course that Secura hosted for this organisation. Involving developers in the testing of their own application provides an optimal learning experience.

© Secura 2017