Success Stories
Application Security Audit

The client we refer to in this 'success story' is one of India's leading public sector banks. The bank recently launched a centralized banking solution through which their branches and automatic teller machines, spread across the country, are networked.

We were assigned to do the internal security audit of the organization's core banking and Internet banking architecture in accordance with criteria laid down by regulators at the Reserve Bank of India. In addition to auditing the resources at the bank, we were also asked to do a functionality and security audit of the client's core banking application. The assignment provided us with an opportunity to take a close look at a leading banking application used by large banks worldwide.

Scope of work

Our application security audit covered the following areas:

Auditing of security controls in the CBS and retail products
Audit of the SDLC at the bank, which involves extensive customization (process audit). The key parameters checked were:

  Is the 'software requirement specification' available?
  Is it version-controlled?
  Is there a test plan / test strategy?
  Are the test cases sufficient?
  Is there a regression test plan?
  How is release management handled?

Application administrative practices:

  How servers are updated
  User manuals review
  Sufficiency of user-training materials
  Application installation procedures

Validation of the application's security controls against the corporate security policy and procedures.

Team selection

The team members were selected on the following basis:

Exposure to SDLC models and practices
Prior application security expertise
Software testing experience
Process audit experience

The procedure

Our first step was to develop a questionnaire covering the core subject areas. The questionnaire was based on the application architecture study done by the audit team. Using the questionnaire, multiple rounds of discussions were conducted with various administrators and application owners. One of the major objectives of discussions of this sort is to perform an architecture analysis.

Next came the document review. The audit team reviewed all the documents pertaining to the functionality and the architecture of the application. Unfortunately, no standard exists for custom applications, which meant that our team had to come up with a best-practices document. Once the best-practices document was ready, the application documents were validated against it. A sufficiency test was conducted on the documents to validate whether the requirements specified during the design phase had been met.

Then came the real test: a black-box examination of the application's interface, conducted under controlled conditions to see how secure it was and to check whether the application was susceptible to any known web vulnerabilities.



Our value to our customer

A best-practices document to safeguard the application in that specific environment.
A report listing the weaknesses found in the software.
Details of inadequacies in processes and procedures.
Recommendations to remediate the discovered vulnerabilities.

Our future prospects with the customer

Some of the areas where we can add value for the customer in the future would be:

Process development for the SDLC, etc.
Future audits
Testing of the application outsourced to us by the application service provider