Application Security Assessment For A Global Financial Services Company


The customer is a global financial services company headquartered in New York City, best known for its credit card, charge card, and traveler’s cheque businesses. Following an era of international expansion, the company became an entity. It is one of the global payments companies operating today.

Their global delivery model revolves around developing a sustainable competitive advantage for their clients through a centralized repository: a web-based database management system that migrates various profiles from all the major Global Distribution Systems (GDS), Online Booking Tools (OBT), and other external systems.

The Challenge

Their model allows third-party applications to access data via a published interface. The application can send the desired data to a GDS (Global Distribution System) using Windows services. It supports both database types, SQL Server as well as Oracle. The migration of data is a very critical process, as some modules are integrated by third parties and various parts of the application undergo routine revisions. The customer was concerned about protecting the web-based application and the two-tier thick client application, and about protecting its critical database repository against critical vulnerabilities and the corresponding risks.

The Solution

The customer planned to obtain Information Security Services from Torrid Networks Pvt Ltd, which included a thorough application security assessment. The following steps were carried out for the in-depth analysis of the application and the security assessment:

  1. Interaction with the development team to understand the business requirements of the application, its target customers, confidential assets and the application’s data flow.
  2. Definition of objectives for a thorough security assessment of the web-based application and the thick client application.
  3. A web application audit, assessing the application from an attacker’s perspective.
  4. Execution of various attacks against the application by our team, using commercial, open source and custom tools, to determine underlying vulnerabilities in the application.
  5. Manual verification and risk analysis of the findings.
  6. Manual assessment of components not covered by the automated scanner, as well as any complex attack scenarios.
  7. Ensuring that roles and privilege levels could not be escalated.
  8. Ensuring the proper use of cryptography for data at rest and in transit.
  9. Comprehensive logging and auditability of user actions.
  10. Validating user input for malicious data that could result in loss of integrity or confidentiality of data.
  11. A security assessment methodology that includes, but is not limited to, all the checks for the security issues identified in the OWASP Top 10 list and the critical major vulnerabilities in thick client applications, including unvalidated input, weak authentication methods, sensitive data in memory, critical data in files and the registry, and impersonation of a high-privilege user.
  12. Finally, a multi-faceted, multi-pronged report containing a step-by-step tutorial on security best practices was handed over, written with care for its audience, which is generally the development team and managers.

The Result

The assessment revealed numerous holes in the application’s security controls. We highlighted the significant risks and the steps to mitigate them, which helped the development team address remediation; this enabled protection for a high volume of users, multiple web-based and thick client applications, and databases, resulting in highly secured applications. Torrid and this financial services organization remain trusted solution partners in the delivery of annual information security assessments.