
Case Study: High-Value Assurance to Financial Sector

08 March 2023

by NCC Group

Situation

NCC Group worked with a large international financial services organization with a broad portfolio of digital offerings, ranging from customer-facing banking applications to commercially oriented applications and financial APIs exposed for consumption by third parties.

At a Glance

Organization: International Financial Services

Industry: Financial Services

Challenge: Security testing at various stages of the development lifecycle

Solution: NCC Group conducted research and fully reviewed the big data environments to understand potential risks

Result: NCC Group provided recommendations and advice to resolve any issues quickly and efficiently

Challenge

Given the high value of the information on which the applications operate, the client required security testing to be integrated at various points within a rapidly moving development lifecycle.

Traditional, periodic security assessments and penetration tests were identifying vulnerabilities at a sub-optimal point in the development process, and the client was seeking greater assurance of end-to-end security throughout its development processes.

Because of the sensitive financial information accessible to the applications, a breach in any of them would likely attract large regulatory fines and infringement penalties, as well as reputational damage to the brand through loss of customer trust.

Solution

Consultants from NCC Group were integrated into the development lifecycle of the applications, providing consultation to the different teams at various points. The following support was provided:

  • Review of design patterns and architectural collateral to identify logic-based vulnerabilities and to highlight improvements to the security mechanisms in the design.
  • Assessment of the implementation, first to confirm that the intended security controls functioned as expected, followed by fuzzing of the implementation to identify unexpected error conditions that could be exploited.
  • Consultation with developers at an early stage of the development process to ensure security requirements were captured and documented.
  • Collaboration with the development teams to ensure that in-life application development activities gave greater focus to security use and abuse cases within the applications.
  • Security assurance and penetration testing of new and existing assets.
  • Risk assessment under the client’s rapid deployment model, in which cutting-edge functionality could have security implications for legacy or pre-existing solutions. NCC Group consultants helped the client understand these risks, assess their feasibility and impact, and provided remedial advice to improve the security posture.

As the applications offered banking functionality, it was vital that NCC Group tailored our test cases to focus on the specific threats targeting financial institutions in the real world.

These included, for example, fraud scenarios in which non-technical customers could be induced to compromise their own accounts despite the security controls in place, as well as the typical vulnerabilities commonly observed in web applications, such as those described in the OWASP Top Ten.

Due to the sensitive nature of the applications and their data, NCC Group’s attack scenarios covered broader tradecraft, including that of wider threat actors such as nation-state attackers and organized criminal groups.

Additionally, because a large amount of development work was ongoing at any one time, solutions were devised to allow accurate and rapid reporting of potential issues to the relevant stakeholders. A ticketing-style system was agreed, in which the different development teams would request testing or consultation, and the priority of each request was then decided jointly with the client.

Priority was based on the potential impact of a vulnerability in the feature or functionality and on the likelihood of that functionality being targeted (for example, the privileges required, or whether open sign-up gave access to the feature). This supplemented the presence of NCC Group security consultants on daily scrum calls, where new functionality and release candidates were identified.

Existing assets were also continually assessed against emerging threats, novel or newly discovered attack techniques, and zero-day vulnerabilities. Because the consultants were embedded, details from the public disclosure of a newly identified vulnerability could rapidly be incorporated into current and future assessments of the application estate, and techniques to mitigate the vulnerability, to monitor the applications for attempted exploitation, or potential fixes could be proposed.

Result

NCC Group integrated our deep cyber security expertise into the client’s development teams and processes, rapidly accelerating the teams’ cyber security knowledge.

As a result, the client gained greater visibility of security vulnerabilities and issues at an earlier stage of the development process, making remediation more effective and reducing the overall risk to the organization’s brand and clients. NCC Group worked collaboratively with the client to provide the necessary skills and expertise at the optimum point, so that the client’s risk was significantly reduced.

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.
