Vulnerabilities in Banking-Related Web Applications Highlight Significance of Secure DevOps

An audit of source codes in certain web applications found that 85 percent contained vulnerabilities that can be exploited to target users, with finance and banking-related web applications the most susceptible. According to the research, these security flaws can let attackers gain unauthorized access to sensitive data on servers and databases, execute commands, and delete or modify files.

While the research’s sample size was small, it reveals the prevalence of vulnerabilities in web applications used in the real world. The most widespread vulnerability was cross-site scripting (XSS), which, when exploited successfully, can let hackers steal data or compromised to redirect users to malware-hosting websites. Other notable vulnerabilities include:

  • HTTP Response Splitting — a flaw related to improper sanitation of input values, which can be used as a springboard for XSS attacks and defacements, among others.
  • Arbitrary File Reading and Modification — vulnerabilities that can let hackers access or overwrite content stored in a server, such as credentials and source codes.
  • Open Redirect — a flaw related to how redirections to other websites are not validated, which can be used in phishing attacks.
  • Cross-site Request Forgery — an authentication-related flaw that, when exploited successfully, can force the vulnerable web application to perform unwanted or unauthorized requests such as transferring funds or changing personal data.

[InfoSec Guide: Mitigating web injection-based attacks]

The vulnerabilities can be used to compromise servers that host web applications that process financial transactions or are used to host sensitive data. The report also mentioned that e-commerce web applications were most exposed to denial-of-service attacks, which results in downtime in their online operations.

Finance and banking web applications were more at risk due to the complexity of processes involved in transaction management. This can include the interaction between the bank’s servers and the credentials keyed in by users in browsers; how transactions are validated, encrypted, and processed in real time (i.e., mainframes); or how the application’s functionalities are implemented across all platforms, especially mobile. In December 2017, for instance, several popular banking apps were found vulnerable to man-in-the-middle attacks that can let hackers snoop around their traffic and steal banking credentials. The security gap was found in the way encrypted communications are handled. As echoed by a report from the SANS Institute, the more complicated these processes are — or the more technologies or features are introduced — the wider their attack surfaces could be. All it takes is one unpatched vulnerability to gain a foothold in an organization’s network

[Best Practices: Mobile application security for developers]

These vulnerabilities underscore the ever-significant role of security by design, which ensures that all layers of an application’s underlying components have the resilience against cyber threats. However, managing an application’s security in an environment where they need to be agile yet scalable can be challenging, particularly when there's little collaboration between developers and information security professionals.

DevOps, both as a culture and set of tools, provides the means to bridge this gap. By identifying XSS flaws early on in the development of a banking web application, for instance, it can secure session cookies that contain a user’s credentials or payment data. Ultimately, this prevents financial losses or legal cases a bank could incur should an attacker successfully exploit the vulnerabilities.

DevOps serves as a layer that can streamline security and integrate it into an application’s seemingly disparate components. This approach is seeing increased adoption. In fact, Gartner projected that within the next year, over 70 percent of DevOps initiatives among enterprises would incorporate automated security for packages that make up the applications they use or deploy. For developers, system administrators, and information security professionals, the Open Web Application Security Project’s guidelines can serve as a good benchmark for incorporating security into their web applications, while automated tools can help remove bottlenecks between the need to innovate an application and the importance of securing it.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.