Don't let development pressures cut short security testing procedures, warn experts
Posted: 17:10 15 Nov 2004
Topics: Security Flaws & Exploits
Security vulnerabilities discovered on two financial
services websites this month have raised questions over the
priority organisations give to testing when they roll out or
upgrade internet services.
Vulnerabilities at online bank Cahoot and Morgan Stanley's credit
card website, which were remedied by the companies as soon as they
were discovered, had left customers' personal data accessible on
the internet.
Although the banks have stressed that no customers lost money in
the incidents, a customer complaint has been made to the
information commissioner alleging that Cahoot breached the Data
Protection Act by failing to secure financial data
adequately.
Computer Weekly has reported many examples of security
vulnerabilities on e-commerce sites over the years, and many more go
unreported. Security experts contacted by Computer Weekly said
inadequate testing procedures were largely to blame for the
breaches that have hit the headlines.
Maxine Holt, an analyst at Butler Group, said, "The timescales for
projects can become compressed. Something is added or changed in
the development process which results in more development time
being needed." To catch up, time scheduled for testing can be
truncated, she added.
This scenario is common in the financial services industry, said
Richard Brain, a penetration testing expert at Procheck-up, which
specialises in testing financial websites.
Brain said his company is often called in to check the security of
financial websites weeks, or even months, after they have gone
live.
"When people do roll-outs they often do not make sufficient time
for security testing. Or if they do, the developers take too long.
Security testing goes out of the window and we are called in
afterwards to fix it," he said.
Brain has found serious security flaws in many of the websites he
has tested. He said that many were vulnerable to SQL injection,
that system files were accessible on 10% of them, and that 10% had
weaknesses in their customer authentication systems.
Holt said solving these problems is more of a cultural and
management issue than a technical one. Every part of the
organisation, from the board room down to the marketing department,
has to understand that proper security testing is more important
than meeting a project deadline.
It is vital for people at the top of an organisation to realise
that security must be paramount, she said.
"It is going to have to come from the top down, rather than the IT
director and chief executive pushing for a change to be put in as
soon as possible.
"They have to appreciate that a late change is going to affect
testing. And they have to allow extra time for that."
Treating security this way makes sound financial sense. Fixing a
problem once software has gone live is more expensive than dealing
with the problem at the design stage.
Morgan Stanley tightens security
Morgan Stanley tightened the security on its credit card site after it emerged that confidential account details could be viewed by the next person to use a shared PC.
The problem affected customers who used the AutoComplete feature in Microsoft's Internet Explorer browser, which remembers form entries and passwords and fills them in automatically on later visits.
"It has not been something that has been a problem for any of our card holders," the bank said. "When it came to our attention we put a block on it."
Cahoot reviews software testing
Cahoot, the internet bank run by Abbey, closed its website for 10 hours after a user reported a security flaw that left customers' bank account details exposed on the internet.
The flaw had been introduced after Abbey carried out a planned upgrade to improve customer authentication on the site.
Cahoot said it was reviewing its software testing procedures following the incident, which left accounts accessible using a username without a password.
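The article does not describe how the Cahoot upgrade let a username through without a password, so the following is an added, hypothetical illustration, not Cahoot's or Abbey's code: a login check in which a new code path introduced by an "authentication improvement" fails open when the password field is absent, placed beside a version that fails closed, together with the small set of abuse cases a regression test should run before a release. The user store, the salted PBKDF2 hashing and all function names are assumptions made for the example.

```python
"""Hypothetical login check that can be bypassed by omitting the password,
beside a hardened version and the abuse cases that should gate a release.
Added example, not code from the article or from the banks it names."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample credential store: username -> (salt, PBKDF2 digest).
# Iteration count is kept modest so the example runs quickly.
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS: Dict[str, tuple] = {"alice": (_SALT, _hash("correct horse", _SALT))}


def login_vulnerable(username: str, password: Optional[str]) -> bool:
    """Assumed bug: a code path added during an 'upgrade' treats a missing
    password field as 'already verified elsewhere' and returns True, so a
    bare username is enough to reach the account."""
    record = USERS.get(username)
    if record is None:
        return False
    if password is None:        # bug: fails open instead of failing closed
        return True
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def login_fixed(username: str, password: Optional[str]) -> bool:
    """Fail closed: every path must prove possession of the password, and
    an unknown user costs the same hashing work as a known one."""
    if not username or not password:
        return False
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)   # keep timing similar for unknown users
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def abuse_cases(login: Callable[[str, Optional[str]], bool]) -> Dict[str, bool]:
    """Run the negative cases a pre-release test should cover.  Every value
    must be False; any True is an authentication bypass."""
    return {
        "missing password": login("alice", None),
        "empty password": login("alice", ""),
        "wrong password": login("alice", "wrong"),
        "unknown user": login("bob", "correct horse"),
        "missing username": login("", "correct horse"),
    }


def passes_release_gate(login: Callable[[str, Optional[str]], bool]) -> bool:
    """True only if no abuse case grants access and the real credential still works."""
    return (not any(abuse_cases(login).values())
            and login("alice", "correct horse"))


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "bypasses:", [c for c, ok in abuse_cases(fn).items() if ok])
```

The point of `abuse_cases` and `passes_release_gate` is that the missing-password case is cheap to encode as a regression test once, after which a compressed schedule cannot silently drop it: the gate runs in seconds and fails the build rather than relying on a tester remembering to try a blank field.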