Don't let development pressures cut short security testing procedures, warn experts

Security vulnerabilities discovered on two financial services websites this month have raised questions over the priority organisations give to testing when they roll out or upgrade internet services.

Vulnerabilities at online bank Cahoot and Morgan Stanley's credit card website, which were remedied by the companies as soon as they were discovered, had left customers' personal data accessible on the internet.

Although the banks have stressed that no customers lost money in the incidents, a customer complaint has been made to the information commissioner alleging that Cahoot breached the Data Protection Act by failing to secure financial data adequately.

Computer Weekly has reported many examples of security vulnerabilities on e-commerce sites over the years. Many more go unreported. Security experts contacted by Computer Weekly said inadequate testing procedures were largely to blame for most of the breaches that have hit the headlines.

Maxine Holt, an analyst at Butler Group, said, "The timescales for projects can become compressed. Something is added or changed in the development process which results in more development time being needed." To catch up, time scheduled for testing can be truncated, she added.

This scenario is common in the financial services industry, said Richard Brain, a penetration testing expert at Procheck-up, which specialises in testing financial websites.

Brain said his company is often called in to check the security of financial websites weeks, or even months, after they have gone live.

"When people do roll-outs they often do not make sufficient time for security testing. Or if they do, the developers take too long. Security testing goes out of the window and we are called in afterwards to fix it," he said.

Brain has found serious security flaws in many of the websites he has tested. He said that many were vulnerable to the SQL injection hacking technique, system files were accessible on 10%, and 10% had weaknesses in their customer authentication systems.

Holt said solving these problems is more of a cultural and management issue than a technical one. Every part of the organisation, from the board room down to the marketing department, has to understand that proper security testing is more important than meeting a project deadline.

It is vital for people at the top of an organisation to realise that security must be paramount, she said.

"It is going to have to come from the top down, rather than the IT director and chief executive pushing for a change to be put in as soon as possible.

"They have to appreciate that a late change is going to affect testing. And they have to allow extra time for that."

Treating security this way makes sound financial sense. Fixing a problem once software has gone live is more expensive than dealing with the problem at the design stage.

Morgan Stanley tightens security

Morgan Stanley tightened the security on its credit card site after it emerged that confidential account details could be viewed by customers using a shared PC.

The problem affected customers who used Microsoft's auto-complete tool, which remembers and fills in passwords automatically.

"It has not been something that has been a problem for any of our card holders," the bank said. "When it came to our attention we put a block on it."
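The auto-complete exposure above comes down to whether a login page lets the browser store the password field. The following is an added example, not code from the article or from either bank: a small audit that parses a login page and reports password fields on which neither the input nor its enclosing form sets autocomplete="off". The two forms in SAMPLE_HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: one form with no auto-complete control, one that opts out.
SAMPLE_HTML = """
<form id="login-weak" method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form id="login-hardened" method="post" action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>
"""

class PasswordFieldAuditor(HTMLParser):
    """Collects password inputs and whether auto-complete was disabled
    on the input itself or on its enclosing form."""
    def __init__(self):
        super().__init__()
        self.form_stack = []   # (form id, form-level autocomplete value)
        self.findings = []     # (form id, field name, auto-complete disabled?)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append((a.get("id", "?"), a.get("autocomplete")))
        elif tag == "input" and a.get("type") == "password":
            form_id, form_ac = self.form_stack[-1] if self.form_stack else ("?", None)
            field_ac = a.get("autocomplete")
            # A field-level setting overrides the form-level one.
            effective = field_ac if field_ac is not None else form_ac
            self.findings.append((form_id, a.get("name", "?"), effective == "off"))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def audit_password_fields(html):
    """Return (form id, field name, disabled) for every password input found."""
    p = PasswordFieldAuditor()
    p.feed(html)
    return p.findings

def fields_at_risk(html):
    """Password fields the browser may offer to remember (no autocomplete=off in effect)."""
    return [(f, n) for f, n, off in audit_password_fields(html) if not off]

if __name__ == "__main__":
    for form_id, name in fields_at_risk(SAMPLE_HTML):
        print(f"form {form_id!r}: password field {name!r} may be stored by auto-complete")
```

Current browsers largely ignore autocomplete="off" on login password fields and offer to save them anyway, so this check covers the control the article describes rather than a complete defence for shared machines today.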

Cahoot reviews software testing

Cahoot, the internet bank run by Abbey, closed its website for 10 hours after a user reported a security flaw that left customers' bank account details exposed on the internet.

The flaw had been introduced after Abbey carried out a planned upgrade to improve customer authentication on the site.

Cahoot said it was reviewing its software testing procedures following the incident, which left accounts accessible using a username without a password.