The security issue that killed a financial product launch

A presentation at Agile Testing Days 2018 in Potsdam, Germany by Nicola Sedgwick

Slide outline

  crowd: bounty, reward, professionals
  story: ethics, vulnerable
  challenge: shopping, practicalities, reputation, competition
  situation: owasp, tools, understanding
  analysis: protested, impenetrable, landscape, maze, sense
  hacking: vulnerability, system, transmission, breach
  disbelief: halt, denied, perhaps
  repetition: footsteps, payments
  advice: trouble, gifts
  realisation: broken
  outcome: bounty
  summary
  takeaways

That was missed by the professional penetration testers and security 'experts'.

Security issues can be identified using the stock-and-trade critical thinking skills of a tester.

Some time ago I had the pleasure of taking part in a security bug hunt for a new financial product. This was a product ready to go to market, a product that had passed all penetration tests and was now being handed to a crowd of external testers for a final attempt to 'hack' the product.

Against all their confidence I was able to 'hack' that product and use funds to which I should not have had access. However, once I reported the vulnerability, I wasn't believed and I was asked to repeat the 'hack' multiple times until the 'experts' believed I was achieving what I was reporting - they simply couldn't believe that their penetration test result was wrong.

Like many security talks, I will tell you all about the tool I used to perform this 'hack'. Unlike many security talks, this is not a tool you can install, rent or purchase, because it's my brain; but your brain is capable of doing the same.

Key Learnings

  1. You already have the skills to find security problems
  2. Critical thinking skills are perfect for locating security problems
  3. Engage security assessment as part of architecture planning, not just at the end of the release
