An area that is rather uncharted in terms of its level of commitment to IT security is the domain of Core Banking Systems (CBS). Who has ever heard of products like Avaloq, Flexcube or T24? If you are not working in the finance industry the chances are not very high that you have. The terminology refers to software that enables a bank to merge information technology to suit with its core needs of banking. Credit and loan-processing, account and transaction management, interest calculations and performing payments are just a few examples for the powerful and wide ranging capabilities of these systems. CBS products incorporate many daily operations of a financial organisation therefore the protection and the security of these systems require the highest priority.
Considering the importance of CBS products not only for a single financial organisation but for the entire financial ecosystem, SEC Consult decided together with Capgemini to shed some light into the maturity of CBS products in terms of application security. The study was written, conducted and compiled over a period of nineteen months, consisting of two parts, a vendor survey and a security test for selected CBS products. Although most of the selected vendors (Avaloq, FIS (with two products), Infosys, Misys, Oracle, SunGard, TCS Financial Solutions) participated in the study, there were unfortunately some, which did not take part (Callataÿ & Wouters, Delta Informatique, SAP and Temenos). This article focuses on the security testing part of the study, illustrating CBS vendor’s pretense about their security testing approach and their findings. Additionally results of our own application security tests of selected CBS products will be depicted.
Part 1: The survey
We asked CBS vendors about their promises, commitments and relevant activities relating to the application security of their product. A detailed questionnaire was sent to all vendors and we recommended that the person responsible for IT security should answer the questions or at least conduct a quality assurance exercise of the questions and answers. The questions can be categorised in the following areas.
● Level of commitment to application security
● Management of information security
● Training for developers in application security
● Methods of secure development
● Threat modelling and security requirements
● Size and complexity of CBS product
● Security Testing & Identified Vulnerabilities
● Security Incident Response
● Standards and best practices for application security
An obvious conclusion to these findings is that a low assurance level for CBS products is clearly not sufficient, therefore some of the vendors have to step up their security testing efforts. Vendors also have to be prepared to put their claims to the test. Banks are advised to actively test the security of CBS products and include detailed security testing as an important aspect of a product evaluation process.
The collected data about security vulnerabilities identified by vendors in their CBS products varies considerably in terms of the quantity of discovered security weaknesses. Some vendors indicated that they have not encountered a single vulnerability during their security tests; others said that they have found more than 100. During our many years of performing application security tests we virtually never had an application where we did not have at least any low impact findings at the initial test. Having no findings at all is a strong indicator for the low quality of the performed application security tests. For the sake of fairness it has to be said that having hundreds or even thousands of findings does not necessarily proof a high quality security test either. Especially automated tools are notorious for producing a lot of false positives. For this reason not only the volume of found vulnerabilities has to be taken into account but also the quality of the results.
Part 2: CBS security testing
In order to validate the results of the survey we originally intended to conduct the second part of the study by performing application security tests for the vendor products we had surveyed. So we offered a free of charge application security test to be conducted by our security experts on a test system provided by the vendor. Certain vendors showed a serious interest in participating but unfortunately, after certain deliberations, all vendors declined to participate.
While developing an alternative approach to the second part of the study we managed to gain support from the financial service industry. Fortunately, three banks allowed us to have a look at their CBS systems, which were already implemented, by the banks in question. As a result at least three of the products described in part 1 have been included in the second part of the study.
All of the three CBS products were tested using a blackbox approach. For the security tests only low-privileged users were provided. For all of three CBS products severe and critical vulnerabilities had been discovered. None of the vulnerabilities had been discovered by the quality assurance process of the vendors. The following types of vulnerabilities and the resulting technical impact have been discovered during the application security tests:
- Cross Site Scripting (XSS) – Stealing the identity and spy a CBS user
- Privilege Escalation – Become a more powerful CBS user
- Weak encryption – Stealing the password of a CBS user
- SQL Injection – Direct access to the database
- Direct OS Command Execution – Remote control of the server of the CBS
All of the found vulnerabilities were fully exploitable and proof of concepts including videos were created for each of them. In order to protect the participating banks as well as other customers we will not disclose any details regarding the vulnerabilities, the tested products and the participating banks.
During a decade of working in the IT security industry we have seen it so many times in the past with our clients and also software vendors we are working with – security does not happen overnight. It is a process and for those software vendors who did not have security in mind at the time they designed the software or during the software development phase they usually start at the bottom and the bottom means no or very low security. CBS products are found usually in a bank’s internal network, but as these systems incorporate more and more functionality and serve as backend systems for Internet facing systems the attack surface is definitely growing. The results of our study have shown that at least some CBS vendors have to significantly improve the application security of their products. Further owners of CBS products are strongly advised to actively validate their products and to incorporate security requirements in any future procurement process.