This post is from the Arxan blog and has not been updated since the original publish date.
Vulnerability Epidemic in Financial Mobile Apps - Episode 5 [Video]
Who should take action
So looking at the results of your research and understanding them, all of these organizations probably have a CISO or someone that's responsible for security. Is-- who should be reading the results of this research? Who should be keeping themselves up at night after the things that you've found? Is it just a matter of continuing to educate the CISO, or do you collectively interested in what you think? Who should be reading this research and understanding that--
The problem is that working at different companies it's very siloed, right?
I mean, if we all, you know, as security engineers, we all remember the time when network engineers hated security engineers. Security engineers hated network engineers. They were like the redheaded stepchild, right? We wanted to close everything down and shut everything down. And network engineering wanted to make it all up and available. So we were directly at odds with each other in what our mission was.
That I think very much stems to application development and program management. So we have like, for example, I used to-- so I did some work for a large biotech company. And there was-- you know, they had actually created this app that was publicly available, and it was internally-- it was internal for that biotech. It was for those employees. And we used it quite routinely for accessing certain things. There was MDM. There was like, OK, we had our own little like portal, branded portal and everything and for [INAUDIBLE]. But that app, that app that was created by that biotech was never-- like they never worked with security. They never like, hey, you know, we need to put a-- we need to do an app pen test against this app. That was never-- that concept was never thought of. And we-- I think that's going to be very systemic for multiple organizations where product development and cybersecurity are very much siloed.
And the chief information security officer at many organizations is responsible for enterprise security risk audit and compliance, where you have a completely separate group that's doing product development and management where they should be getting security awareness training. They should be getting STH training. And you know, they're probably not, at least from what I've seen from the results of this research. That is not happening.
So do you think that from this research it should be the business owner, the head of mobile banking, the head of the GM of some business unit within a bank that should be reading this and deciding that they need to make changes?
That's a good question. So I just recently wrote an article from some research I did about how I think there's this evolution happening where this fundamental shift is occurring between the chief fraud officer and the chief information security officer, where those roles are becoming very much aligned. And when they're in vendor security briefings, when a vendor is pitching a product to the chief fraud officer, it's becoming increasingly common where the CISO will be in that meeting. Because if you think about it, the adversary on the fraud side, whether it's called synthetic identity fraud, [INAUDIBLE] all of those things, credentials [INAUDIBLE] all of that is affected. It's the same adversary that the CISO is facing. Why would you have two completely different units, right, defending against the same adversary not talking, right?
So it's a great question. I think the answer is all of the above. I think whoever is in charge of product development and engineering needs to be just as conscious about security awareness and secure code development as the CISO, as enterprise security.
And you said something interesting before that there was an app that you had removed. So is that-- so was one of the apps that you tested something that you had actually used before in your personal life?
Right, so I do quite a bit on, you know, quite-- I use apps quite a bit because I do it for OTC trading. I also do a lot of mobile banking with my app, like why load up Chrome and go to the website when I can just pull up the app, especially with the Face ID thing. That's pretty cool. So yeah, one of the apps had such critical findings that I stopped using it and switched to a different service. Now, I'm actually doing static code analysis of apps I use.
When it deals with financial services, I did not think that the problems would be this critical and this systemic across multiple verticals of what I tested. So this makes me wonder that, you know, if this kind of information were to get more widely available to the general public, that these are the things that the general manager, the business owner, the actual person that owns the PML for that banking or payments business should be concerned about.
Definitely, and we work with banks, right? At Aite Group we work a lot with the financial institutions.
And you know, fraud is a very-- and the interesting thing about fraud and information security is that the chief fraud officer in fraud, you know, you expect things are going to get through. Whereas, you know, the chief information security officer has to pretty much prevent everything.
So when we were talking about how you had removed an app that you were using and that it sounds like it's really, it's beyond the chief information security officer. Even if they were to take action, the people that are going to create change with an organization and win you back and hopefully before there's a large scale breach maintain their customer bases is really beyond the security person.
Yeah, no, so that's a good question. So I've always been a big believer in the fact that security is more than just control. Security isn't a technology problem. Security is a people problem. And so I believe that information security should be part of a holistic management system.
I'm a big ISO 27001 girl. Like I believe that everything should be part of an ISMS. In an information security management system, product development is part of those security controls. And so you see these large multi-billion dollars under asset, you know, under asset management. And it's clear from looking at the source code, looking at these apps, that they're not operating in an ISMS, that it's not part of that holistic plan to check [INAUDIBLE] lifecycle.
And much to your point, it's almost like both sides, both a CISO and VP of engineering, or whomever is involved in that, are pointing fingers at each other that this is your domain, this is your domain. To win me back as a customer, for me to reinstall that app, I would need to know that they remediated the vulnerabilities that I found, are committing to regular application penetration testing, and that their developers have all been sent to SANS security training or something to train them on how to write more secure code.
It was just atrocious. It was like let's get this out as fast as we can.