FINOM, an International Financial Service, Pentests Its Web Application
The pentest showed that FINOM’s web application is well-secured. ITGLOBAL.COM’s pentest report was accepted and approved by FINOM’s European partner bank.
About FINOM
FINOM is an international financial company with headquarters in Amsterdam, the Netherlands. They provide digital financial services to small and medium businesses, such as invoicing, multi-banking, virtual cards, and so on.
Right now the company works with clients from Italy, France, and Germany; more countries are to come soon.
The Task
FINOM’s web portal is a single-page application with personal accounts for different users, including corporate customers. The personal account stores data of varying importance, such as banking accounts, information about their balance, payment and credit cards, payment history, etc. Using the personal account, a manager can manage all financial processes of their company. This is why the security of this particular web service component is critical.
Andrey Varikov, FINOM CIO:
“Europe has very demanding requirements for personal data security under the GDPR (General Data Protection Regulation — editor’s note). We take these requirements seriously and pay close attention to make sure personal data get processed in a secure fashion. Although FINOM is a startup, we are building our infrastructure in such a way that we can ensure a high level of IT security.”
FINOM contacted ITGLOBAL.COM to assess the security of their personal accounts with a pentest. We decided to conduct a Black Box pentest, in which the auditors only have access to information from open sources. This type of pentest imitates a series of real-world cyber attacks as closely as possible, which lets us accurately assess how resistant the web resource is to being hacked from the outside.
Choosing a pentester
According to Andrey Varikov, when searching for an auditor, they were looking at pentesters’ ratings in specialized foreign catalogs, the deadlines, and the service cost.
The selection process was very thorough. FINOM’s IT specialists have extensive knowledge of the banking sector: they know how banking services are secured, how pentests are conducted, and what a pentester must know and be able to do.
“We chose ITGLOBAL.COM for several reasons”, Andrey noted. “The main one is that their company has a good rating; on top of that, the quality-price ratio was also important for us.”
Preparatory work
Before our specialists began their work, FINOM gave them access to test servers with pre-filled accounts (login records, fictitious personal data, and banking accounts) and provided the addresses of the production servers.
The ITGLOBAL.COM team was not told the specifics of FINOM’s information security processes. In this respect, FINOM is one of the exemplary companies in the fintech market:
- The web application is secured with proven tools, like HTTPS and an SSL certificate. On top of that, all user accounts have two-factor authentication via SMS or push notifications.
- FINOM’s information perimeter is well protected. You can only connect to the intranet by using a VPN. Only a few developers — the most responsible workers in the QA team — have access to the deployed code. Each deployment is thoroughly checked for compliance not only with business logic but also with security policy. None of the developers have the keys to the production server; the keys are stored in a separate data warehouse with access limited to administrators.
Testing process
- ITGLOBAL.COM conducted reconnaissance of FINOM’s web application using public sources;
- determined the security level of the website where the application is hosted, and analyzed the security of the website’s configuration and settings;
- imitated several attacks of different types to identify weaknesses and the possibility of unauthorized access to a FINOM personal account. The pentesters used manual hacking methods and specialized utilities often used by cybercriminals: Nmap, DirB, Sqlmap, Metasploit, Hydra, etc.
Results
The pentest showed several non-critical vulnerabilities, which the customer immediately addressed.
Alexander Zubrikov, ITGLOBAL.COM Head of Information Security:
“FINOM’s security is quite good. We found only one moderate vulnerability: the software version number was displayed on the Nginx web server. It’s likely that this version may have an unpatched vulnerability. If the attacker knows about it, they can conduct a successful attack and maybe even gain full access to the server. But, of course, they have to be highly skilled to do this.”
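As an added illustration (not part of ITGLOBAL.COM’s report or FINOM’s configuration), the following shell check flags the kind of version disclosure described above and notes the nginx directive that removes it; the response headers and the hostname in the comment are constructed.

```shell
#!/bin/sh
# Added example: detect whether an HTTP response discloses the web server's
# version in the Server header, the moderate finding quoted above.
# In nginx the disclosure is removed with
#   server_tokens off;
# in the http {} block, which turns "Server: nginx/1.18.0" into "Server: nginx".

# Prints 1 if the Server header carries a version number, 0 otherwise.
server_header_discloses_version() {
    # $1: raw response headers as one string (CRLF or LF line endings).
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | grep -i '^server:' \
      | grep -Eq '[0-9]+\.[0-9]+' && echo 1 || echo 0
}

# Constructed response before hardening: the version number is exposed.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'

# Constructed response after server_tokens off: product name only.
AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Live check against a host you administer (hypothetical hostname):
#   server_header_discloses_version "$(curl -sI https://portal.example.test)"
```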
As Andrey Varikov noted, FINOM’s IT specialists were flattered to know that their web service was really well-secured.
“In general, we liked how the work went,” said Andrey. “The specialists didn’t take up much of our time and did everything on their own. They knew what we wanted right away.”
ITGLOBAL.COM auditors prepared a detailed pentest report. This document was accepted and approved by FINOM’s European partner bank.
Plans for the future
FINOM and ITGLOBAL.COM have decided to continue cooperating. The next step is assessing the security of FINOM’s Android and iOS applications. This type of pentest includes analyzing the application architecture, checking code security, manual testing, fuzzing, and other methods.