A recent security flaw in a financial technology application, found by a security researcher, illustrates a significant benefit of verifying an application's security against the OWASP ASVS rather than the OWASP Top 10 list.
Here’s Why Not to Take Chances with Application Security Testing
According to KrebsonSecurity.com, technology service provider Fiserv, Inc. was just alerted to a significant vulnerability in its web banking platform. The flaw “…exposed personal and financial details of countless customers across hundreds of bank websites.” Most of the institutions impacted were small banks and credit unions.
A security researcher doing his own online banking found that a single edit to a record identifier in a page request let him view and edit alerts set up by other bank customers, along with their email addresses, phone numbers and the last four digits of their bank account numbers. An attacker could use the same technique to view other customers' transaction and alert activity and to add or delete the phone numbers and email addresses that receive those alerts.
OWASP Top 10 vs. OWASP ASVS
The Fiserv application was vulnerable to an Insecure Direct Object Reference (IDOR) attack: the server looked up a record by the identifier the client supplied without checking that the logged-in customer owned it, which resulted in the disclosure of other customers' information. IDOR was ranked #4 in the 2013 version of the well-known OWASP Top 10 list; in the 2017 version it is no longer a standalone entry but is folded into the broader category A5, Broken Access Control.
As a result, application security testers who treat the OWASP Top 10 as a checklist of named flaws can easily miss this type of vulnerability, which according to Krebs is “…among the most common types of security issues with websites,” as well as “…perhaps the most preventable and easily fixed.” An IDOR cannot be reduced to a scanner signature; finding one means exercising each object reference with a second user's session and checking whose data comes back.
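As an added illustration (not Fiserv's code, and not from the Krebs article), here is a minimal model of an alerts endpoint in Python: the vulnerable lookup beside a hardened one that checks record ownership on both the read and the write path, plus a probe that repeats the researcher's check of editing the identifier up and down. The alert records, usernames, handler names and ID values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Alert:
    """One customer alert as a web banking platform might store it."""
    alert_id: int
    owner: str        # username of the customer who created the alert
    email: str        # contact details the researcher could read and edit
    phone: str
    acct_last4: str   # last four digits of the account number


# Constructed sample data: three customers whose alerts have sequential IDs,
# the situation in which editing the ID in a request walks onto another
# customer's record.
ALERTS = {
    1001: Alert(1001, "alice", "alice@example.com", "555-0101", "4321"),
    1002: Alert(1002, "bob",   "bob@example.com",   "555-0102", "8765"),
    1003: Alert(1003, "carol", "carol@example.com", "555-0103", "1111"),
}


def get_alert_vulnerable(session_user: str, alert_id: int) -> Optional[Alert]:
    """Vulnerable handler: returns whatever record the client-supplied ID names.

    The request is authenticated (session_user is known), but the handler
    never compares the session with the record's owner, so any customer can
    read any other customer's alert by editing the ID.  This is the IDOR
    pattern described above.
    """
    return ALERTS.get(alert_id)


def get_alert_hardened(session_user: str, alert_id: int) -> Optional[Alert]:
    """Hardened handler: the same lookup, but the caller must own the record.

    A record that exists but belongs to someone else is treated exactly like
    a missing record (None, i.e. a 404), so the endpoint does not confirm
    which IDs are valid to someone probing the ID space.
    """
    alert = ALERTS.get(alert_id)
    if alert is None or alert.owner != session_user:
        return None
    return alert


def update_alert_hardened(session_user: str, alert_id: int,
                          email: Optional[str] = None,
                          phone: Optional[str] = None) -> bool:
    """Hardened write path: ownership is checked again before any change.

    Returns True if the update was applied.  The check is repeated here
    rather than trusted from an earlier read, because an attacker can send
    the write request directly without ever performing the read.
    """
    alert = get_alert_hardened(session_user, alert_id)
    if alert is None:
        return False
    if email is not None:
        alert.email = email
    if phone is not None:
        alert.phone = phone
    return True


def probe_neighbouring_ids(handler: Callable[[str, int], Optional[Alert]],
                           session_user: str, own_id: int,
                           span: int = 2) -> List[int]:
    """Reproduce the researcher's check as a test a verifier can run.

    Using one customer's session, request the IDs just below and above that
    customer's own alert and report every ID for which the handler returned
    a record owned by someone else.  An empty list means the object
    references are protected for this handler.
    """
    leaked = []
    for candidate in range(own_id - span, own_id + span + 1):
        record = handler(session_user, candidate)
        if record is not None and record.owner != session_user:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe_neighbouring_ids(get_alert_vulnerable, "bob", 1002))
    print("hardened handler leaks:  ", probe_neighbouring_ids(get_alert_hardened, "bob", 1002))
```

The fix is the ownership comparison on the server, not a less guessable identifier: random IDs only slow down enumeration, while the check in the hardened handler makes the leaked ID useless to anyone but its owner. The probe function is the kind of two-session test an ASVS-based verification runs against every endpoint that takes a record identifier.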
Pivot Point Security uses the newer and more comprehensive OWASP Application Security Verification Standard (ASVS) across its application security testing practice. The ASVS addresses this vulnerability even for applications with the lowest security risk profile (ASVS Level 1): its access control requirements (chapter V4) require that direct object references are protected so that each user can reach only the records they are authorized to see.
The ASVS offers several advantages over the OWASP Top 10 and other traditional application testing frameworks:
- It’s far more comprehensive because it focuses on holistically analyzing the application, not just searching for specific flaws.
- It factors in the application’s risk profile.
- It focuses on proactively preventing defects from being introduced into the code, not only on identifying vulnerabilities that already exist.
Using the ASVS offers our clients a more complete security assessment, better prioritization of security efforts, and easier planning for development teams.
Contact us to find out more about how our OWASP ASVS based application testing services can help your company develop, test, verify and/or procure applications that are both secure and compliant.