Digital Banking Safeguards to Mitigate Risk (OWASP Top 10)

AppE.5.b(ii) Mobile-Enabled Web Site Risk Mitigation

Financial institution management should consider several controls to mitigate risks associated with mobile-enabled Web sites, including the following:

  • Provide specific training and security awareness materials for users and customers accessing the institution’s sites to teach them how to identify compromised sites.

    RESPONSE: CSI requires all Software Engineering staff to complete a security training module each year. This training includes coding best practices and the OWASP Top 10 security threats.

  • Require Web site developers to follow a secure development life cycle to increase the security of the Web sites designed for the financial institution.

    RESPONSE: CSI has a very strict Software Development Lifecycle (SDLC). All code changes are tracked against an approved change request. The changes must go through testing by a developer, code review by a peer, and final approval from an outside quality control group. There are also various procedures that must be followed for getting change sets applied to production environments. CSI undergoes both internal and external audits of this SDLC.

  • Require developers to build a secure Web site especially for mobile devices and encourage them to follow the guidelines provided by the Open Web Application Security Project (OWASP) Top 10 for Web applications and OWASP Top 10 for mobile.

    RESPONSE: CSI uses the latest technology to test code against possible vulnerabilities. There are procedures in place where tools such as HP Fortify and Microsoft Secure Code Analyzer scan our code base and report any possible areas for improvement.

    Procedures are in place to review and correct any findings. These reports are monitored and reviewed but are not made available publicly. They are made available to internal audit and the CSI Security Officer.

    CSI has the latest hardware-based Web Application Firewalls in place to monitor for and alert on security threats.

  • Make available a baseline set of controls, and educate customers on the use of those controls to protect their device and information (e.g., device passwords with complexity, application passwords, and an auto-wipe feature after excessive password failures).

    RESPONSE: CSI provides functionality in our web applications that allows customers to define an appropriate risk tolerance for password complexity and to wipe and disable devices.
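As an added example, not code from CSI or from the FFIEC guidance: the Python below sketches how a mobile-banking backend could express a customer-selected risk tolerance as a device policy and enforce the two controls the bullet names, password complexity and an automatic wipe after excessive password failures, next to a customer-initiated remote disable and wipe. The preset names, thresholds, character-class rule and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DevicePolicy:
    """One 'risk tolerance' level a customer can select (constructed preset)."""
    name: str
    min_length: int     # minimum password length
    min_classes: int    # how many of upper / lower / digit / symbol must be present
    wipe_after: int     # consecutive failed unlocks before the device auto-wipes


# Constructed presets; a real system would persist the customer's choice per device.
POLICY_PRESETS: Dict[str, DevicePolicy] = {
    "standard": DevicePolicy("standard", min_length=8, min_classes=3, wipe_after=10),
    "strict":   DevicePolicy("strict",   min_length=12, min_classes=4, wipe_after=5),
}


def complexity_findings(password: str, policy: DevicePolicy) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    findings: List[str] = []
    if len(password) < policy.min_length:
        findings.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_classes:
        findings.append(f"uses {classes} character classes, policy requires {policy.min_classes}")
    return findings


@dataclass
class DeviceState:
    """Per-device counters kept server-side so a reinstalled app cannot reset them."""
    failures: int = 0
    disabled: bool = False   # remotely disabled by the customer or the institution
    wiped: bool = False      # terminal: local data has been removed


def record_attempt(state: DeviceState, succeeded: bool, policy: DevicePolicy) -> str:
    """Apply one unlock attempt and return 'ok', 'failed', 'disabled' or 'wiped'."""
    if state.wiped:
        return "wiped"
    if state.disabled:
        return "disabled"          # a disabled device rejects every attempt, correct password included
    if succeeded:
        state.failures = 0         # only consecutive failures count toward the wipe threshold
        return "ok"
    state.failures += 1
    if state.failures >= policy.wipe_after:
        state.wiped = True         # auto-wipe after excessive password failures
        return "wiped"
    return "failed"


def disable_device(state: DeviceState) -> None:
    """Customer-initiated remote disable (e.g. a misplaced phone)."""
    state.disabled = True


def wipe_device(state: DeviceState) -> None:
    """Customer-initiated remote wipe (e.g. a phone confirmed stolen)."""
    state.wiped = True


if __name__ == "__main__":
    p = POLICY_PRESETS["standard"]
    print(complexity_findings("Tr0ub4dor&3", p))     # [] (constructed sample password)
    s = DeviceState()
    for _ in range(p.wipe_after):
        print(record_attempt(s, False, p))           # 'failed' x9, then 'wiped'
```

The wipe threshold is evaluated on the server, not inside the app, so an attacker who can reinstall or clone the app cannot restart the count, and a successful unlock resets the counter so an ordinary typo does not accumulate toward a wipe across weeks.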

  • Determine whether mobile browsers have available safeguards implemented, such as anti-XSS modules or additional monitoring of browsers for those that are no longer supported, and deny access to devices with mobile browsers not meeting minimum standards.

    RESPONSE: CSI has varying levels of browser support.

  • Determine whether mobile-enabled Web sites are designed with the following mitigating controls to help minimize the potential for exploitation of "redirect and forward" vulnerabilities:
    • Avoid using redirects and forwards.
    • Explicitly hard code the URL to prevent manipulation by an attacker.
    • Apply additional validation or control checks to verify the user trying to access the URL, validate the URL, check the appropriateness of the URL request, and prevent a malicious user from redirecting site users to a phishing, malicious, or non-affiliated site.
    • Create a whitelist of trusted URLs.
    • Force all redirects to go through a page that notifies a user that he or she is leaving the page and require user confirmation.
    • Perform frequent vulnerability scans.

      RESPONSE: CSI uses industry-standard security hardening guides to configure web-based applications.

      A notification or "bump page" to let the user know they are leaving the financial institution's site is available on all high-risk web-based applications. Vulnerability scans are conducted by our internal security teams.
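As an added example, not code from CSI or from the FFIEC guidance: the Python below implements several of the "redirect and forward" controls listed above in one server-side validator. Path-relative targets stay on the application's own origin, absolute targets must be HTTPS and on a whitelist of trusted hosts, everything else falls back to a hard-coded landing page, and any permitted external destination is routed through a "bump page" that re-validates its own parameter before sending the user on. The host names, the whitelist, the `/leaving` path and the function names are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit

# Constructed configuration values; a deployment would load these from settings, never from the request.
APP_HOST = "online.example-bank.test"                                   # the application's own host
TRUSTED_HOSTS = {"help.example-bank.test", "cards.example-bank.test"}   # whitelist of affiliated sites
DEFAULT_LANDING = "/home"          # hard-coded fallback used whenever a target is rejected
BUMP_PAGE = "/leaving"             # interstitial that tells the user they are leaving the institution


def _has_control_chars(s: str) -> bool:
    # CR/LF (or any control byte) in a Location value is a header-injection risk; reject outright.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def classify_redirect(target: str) -> str:
    """Classify a user-supplied redirect target as 'internal', 'trusted' or 'blocked'."""
    if not target or _has_control_chars(target):
        return "blocked"
    target = target.strip()
    # A single leading slash is a path on this origin. "//host" is scheme-relative and browsers
    # normalise "/\host" to "//host", so both forms are treated as external and fall through.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return "internal"
    parts = urlsplit(target)
    if parts.scheme.lower() != "https":          # rejects http:, javascript:, data: and bare hostnames
        return "blocked"
    if parts.username is not None or parts.password is not None:
        return "blocked"                          # "https://trusted@evil.test" parses with host evil.test
    try:
        port = parts.port
    except ValueError:                            # malformed port
        return "blocked"
    if port not in (None, 443):
        return "blocked"
    host = (parts.hostname or "").lower()
    if host == APP_HOST:
        return "internal"
    if host in TRUSTED_HOSTS:
        return "trusted"
    return "blocked"


def resolve_redirect(target: str) -> Tuple[str, bool]:
    """Return (location, via_bump_page). Blocked targets are replaced by the default landing page."""
    kind = classify_redirect(target)
    if kind == "internal":
        return target.strip(), False
    if kind == "trusted":
        # The interstitial path is hard-coded; only the already-validated destination is a parameter.
        return f"{BUMP_PAGE}?to={quote(target.strip(), safe='')}", True
    return DEFAULT_LANDING, False


def bump_page_destination(to_param: str) -> Optional[str]:
    """The bump page re-validates its parameter so it cannot itself become an open redirect."""
    dest = unquote(to_param or "")
    return dest if classify_redirect(dest) == "trusted" else None


if __name__ == "__main__":
    # Constructed sample targets as they might arrive in a "?next=" parameter.
    for sample in ["/accounts/summary", "//evil.test/phish",
                   "https://help.example-bank.test/faq", "https://help.example-bank.test@evil.test/"]:
        print(f"{sample!r:50} -> {resolve_redirect(sample)}")
```

Two design points worth noting: the validator matches the parsed host against an exact whitelist rather than using a prefix or substring check, which is what lets `https://help.example-bank.test@evil.test/` and `//evil.test` be rejected, and the bump page calls the same classifier on its own `to` parameter, so the "user confirmation" control cannot be bypassed by linking straight to the interstitial with an untrusted destination.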
