Tech Focus Thu 1st March, 2018
Security testing: How we tried to ‘break the bank’
Mobile security is a hot topic. So when one of our teams asked us to test the security of its banking app, we addressed the problem in a novel way – by inviting our colleagues to hack into it.
Just before Christmas, they approached me to help them test the security of the project they were working on. They were building an iOS app and the supporting APIs and infrastructure for Xinja, an aspiring Australian neobank, and wanted to make sure they had identified and fixed any security issues prior to launch. The app was due to undergo an independent penetration test, and as much as possible we wanted that test to confirm that the app was secure, not tell us what we needed to fix. While the team had followed good security practices throughout the project, they wanted to go the extra mile and make sure they hadn’t missed anything.
I’m always looking out for ways to engage and excite the wider community when it comes to security, and this felt like a fantastic opportunity to do just that. We decided to host an internal hackathon – aptly named ‘Break the Bank’ – where the focus was on breaking rather than building. Hackathons are great for fostering creativity, and we liked the idea of running this kind of event to promote secure software delivery across the Equal Experts network.
We wrapped up the event in February, and I wanted to share details of how the event was run and the benefits we’ve seen come out of it.
Planning and execution
In preparing for the event, we took advantage of existing public resources to help define the vulnerability report template (thanks to HackerOne) and to rate the vulnerabilities (thanks to Bugcrowd). We then put together a scoring system to make the event as transparent as possible – after all, there were big prizes on offer!
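As an added illustration of the kind of scoring logic such an event needs (this is example code written for this page, not the scoring system the post describes), the block below scores vulnerability reports with assumed Bugcrowd-style priority levels P1 to P5. The two rules it encodes are the ones that most often cause disputes in practice: a report that triage rejects earns nothing, and when several people report the same finding, only the earliest valid submission is credited. The point weights, the `finding_id` assigned at triage, and the sample reports are all assumptions constructed for the example.

```python
"""Hypothetical report scoring for a 'break the bank' style internal hackathon.

Assumptions (not taken from the original post): each report carries a
Bugcrowd-style priority P1 (critical) .. P5 (informational); triage tags
duplicate reports with the same finding_id; the earliest valid report for
a finding wins its points and later duplicates earn nothing.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Points per priority level. Assumed weights, not the event's real table.
POINTS = {"P1": 100, "P2": 50, "P3": 20, "P4": 5, "P5": 1}


@dataclass(frozen=True)
class Report:
    reporter: str
    finding_id: str      # triage assigns the same id to duplicate reports
    priority: str        # "P1" .. "P5"
    submitted: datetime
    valid: bool = True   # False if triage rejected it (not reproducible / out of scope)


def score_reports(reports):
    """Return ({reporter: points}, {finding_id: credited reporter}).

    Reports are processed in submission order so that, for a finding reported
    by several people, the earliest valid submission is the one credited.
    """
    credited = {}               # finding_id -> reporter who got the points
    totals = defaultdict(int)   # reporter -> accumulated points
    for r in sorted(reports, key=lambda r: r.submitted):
        if not r.valid or r.priority not in POINTS:
            continue            # rejected report or unknown priority: no points
        if r.finding_id in credited:
            continue            # duplicate of a finding already credited
        credited[r.finding_id] = r.reporter
        totals[r.reporter] += POINTS[r.priority]
    return dict(totals), credited


def leaderboard(reports):
    """Sorted (reporter, points) pairs, highest first, ties broken by name."""
    totals, _ = score_reports(reports)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample reports; none of these are real findings from the event.
SAMPLE = [
    Report("alice", "F-1", "P2", datetime(2018, 1, 20, 9, 0)),
    Report("bob",   "F-1", "P2", datetime(2018, 1, 20, 11, 30)),  # duplicate, no points
    Report("bob",   "F-2", "P1", datetime(2018, 1, 21, 8, 15)),
    Report("carol", "F-3", "P4", datetime(2018, 1, 22, 14, 0)),
    Report("carol", "F-4", "P3", datetime(2018, 1, 23, 10, 0), valid=False),  # rejected
    Report("dave",  "F-5", "P5", datetime(2018, 1, 24, 16, 45)),
]

if __name__ == "__main__":
    for name, pts in leaderboard(SAMPLE):
        print(f"{name:6} {pts}")
```

Publishing the `POINTS` table and the first-valid-wins rule before the event starts is what makes the scoring transparent: every participant can recompute the leaderboard from the triaged report list.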
What made the event especially exciting was the global distribution of participants, spread across five countries on four continents. The target environment was open for attack 24×7 for nine days and there was no communication between the attackers and the defenders. This helped to validate how effective the monitoring and alerting systems were at detecting an attack and responding to it.
Finally, we had to spin up a separate testing environment where we could allow more aggressive testing to take place safely – isolated from any external systems that were beyond the scope of the event. This involved some work on the infrastructure and setting up TestFlight with a build of the iOS app for the attackers to break.
When the start date arrived, we watched with anticipation to see who would try to break the bank and how successful they would be. As the event wore on, the number of participants grew, and we were really happy both with the engagement across the network and with the skill shown by the attackers. It really kept the defenders on their toes! Many who took part were completely new to security, but obviously had the right mindset for finding weaknesses – a crucial skill for any security practitioner.
At the end of the event, the reports provided the defending team with some great feedback on the product and highlighted areas where things could be tightened up – exactly what we had hoped for. All round, a great success!
The network effect
An important outcome we wanted to achieve with Break the Bank was an increased awareness of security across the EE network. Many security awareness efforts focus disproportionately on developers, but I think it’s crucial that everyone understands that they play an important part in delivering secure software. What I found particularly encouraging about the event is that one of the prize winners is a Business Analyst – which is a role not typically mentioned in the DevSecOps world. It is an important reminder that conceptualising how software might be vulnerable is often just as important as specific coding skills.
We wanted our staff and associates to have the opportunity to look at the security of a real application and do their best to break it. Many people have used the intentionally vulnerable apps (like the outstanding OWASP Juice Shop) for learning about security – but it’s completely different when you’re trying to break a real app, built by a highly skilled team with a focus on security, with no hints to help you along the way.
People are attracted to the EE network because they see the calibre of professionals they can work with as well as the positive environment we actively promote. It is through events like Break the Bank (and the many other events we run and support) that we can support our colleagues in providing an excellent product to our client. The attackers gain from the experience of hacking a real app, the defenders learn how they can improve their delivery, and the client gets a better product to boot. It’s a win-win-win!
Break the Bank was a fantastic way to raise the profile of the Security Practice within Equal Experts and uncover some of the hidden talents within our network (they never cease to amaze us). Through the event we’ve met a number of people that are now very excited about security and keen to get involved more. I had the great pleasure of informing each of the winners of their prizes – and every one of them was genuinely surprised to have claimed a top spot.
I’m always interested in finding ways to promote security in a positive light; making it fun, accessible, and relevant to people in their everyday roles. I’m sure everyone walked away from the event with a new perspective on the security of their own deliveries… challenged to think about how they approach security today and what they can improve.
Credit to Xinja
We’re very grateful to our client, Xinja, for allowing us to host the event and share some of our experiences with the wider world. Xinja were very supportive of the event and that shows how they will do everything they can to ensure their customers are given the most secure mobile banking experience possible.
Like what you hear?
If you’re looking at ways to improve how you tackle the challenges of secure software delivery and would like some help, please get in touch. Or if you’re working in the security industry and think Equal Experts is as cool as it sounds (it is!), we’re always looking for talented consultants to work with.