Description

Vulnerabilities related to the design, implementation or configuration of IT systems for financial institutions can result in economic losses and damages to a company’s image.

During each stage of an application’s lifecycle, it is possible to take action to prevent, correct, mitigate or fix vulnerabilities and weaknesses which have been exploited or could potentially be exploited.

New applications can be analyzed starting during the design stage in order to protect their features. Systems still in development can be analyzed in order to identify vulnerabilities in their source code or in how they behave in a testing environment. Applications already in production can be subjected to Ethical Hacking, and the source code and configuration must be addressed for applications with identified vulnerabilities.

The most widely known activity in IT security is Ethical Hacking, which consists of detecting and evaluating the impact existing vulnerabilities can potentially have if they are exploited by attackers. However, if only this task is carried out, the approach can be both ineffective and inefficient.A proactive and distributed approach in all the application development lifecycle ensures less risks (eliminating vulnerabilities long before production), mitigates the possibility of the application being rejected due to critical vulnerabilities, avoids unnecessary reworking, and introduces security skills within the project team itself.

Applications are developed by people, so it is important to provide them with both the tools and the necessary knowledge to identify whether or not they could be introducing a security risk during the application’s development. Without this knowledge (which is not usually touched upon in technical and university degrees for technology), developers are faced with challenges for which they do not have any tools.

At GeneXus Consulting, a model company for the use of the GeneXus technology, we have researched and developed methodologies and tools to train, design, implement and mitigate vulnerabilities and risks in applications developed with GeneXus and other technologies (Java, .NET, JavaScript, etc.).

We have extensive experience in IT security and GeneXus development, which allows us to offer excellent services for the GeneXus ecosystem. At the same time, we also have deep knowledge regarding Bantotal and core banking integrations, which allows us to offer security services effectively and efficiently.

We have proven experience specific to clients in the financial area, both at a national and an international level, with security projects (vulnerability analysis, security mentoring and consulting, Ethical Hacking projects), as well as with Security training for our client’s technical team and guidance when implementing proactive actions during the development lifecycles.

Our Security services for the financial industry include:

1. Ethical Hacking

The objective of Ethical Hacking is to identify exploitable vulnerabilities which can compromise the availability, integrity, or confidentiality of an organization’s information.

The service consists of identifying, validating, exploiting and using the detected vulnerabilities to determine the potential impact they can have for the organization.

The information assets subject to Ethical Hacking are agreed upon in each individual case; they can include a subnet, an IP, a web or mobile application, or the organization as a whole. As a deliverable for this task, a report is created with details regarding findings (vulnerabilities), evidence of their existence, and solution alternatives.

2. Application Security Diagnostics

For existing applications, it is possible to detect the main system vulnerabilities and propose improvement action plans with an analysis of both the GeneXus knowledge base (KB) and the running system.

The real diagnosis is carried out using proprietary tools and is led by a team of security experts.

3. Secure Development Lifecycle

We offer security systems applied to each stage of an application’s development lifecycle: requirements, architecture and design, development, testing, and applications in production.

Such a proactive approach makes it possible to achieve better security levels in applications and, therefore, to reduce risks and possible cyber attacks on production systems.

4. Security Training with GeneXus

The aim of this course is to raise awareness, and train users in the development of GeneXus solutions, about the importance of security and detection, validation and mitigation techniques for potential risks in existing Web and SD applications. In addition, participants are guided through the implementation of the acquired concepts because the course has a theoretical-practical approach and, therefore, if possible, the work is done based on real cases.

The focus is primarily on people who work with GeneXus, from analysts, developers and testers, to project managers who want to delve deeper into the main existing security risks.

As a reference and guide for the course, the latest version of the OWASP Top 10 ranking is used, where the most common current application risks are included.

5. Remediation Services

Once a vulnerability has been identified during an Ethical Hacking activity or stemming from an actual attack, we have the capacity of implementing the required changes to remove or mitigate the vulnerability efficiently and effectively.