Financial institutions have been attractive hacking targets for many years, and this attention has not diminished with the addition of cloud and mobile technology. FinTech emerged in the 21st century as an industry that uses technology to make financial services more efficient and is now valued as a $35 billion industry (2018). As information is more readily available to consumers, financial companies have only become more desirable to attackers. The stakes continue to grow: the losses and penalties that follow a breach can cause serious damage if security is not taken seriously.
Nowadays there are security practices put in place by industry to help financial companies remain compliant (such as the Payment Card Industry Data Security Standard, PCI DSS). I sat down with Kunal Bhattacharya to discuss what he is doing at Credit Karma to help keep the FinTech company secure. He also shared his thoughts on the critical importance of security testing for financial technology companies.
Kunal is a security expert with a talent for penetration testing, shaping bug bounty programs, and infrastructure development. With seventeen years of professional experience in software development, design, test, and engineering services, his specialties include SPLC, Security Strategy, QE management, Product development, System Administration, DBA, Production Support, Escalation Management, and Organisation Development.
Why should FinTech companies care about pen testing?
FinTech companies must take steps to keep their customers’ financial information and identities secure. Financial companies handle a lot of sensitive data that is imperative to protect. If data is not properly protected, the consequences can include a total loss of trust from customers, loss of business, and hefty legal and financial consequences. Recovering can be an extremely complex -- and potentially impossible -- challenge. This is why AppSec should be in place from the very beginning.
FinTech came about as a way to disrupt a specific financial service problem. Finance is all about trust. When it comes to cyber security, no software or system is bulletproof, but continuous efforts to keep your applications as secure as possible are vital. The paranoia in the industry and compliance regulations do help somewhat in securing the last mile, but shouldn’t be the only motivation for doing the right thing.
As an example, FinTech companies should have a well-defined pen testing program to help monitor their security and bring to light any areas that may need additional protection. Pen testing can help as a way to give an overall summary of your company’s security posture.
What is the main driver for security at a FinTech company?
As I alluded to in my response to the previous question, trust is at the core of the FinTech industry. When people are depending on you to handle their money or financial information -- whether it be related to loans, transactions, or any other financial instrument -- their greatest fear is a compromise of their financial identity. In order to ensure their customers’ data, information, and identities are protected, FinTech companies need to do more than extra due diligence. Constant monitoring and testing for security vulnerabilities is a must.
How do Red Teams, bug bounty, and external pen testing work together?
When securing an application, there are multiple defence techniques that work in tandem to make sure that an organisation is protected and risk is appropriately managed. At every phase in the development lifecycle, there is an opportunity to secure the software.
At Credit Karma, our Red Team acts as the first line of our security testing defence. It comprises many highly skilled and diverse internal pen testers who hack away at our applications to keep them safe.
We also utilise external pen testing companies and consultants to ensure that we cover our bases. External pen testing companies like Cobalt.io have been able to seamlessly integrate into our security ecosystem, allowing us to catch vulnerabilities and remediate them without slowing down our developers. We also use a bug bounty program as an open channel for responsible disclosure.
How do security scanners and manual pen testing teams work together?
The fight between good and evil is ongoing. Bad guys use every tool at their disposal to steal data and credentials, so internally we leverage these tools as well. Static scanners give us an early view of vulnerabilities at the code level, which can reveal low-hanging fruit to be remediated earlier in the cycle. Dynamic application scanners provide more of a black-box capability for testing; however, they have their own set of limitations. Manual pen testing is a critical line of defence towards identifying and remediating vulnerabilities -- this is where the creativity and business logic come into play.
If you had to prioritise your application security spend, what would be your main focus?
Every organisation has its own unique challenges. However, in order to have a mature AppSec program in place, it’s important to initially cover the foundational base and then move up the maturity curve covering more and more ground.
At Credit Karma, we aspire to be the best and to make sure that our members’ information is protected twofold. In order to move up the curve, the first step is to shift from a reactive model to a more proactive seek-and-destroy model. We are bringing industry changing capabilities to redefine Application Security and present it to the masses.
How are you handling remediation? What processes do you have in place to speed time-to-fix?
This is a topic which is very near and dear to my heart. The first and foremost to-do is to create a security mindset amongst all the engineers in an organisation. Security awareness is key.
At Credit Karma, we have different training programs, including a security on-boarding program for new hires. More recently we have also invested in creating a Night’s Watch -- like Game of Thrones -- as an army of the Credit Karma employees to protect against attackers. We look at security as a complete end-to-end service. As part of that, we look for issues and work with engineering to propose solutions to not just fix an issue, but also create framework-based solutions that purposefully reduce the threat surface of attackers. Having a well-defined CSP (Content Security Policy) is an example of that.
The goal is to create a bridge between application features and security frameworks that can help provide core protection as well as reduce the overall vulnerabilities found. This is done by reducing the threat surface and the weakest link: an unintended insecure practice from a rookie.
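As an added illustration of the framework-based protection Kunal mentions (this is example code written for this page, not code from Credit Karma or the original article), the Python below lints a Content-Security-Policy header for the permissive settings that quietly widen the threat surface, and builds the nonce-based policy a web framework could emit on every response so that a developer cannot accidentally ship an inline-script-friendly policy. The header values are constructed samples.

```python
import secrets
from typing import Dict, List

# Directives a policy should pin down explicitly. Omitting them falls back to
# default-src (or, for object-src and base-uri, to "allow anything").
REQUIRED = ("default-src", "script-src", "object-src", "base-uri")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def lint_csp(header: str) -> List[str]:
    """Return findings that make the policy weaker than it looks; empty list means clean."""
    policy = parse_csp(header)
    findings = []
    for name in REQUIRED:
        if name not in policy:
            findings.append(f"missing {name}")
    for name, sources in policy.items():
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(f"{name} allows 'unsafe-inline' (inline script injection is not blocked)")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval'")
        if any(s in ("*", "http:", "https:") or s.startswith("*.") for s in sources):
            findings.append(f"{name} has a wildcard source")
        if any(s.startswith("http://") for s in sources):
            findings.append(f"{name} allows a plaintext http source")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce; a framework middleware would call this once per request."""
    return secrets.token_urlsafe(16)


def build_nonce_csp(nonce: str) -> str:
    """Hardened policy: only scripts carrying this response's nonce may run inline."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


# Constructed sample: the kind of permissive policy a framework might emit by default.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com"
```

Running `lint_csp(WEAK_CSP)` reports five findings, while `lint_csp(build_nonce_csp(new_nonce()))` reports none.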
How do regulations affect your AppSec plan?
We work with our legal team to stay abreast of and comply with applicable regulations, but it is important to constantly aspire for higher levels of security. It’s important to do what is required, but at Credit Karma we set the bar higher. We practice security as a service, which requires that we stay up-to-date on the latest attacks, defence techniques, tools, etc. This stance on security shapes and defines our year-on-year security strategy and roadmap.
FinTech companies do not have to fly solo. There are plenty of service providers, companies, tools, and industry experts who can offer advice. Keeping customer information secure is a big responsibility and shouldn’t be treated lightly. Remember that trust is the foundation of FinTech companies and the foundation of security, and it is something that can easily be lost and is hard to regain.
Caroline Wong, VP of Security Strategy, Cobalt
Image Credit: Cobalt