
AppSec in the Post-Covid Environment in the Financial and Healthcare Industries

Micro Focus Expert

Key challenges we see during these times

As more of the world has gone remote, customers have changed the way they manage their finances, buy cars, shop online, dine out, hail a taxi, and even receive healthcare. More and more, all of these things are done through an app.

With this change comes a lot of innovation, and with that innovation comes a lot of responsibility. For product managers, developers and application security engineers, now is the time to be more deliberate about how solutions are developed, tested and deployed into production.

Here are the questions engineering teams should focus on answering while building their apps:

  • Is my application secure enough? (A broad question, but how would you answer it as a developer, product owner, or security engineer?)
  • What are the vulnerabilities in my application, and do I know them?
  • How is the data in my application accessed? Is user information protected?
  • Are there any ways that my application's data could be compromised?
  • Is my application's authentication under control?
  • How is data transmitted to the end user, and is it protected in transit?
  • How does my application's user access control work?
  • Can someone inject scripts into my application to make it behave in ways it was not designed to?
  • How is the application monitored for security issues in production?

If you are a critical part of application development, testing, or delivery and you don't know the answers to some of the questions above, that is worth thinking about.

How to move towards an end state called Application Resiliency:

There are different ways to reach a state where application security no longer holds a team back. Although the challenges are broadly shared, what that state looks like differs by industry and by application type.

Let's look at a couple of the top industries and the customer-facing apps that we deal with on a regular basis.

Financial Industry:

Let's assume you are a developer of a customer-facing app in the banking and financial domain. Let's also assume your app has millions of users and you want to ship a new release. That already means a lot of pressure: you need to meet your deadlines, commit your code, and get it reviewed and approved for deployment by your leadership team. As if that were not enough responsibility, in the financial industry, especially at banks, stock trading platforms, and 401k providers, you are dealing with large amounts of electronic money and sensitive customer data, either of which could be used for malicious purposes. As a developer in the financial industry, you have an obligation to the customers who trust you with their information.

Here are a few things you should take into consideration and be aware of as a financial industry developer:

  • Compliance - This is probably at the top of the list for anyone in the financial industry
    1. The key question to ask as a developer: is my code compliant with the regulations that apply to it?
    2. Is it the developer's responsibility to know the various industry regulations and their implications?
  • Sensitive information - Is my code exposing any sensitive information?
    1. Do you identify and classify your application's data categories by sensitivity and criticality?
    2. Do your development teams understand which pieces of customer information are critical?
    3. When you integrate with third-party solutions to pull or push information, are you aware that intentional or unintentional data access and data loss can occur?
  • API security - Are my third-party APIs exposing sensitive information?
    1. When connecting to other third-party solutions, are your teams taking the associated risks into consideration? Are you testing those integrations adequately?
    2. Do you know how the information you expose via APIs is stored in the third party's database?
  • Mobile security - How are your mobile apps storing information?
    1. If you work on a bank's customer-facing mobile app team, how do you store transaction information?
    2. Are there temporary data storage mechanisms that you use, and what ends up in them?
    3. How do the mobile applications communicate with your servers and/or third-party solutions?
  • Business logic - How strong is your business logic?
    1. When building your apps, are your applications meeting standards like the OWASP Top 10?
    2. Do you know well before production that your applications are secure?
    3. Do you know that your production applications are secure when tested dynamically, at runtime?
  • Multiple teams and challenges - How are the different tools across your organization communicating?
    1. With different teams responsible for different code commits, how do your teams communicate? Do you do any kind of integration testing?
    2. Is there an organization-wide, integrated approach to adequately protect your applications from being vulnerable?

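The "sensitive information" and "API security" questions above come down to one habit: decide, field by field, what each caller is allowed to see, and build API responses from that decision rather than from whatever the database hands back. The following is an added example, not code from the original post or from Fortify. The classification levels, field names, audiences and the sample customer row are all constructed for the example; a real programme would take the classification from its own data-classification policy. It shows a leaky "serialise the whole row" response beside an allow-list version that masks restricted identifiers for the customer's own session, sends partners only public fields, and fails closed on any column nobody has classified.

```python
import json

# Classification levels, assumed for this example.
RESTRICTED = "restricted"   # account numbers, PANs, national IDs, credentials
INTERNAL = "internal"       # needed by the customer's own session, never by partners
PUBLIC = "public"           # safe for any authenticated caller

# Field-level classification of a customer record (constructed for this example).
CLASSIFICATION = {
    "customer_id": INTERNAL,
    "display_name": PUBLIC,
    "email": INTERNAL,
    "balance": INTERNAL,
    "account_number": RESTRICTED,
    "card_pan": RESTRICTED,
    "ssn": RESTRICTED,
    "password_hash": RESTRICTED,
}

# Which levels each audience may receive verbatim. Restricted values are never
# sent verbatim; at most a masked form goes to the customer's own session.
AUDIENCE_LEVELS = {
    "customer": {PUBLIC, INTERNAL},
    "partner": {PUBLIC},
}

# Restricted fields that may be shown to the customer in masked form.
MASKABLE_FOR_CUSTOMER = {"account_number", "card_pan"}

# Constructed sample row, shaped like what an ORM would return. Note the
# column that was added later and never classified.
SAMPLE_ROW = {
    "customer_id": 10482,
    "display_name": "A. Example",
    "email": "a.example@example.test",
    "balance": "1520.75",
    "account_number": "000123456789",
    "card_pan": "4111111111111111",
    "ssn": "123-45-6789",
    "password_hash": "$2b$12$constructedhashvalue",
    "loyalty_tier": "gold",   # unclassified: nobody decided who may see it
}


class UnclassifiedField(Exception):
    """Raised when a row contains a column with no classification."""


def leaky_response(row):
    """Before: serialise the whole row. Every column, including ones added
    after the last security review, becomes an API field."""
    return json.dumps(row)


def mask_tail(value, keep=4):
    """Return the value with all but its last `keep` characters replaced by '*'."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]


def safe_fields(row, audience):
    """After: build the response from an allow-list driven by classification.
    Unknown audiences and unclassified columns raise instead of leaking."""
    allowed = AUDIENCE_LEVELS[audience]   # KeyError for an unknown audience
    out = {}
    for name, value in row.items():
        level = CLASSIFICATION.get(name)
        if level is None:
            raise UnclassifiedField(name)
        if level in allowed:
            out[name] = value
        elif (level == RESTRICTED and audience == "customer"
              and name in MASKABLE_FOR_CUSTOMER):
            out[name] = mask_tail(value)
        # every other field is simply not emitted
    return out


def safe_response(row, audience):
    """JSON form of safe_fields, for the API layer."""
    return json.dumps(safe_fields(row, audience), sort_keys=True)


if __name__ == "__main__":
    print("leaky:", leaky_response(SAMPLE_ROW))
    classified = {k: v for k, v in SAMPLE_ROW.items() if k != "loyalty_tier"}
    print("customer:", safe_response(classified, "customer"))
    print("partner:", safe_response(classified, "partner"))
    try:
        safe_response(SAMPLE_ROW, "partner")
    except UnclassifiedField as e:
        print("refused to serialise unclassified column:", e)
```

The fail-closed behaviour is the part worth copying: when a new column appears, the response for every audience breaks in test rather than silently shipping the column to a partner, which is exactly the "unintentional data loss through a third party" case the checklist asks about.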
If your answers to the questions above are not convincing even to yourself, you need a financial advisor of a different kind: one that can help you protect your customer-facing banking application. At Micro Focus, we have seen many of these challenges across our customers and can show, in live demos, some of the common ones in the financial industry. Fortify's application scanning solutions can help you protect your applications before, during and after deployment. With the ability to do both static (SAST) and dynamic (DAST) testing as well as mobile AppSec testing, we let you focus on building great apps for your customers.

Healthcare Industry:

Let's assume you are a developer of a customer-facing app in the healthcare domain. Let's also assume your app has thousands of patients and doctors using it every day. Now your responsibility as a developer gets even bigger. You need to develop, test, and deploy code that keeps the app free of defects, because patients and doctors alike depend on it. Keeping patient data secure is a critical part of your job as a software developer, as is making sure there is nowhere in the application code where sensitive data is easily exposed.

Here are a few things you should take into consideration and be aware of as a healthcare industry developer:

  • Standards in healthcare - Understanding healthcare standards and regulations is critical
    1. The key question to ask as a developer: is my code in line with regulations like HIPAA and GDPR?
    2. Is it the developer's responsibility to know the various industry regulations and their implications?
  • Code exposure - Is my code exposing any sensitive information?
    1. Do you identify and classify your application's data categories by sensitivity and criticality? Do your development teams understand which pieces of patient information are critical?
    2. When you integrate with third-party solutions to pull or push information, are you aware that intentional or unintentional data access and data loss can occur?
  • API integrations - Are my third-party APIs exposing sensitive information?
    1. When connecting to other third-party solutions, are your teams taking the associated risks into consideration? Are you testing those integrations adequately? Are they aware of healthcare integration standards like HL7, FHIR and DICOM?
    2. Do you know how the information you expose via APIs is stored in the third party's database?
  • Healthcare mobile app security - How are your mobile apps storing information?
    1. If you work on a healthcare firm's app, how do you store transaction information?
    2. How do the mobile applications communicate with your servers and/or third-party solutions? Is patient data stored in the app itself or elsewhere on the mobile device?
  • Tools and process - How strong is your business logic?
    1. When building your apps or buying custom solutions from healthcare vendors, do you know whether your applications meet standards like the OWASP Top 10?
    2. How secure are the third-party solutions that you configure and use within your organization?
    3. Do you know that your production applications are secure when tested dynamically, at runtime?
  • Multiple teams and challenges - How are the different tools across your organization communicating?
    1. With different teams responsible for different code commits, how do your teams communicate? Do you do any kind of integration testing?
    2. Is there an organization-wide, integrated approach to adequately protect your applications from being vulnerable?

If your answers to the questions above give you a headache, you ironically need to find a doctor: one that can help you protect your customer-facing healthcare application. Team Fortify has seen many of the challenges healthcare customers face and can show some of the common ones in live demos. Healthcare is consistently among the most targeted industries for attackers, because patient records are valuable and hard to replace. Let Fortify help protect your applications before, during and after deployment: SAST with Fortify Static Code Analyzer (SCA), DAST with Fortify WebInspect, and mobile AppSec testing. This way we let you focus on what developers do best, which is getting new and innovative features to market faster.

This blog was written by Gokul Sridharan, presales manager for Fortify.
