By Richard Mort, New Business Director, Edge Testing Solutions
British banks are being hit by IT and security failures that prevent customers from making payments at an average rate of more than one a day, according to new research.
In total, 302 reports were made between 1 April 2018 and the end of the year, Which? Money found by analysing the latest reports from 30 banks and building societies. Among the results, Barclays reported the most major incidents (41), a rate of more than one per week in the last nine months of 2018. It was followed by Lloyds Bank (37), Halifax/Bank of Scotland (31), NatWest (26), RBS (21) and Ulster Bank (18). TSB, where the unsuccessful introduction of a new IT system last year caused 1.9 million people to lose access to online banking services, reported 16 incidents.
The findings make clear that UK banks are struggling to keep pace with consumer technology expectations, and suffering an increasing number of bugs and system glitches as a result.
There are three primary sources for the introduction of bugs into code. Understanding these is important to understanding where bugs might lurk, and why software and application testing is the key link in locating them.
The first source is the increasing focus on a shorter time to market. Business leaders pressure coders to deliver more, and to do so faster, often without full access to the latest testing tools or respecting quality gate criteria. The result can be anything from simple but deadly cross-site scripting, code injection and stack overflow bugs, or process weaknesses. The latter can be particularly insidious, allowing hackers to manipulate processes to gain access, rather than directly hack the code. A wider issue here is that software development teams are usually tasked with delivering functionality, not security, pushing security testing to the back of the queue.
The second source of bugs is the increasing use of open source and third-party code. Partly driven by the first point above, and partly due to practical considerations, code library use is on the rise. In 2018, Synopsis reported that of 1,100 commercial code-bases analysed, 78% included at least one open source vulnerability. A total of 4,800 open source vulnerabilities were reported in 2017.
The third is a failure of due diligence in mergers and acquisitions, where new technology and digital assets are acquired, but not fully tested and assessed before being integrated by the new entity. The result is at best an overly complex architecture, which provides a much larger attack surface for hackers and, at worst, directly introduces serious security flaws.
Devil is in the detail
Unfortunately, ensuring the quality of banking and/or m-payment apps can be hugely labour intensive. In the case of m-payment apps, for example, we know from our Device Lab that clients potentially need more than 2,000 test cases to ensure that the app works as expected. The tests need to be executed on multiple versions of iOS and Android devices and executed within a regression test pack every time the software is updated to ensure that new updates do not break existing functionality.
The sheer volume of testing needed to ensure a high-quality app can be daunting. Even streamlining techniques such as only conducting lower risk tests once on one version of each device can only do so much to reduce the workload. However, with powerful testing tools, the repetitive and time-consuming aspects of testing can be handled automatically, increasing speed and test efficiency, reducing the likelihood of mistakes and ultimately saving money.
Automation is not without its challenges: smartphone manufacturers (particularly Apple) impose restrictions upon their devices that can limit the effectiveness of test automation. In addition, for international projects, devices should ideally be tested in-country on the real mobile networks that end customers are likely to use. These issues can be overcome, but require case-by-case evaluation. Successfully implementing automation can reduce testing effort dramatically – in the case of m-payments mentioned earlier, the saving can be high compared to manual testing, which is a significant benefit in the m-payment race.
Safe and secure development
Security is a major challenge for banking systems and the use of third-party software adds an extra – and possibly unexpected – dimension of risk.
To deliver a mobile or online banking system, developers need to write software that uses many different technologies and works on very different hardware devices. To simplify this task developers often make use of open source or third-party software libraries to carry out common functions.
Irrespective of whether third-party libraries are used, robust security testing is essential, but the common practice of only conducting security tests at the end of a project can be highly risky. When weaknesses are discovered, the bank is often left facing a choice between delaying a release to solve the issues or going live with software that has known vulnerabilities. A better approach is to build in secure coding and security testing throughout the development stage. As a result, potential defects are detected and fixed during the project, rather than at the end, saving both development time and accelerating speed to market.
Winning the race through a Digital Test Hub
Traditional testing and Quality Assurance methods are of limited value when developing online banking or mobile payments apps. The race to get ahead of the competition effectively mandates the use of dynamic, agile software development methods. But developing the software rapidly is not enough, the quality assurance must keep pace with development and this can only be achieved through more efficient software quality methods.
An effective quality strategy takes into consideration: legacy IT infrastructure; back and front office requirements; the interdependency of the cloud computing and mobility.
As banks adopt new ways of meeting customer demands, quality management is also increasingly embracing an integrated approach. By centralising testing services for applications and application development, banks can benefit from Digital Test Hubs offering a core competency of testing, coupled with flexibility to support complex systems that are constantly evolving.
A Digital Test Hub (or Testing Centre of Excellence) avoids the problems of silo based testers strewn across the organisation who are in danger of large-scale duplication of testing activity. Bringing quality into a Digital Test Hub means that wider integration issues and associated risks are more readily identified, as the team involved in performing functional, regression, automated or performance testing holds a good contextual understanding of the specific operating environment.
SecOps and Security-by-Design
Security by design is an increasing requirement for regulatory compliance. This can be achieved by evolving system development first into DevOps, and then on into DevSecOps (more frequently now simply known as SecOps).
While the evolution of DevOps into SecOps is a positive trend for security by design, many organisations are struggling to implement it effectively. It involves including security testing in the process of application development. Gartner predicts 80% of development teams will be using a SecOps workflow by 2021; so new solutions will need to emerge to facilitate this.
The difficulty is in establishing and especially maintaining the correct SecOps process. However, with the consultancy aspect of third-party testing firms together with their versatile testing platforms assisting the transition, organisations will start to see a more secure workflow emerge and security testing will become a vital aspect of security by design.
Vulnerability Scanning and Penetration Testing
Hackers’ success rests in their ability to stay one step ahead of security. Although the increase in state-sponsored hacking and the increased accessibility of resources for malicious agents can give them an edge, not everything is to their advantage. Resources like the OWASP Top 10 and the NIST NVD make it easier than ever to scan for known vulnerabilities, enabling security testers to focus their attention on identifying and protecting against emerging threats.
With the increasing resources available to threat actors, proactive vulnerability testing and penetration testing is likely to become the make-or-break factor. And it is, of course, a compliance requirement for an increasing number of regulations.
Compliance testing may well see the biggest changes over 2019, in large part thanks to the EU’s GDPR. The new data regulations are expansive and complex, providing organisations and testers new challenges, many of which do not yet have an established solution. With the GDPR regulations only being implemented last year, precedents and standards for their interpretation in the real world are still being set. However, standards and frameworks are emerging in some countries such as the Netherlands which enable compliance testing.
Lingering uncertainties over the GDPR on national and international levels will reduce over time, but it’s important for testers to stay as up to date on the regulations as possible. This will also apply to the growing number of worldwide privacy and disclosure laws coming into effect – such as the California Consumer Protection Act (CCPA). Other prescriptive regulations, such as PCI, can be more easily tested.
User Awareness Testing
An organisation’s own staff members have been considered amongst the biggest security risks of all for over a decade now. It was a known issue in 2007, and a 2017 survey of security professionals still placed employees as the second biggest threat to critical infrastructure.
Training for threat awareness is a necessary part of organisational security, or this long-standing trend cannot change. Forward-thinking testers such as Edge Testing make provisions for this, incorporating awareness training and e-learning modules to help proactively detect security threats and even gamification to keep users engaged.
A view of the future
With GDPR changing the compliance landscape and accelerating digital transformation changing the development landscape, 2019 is set to be an interesting year. Perhaps the biggest upcoming change is the expansion of scope in testing requirements. Source code verification and vulnerability testing, while still crucial, are becoming just two pieces of a larger puzzle.
The best software testing solution will inevitably be a holistic one, from a vendor that can provide all aspects of software testing, so nothing is missed. Specialist testing providers will (rightly) grow in strength and popularity as businesses recognise the need for the best possible security, and moreover the best and most cost-effective solution for it. Automation will grow in scope and efficacy, but will still not be able to cover all necessary areas of testing.
Security is a necessity. Good security protects customers from data theft; it protects hardware and software from critical vulnerabilities, and it protects organisations from falling foul of ever more stringent regulations. The first and most important step to ensure good security is to employ good security testing, especially for the financial services industry, where expectations are arguably at their highest on all sides.