Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Financial Real-Time Threats: Impacting Trading Floor Operations Dr Yiannis Pavlosoglou OWASP Project Leader Information Risk Management September 6 th, 2007

OWASP 2 Outline  Background  Motivation  Architecture  Findings  Scenario  Conclusions

OWASP 3 Background  PhD in Information Security  Emergence in Designing Routing Protocols  UK Security Scientist  DefCon 2007, IEEE, IEE, BCS, CISSP  Java Developer Background  J2SE, JEE  OWASP Project Leader  JBroFuzz  Employer: Information Risk Management, UK 

OWASP 4 Motivation “the cash desk, the derivatives desk, the program desk … bring them all together” “ Do you have trading technology that allows you to trade across every asset in every country? ” “Our traders can trade across multiple asset classes simultaneously” “We offer you the ability to trade from your PDA”  How long can you be out of the market for?

OWASP 5 Motivation  How long can you be out of the market for?  Regulatory requirements  Business loss opportunities  Liability issues regarding prices  Increase in number of people on the floor

OWASP 6 The Freakonomics of Security and Personel  Scenario: Member of Staff A, holds a password of ‘operational importance’ Technical Attack Approach  Password is stored in the form of a 128 bit hash  The cost of obtaining the hash would require an insider’s presence  To check for a single value would cost: $  To check for more than half of the values: ≈$ 184 million Human Attack Approach  Clerical A Staff Salary pays: $ 40 K / Year  A successful career of, say 25 years  Total Earnings: ≈ $ 1 million …

OWASP 7 Trading Floor Security Testing Architecture

OWASP 8 Trading Floor Security Testing Architecture Penetration Test Application Security Test Software Product Review Application Architecture Assessment Console Audit Test Application Assessment Network Assessment Secure Development Training Application Assessment Network Assessment VPN / RAS Test Firewall Review VPN / RAS Test Messaging System Audit

OWASP 9 Typical Assessment Findings

OWASP 10 Scenario Operational System Risk Assessment Initiated Initial Internal Assessment External Penetration Test

OWASP 11 Scenario Results External Penetration Test  A1: Cross Site Scripting  A2: Cross Site Request Forgery  A4: Web Application DoS  A7: Weak Session Cookies  A9: Insecure Communications Final Risk Assessment  A1: Non Internet Facing Application  A2: Scarce Data Manipulation Attacks  A4: Application recovers successfully  A7: Users not technical enough  A9: Internal Switched Network Fun and Profit Enterprise Attack  A4: Cause a Web Denial of Service  A1: Mass Internal Phishing  A2: Manipulate Data being on the fly  A7: Hijack administrator’s data  A9: Bounce data off mail gateway

OWASP 12 Conclusions  Complex “Enterprise Level” applications will experience “Enterprise Level” attacks  An application, subsystem or component must be able to withstand a targeted specialized attack  Simplicity is key for a Secure System Implementation