The Importance of Pen-Testing for FinTech SaaS Applications
What is Pen-testing?
Short for penetration testing, pen-testing is a simulated cyber attack on your system to find weaknesses before attackers do. It is used to automate certain tasks, improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone.
Who are OnSecurity?
OnSecurity replaces the overhead of traditional penetration testing firms with a simple online interface. This puts the client back in the driving seat, making it easy to book tests as and when needed.
Conor O’Neill, Co-founder & Head of Product at OnSecurity gave us an overview of how the company was born.
“OnSecurity was set up because we recognised that the pen-testing market was moving on at a much faster pace than traditional pen-testing vendors were able to keep up with. We identified a new generation of younger buyers who didn’t necessarily want to interact with a sales rep, who wanted to self serve, wanted faster turnaround times and expected a booking and delivery platform that would integrate with existing tooling.
OnSecurity was built around the needs of these types of young, fast-moving tech-focused businesses, and we try to be different from traditional vendors in everything we do. The vast majority of our clients book pen-tests in a matter of seconds via our platform, we operate flexible scheduling to enable us to keep very short turnaround times, and our testers report in real time as they find issues, so our clients can get to work on fixes straight away when we find something. We move rapidly, and we charge differently to traditional vendors (i.e. we don’t charge for re-tests, we don’t charge for reporting time, we bill by the hour not rounded up to the nearest day). This has really helped set us apart and grow rapidly.”
GECKO’s Experience with OnSecurity
OnSecurity’s online booking system allows users to book a test online within seconds without having to deal with scoping and authorisation forms. Full integration with our own tools and their real-time reporting provided us with full technical detail to speed up bug fixes.
We were immediately impressed with OnSecurity’s clear understanding of their industry and their client’s needs and pain points. It was also important to us that they were a CREST accredited service provider.
The key highlight of our experience was that we didn’t have to wait weeks until pen-test completion to receive pertinent feedback. All testing feedback was given in real-time.
This meant that if you had any issues, you could act fast and request a retest via their portal quickly and efficiently. Their accurate hourly billing and free re-testing ensured complete transparency of pricing with no hidden fees. Something which we at GECKO value greatly.
Importance of Pen-Testing
Pen-testing allows you to identify potential vulnerabilities in your application that may be exploited by bad actors. It is important that this kind of testing is carried out at regular intervals to maintain the security and integrity of your application.
As Conor explained, “Pen-testing is still, and will be for some time to come, one of the best tools available to businesses to protect their assets. This is because there is simply no substitute for a trained, experienced human pen-tester bringing all their focus to a single target for a sustained period of time. They will understand how an app is supposed to work, and how an attacker can subvert the logic of that application to cause potential harm to the business.
As an example of what we mean by this, recently we tested an online mortgage application platform. Our testers identified that once the mortgage was approved and signed off by the bank, it was possible to change the interest rate on the mortgage via the platform. A small bug, overlooked by automated scanners that could have had devastating financial consequences for the broker. Although it will happen someday, it’s probably going to be many years before automated solutions will be able to spot this kind of vulnerability.”
Data security and breaches are a concern across all industries; however, the financial services industry is a primary target of fraudsters due to the inherent value of the underlying data. This is why the team at GECKO Governance prioritise regular testing, assessment and evaluation of the effectiveness of the GECKO system, enabling us to understand operational tolerances and identify single points of failure that may lead to unacceptable disruption in the event of a cyber attack.
About GECKO Governance
GECKO Governance is a RegTech system for financial institutions, built by subject matter experts who can translate client’s systematic processes and activities into the software, providing definitive solutions to meet all compliance pain-points across a multitude of financial service areas on a global basis.
To learn more about GECKO Governance, please visit: www.geckogovernance.io