21 August 2019 17:58
State of Application Security at Top 100 Global Fintech Startups
CB Insights has recently compiled a report entitled “The Fintech 250: The Top Fintech Startups Of 2018”. According to the report, the 250 companies have raised approximately $53 billion in aggregate funding across 947 deals. The report includes companies at different investment stages of development, from early-stage (seed/Series A) to well-funded unicorns.
Today, we’re observing a digital transformation and an increasing impact of emerging fintech companies on traditional banking models. Everyone has likely heard of Revolut, a prominent example of a game-changing unicorn. The rapid proliferation of uberization, blockchain and AI technologies contributes to the overall disruption and shakes the global financial industry.
Given the positive feedback we have received about our research “State of Application Security at S&P Global World's 100 Largest Banks”, we decided to run similar research covering the top 100 fintech startups from the above-mentioned CB Insights report.
This research aims to shed some light on the overall state of web and application security of the fintech companies and compare it with the results of traditional banks.
- 100% of the companies have security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains.
- 8 main websites and 64 subdomains of the companies have at least one publicly disclosed and exploitable security vulnerability of medium or high risk.
- The most popular website vulnerabilities were XSS (Cross-Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).
- The oldest unpatched security vulnerability is CVE-2012-6708, impacting jQuery 1.7.2 and publicly known since 2012.
- 100% of the mobile applications contain at least 1 security vulnerability of a medium risk, 97% have at least 2 medium or high-risk vulnerabilities.
- 56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.
- 62% of the companies failed the PCI DSS compliance test even for their main website.
- 64% of the companies likewise failed the GDPR compliance test for their main website.
Methodology and Data Sources
-----------------------------
We leveraged an enhanced methodology from our previous banking research that covered web and mobile application security of the world's 100 largest banks by S&P Global Ratings.
Using OSINT discovery and non-intrusive testing techniques, we carefully studied external web applications, APIs and mobile apps of the companies from the above-mentioned CB Insights report that encompasses companies from 6 regions and 17 countries.
The following external assets and applications of the companies were tested during the research:
- Main websites (the “www.” domain) - 100
- Subdomains (e.g. “subdomain.example.com”) - 3580
- Mobile applications - 61
- Backend APIs of the mobile applications - 1444
We conducted various non-intrusive security, privacy and compliance checks. All of the testing tools are available online and can be freely used to reproduce the results of the research as well as to validate improvements after remediation of the described security flaws.
PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version 3.2.1 of the standard (assuming the websites fall within the Cardholder Data Environment).
GDPR compliance testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation (assuming the websites handle and/or store PII of EU residents).
Non-intrusive Software Composition Analysis (SCA) of Open Source and proprietary web software verified fingerprinted software versions for publicly disclosed vulnerabilities from the OWASP Top 10 list.
Additionally, Content Security Policy (CSP) and other security- and privacy-related HTTP headers were audited.
Domain security and malicious squatting are also covered in this research.
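The header audit mentioned above can be reproduced offline against a captured response. The following is an added example written for this page, not ImmuniWeb's scanner: it parses a raw HTTP/1.1 response and reports hardening gaps in HSTS, CSP, anti-framing, MIME sniffing, referrer policy, cookie flags and the server banner. Both responses are constructed samples, and the 180-day HSTS threshold (`HSTS_MIN_AGE`) is an assumed policy value rather than a figure from the research.

```python
"""Security-header audit of a raw HTTP response.

Added example, not ImmuniWeb's tooling.  The two responses at the bottom are
constructed samples; HSTS_MIN_AGE is an assumed policy threshold.
"""

HSTS_MIN_AGE = 180 * 24 * 3600  # assumed minimum max-age, in seconds


def parse_response(raw: str) -> dict:
    """Return {lower-cased header name: [values...]} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> dict:
    """\"default-src 'self'; script-src 'self' x\" -> {'default-src': [...], 'script-src': [...]}"""
    directives = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means no gap was found."""
    findings = []

    # Strict-Transport-Security: present, long enough, and covering subdomains
    hsts = headers.get("strict-transport-security", [""])[0]
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        attrs = [a.strip().lower() for a in hsts.split(";")]
        max_age = 0
        for a in attrs:
            if a.startswith("max-age="):
                max_age = int(a.split("=", 1)[1] or 0)
        if max_age < HSTS_MIN_AGE:
            findings.append("HSTS: max-age below %d seconds" % HSTS_MIN_AGE)
        if "includesubdomains" not in attrs:
            findings.append("HSTS: includeSubDomains not set")

    # Content-Security-Policy: present, with script sources neither inline nor wildcard
    csp_raw = headers.get("content-security-policy", [""])[0]
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        findings.append("CSP: header missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP: script-src allows inline or wildcard scripts")
    # Anti-framing: either CSP frame-ancestors or X-Frame-Options must be present
    if "frame-ancestors" not in csp and "x-frame-options" not in headers:
        findings.append("Framing: no frame-ancestors and no X-Frame-Options")

    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy: header missing")

    # Cookies: every Set-Cookie needs both Secure and HttpOnly
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append("Cookie %s: missing %s" % (name, ", ".join(missing)))

    # Server banner: a version number is an unnecessary information leak
    server = headers.get("server", [""])[0]
    if any(ch.isdigit() for ch in server):
        findings.append("Server: banner discloses version (%s)" % server)
    return findings


WEAK_RESPONSE = (  # constructed sample: a site with little hardening
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (  # constructed sample: the same site after remediation
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_response(raw)) or ["no findings"])
```

Run as-is, the weak response yields seven findings and the hardened one none; the same function can be pointed at a response saved from `curl -i` for any host in an inventory, which is how a subdomain-wide header audit of the kind the methodology describes scales out.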
Website Security
-----------------------------
Only 2 main websites had the highest “A+” grades both for (1) SSL encryption and (2) website security, fully meeting the applicable PCI DSS and GDPR compliance requirements:
- Brex Inc (www.brex.com) A+
- N26 GmbH (N26 Inc) (www.n26.com) A+
On the remaining main websites we identified 64 security issues related to outdated web software or its components. One website had as many as 17 outdated JS libraries and other external software components.
On average, each website contained at least one third-party component, such as a JS library, web framework or other third-party code.
Grade | Qty | Brief explanation (see above for detailed methodology)
------|-----|------------------------------------------------------
A+    | 9   | No single issue or misconfiguration found
A     | 37  | Minuscule issues found or slightly insufficient security hardening
B     | 15  | Several minor issues or insufficient security hardening
C     | 33  | Security vulnerabilities or several serious misconfigurations found
F     | 6   | Exploitable and publicly known security vulnerabilities found
Given the importance of the main website, six failing “F” grades is an alarmingly high number.
The situation is, however, considerably worse with the subdomains. In total, we have identified over 2,474 outdated software components across the tested subdomains. Brief numbers related to subdomain insecurity are provided below:
- 1,074 of the subdomains had at least one outdated software component
- 64 subdomains had at least one outdated software component with exploitable vulnerabilities
- The oldest vulnerable CMS is WordPress 4.7.1, with 26 publicly known security issues so far
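The distinction drawn above, between a component that is merely outdated and one carrying a known exploitable issue, is what the Software Composition Analysis step of the methodology produces (and what PCI DSS Requirement 6.2, cited later in the report, asks organisations to track). The following is an added example, not ImmuniWeb's tooling: it compares fingerprinted component versions against a small advisory table and a "latest release" snapshot. CVE-2012-6708 (jQuery before 1.9.0) is the advisory the report names; the other advisory ids, the `LATEST` snapshot and the host inventory are constructed placeholders.

```python
"""Software composition analysis over fingerprinted web components.

Added example, not ImmuniWeb's tooling.  CVE-2012-6708 (jQuery < 1.9.0) is the
advisory named in the report; the PLACEHOLDER-* ids, the LATEST snapshot and
SAMPLE_INVENTORY are constructed data.
"""


def parse_version(text: str) -> tuple:
    """'1.10.2' -> (1, 10, 2), so that 1.10 sorts after 1.9 (a string compare would not)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break  # drop suffixes such as '-beta'
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# component -> list of (fixed_in, advisory id, exploitable?)
ADVISORIES = {
    "jquery": [("1.9.0", "CVE-2012-6708", True)],
    "wordpress": [("4.7.2", "PLACEHOLDER-WP-ADVISORY", True)],   # constructed entry
    "bootstrap": [("3.4.1", "PLACEHOLDER-BS-ADVISORY", False)],  # constructed entry
}
# component -> newest release (constructed snapshot; a real scan would pull this live)
LATEST = {"jquery": "3.4.1", "wordpress": "5.2.2", "bootstrap": "4.3.1"}


def assess_component(component: str, version: str) -> dict:
    """Classify one fingerprinted component as current, outdated, or exploitable."""
    v = parse_version(version)
    comp = component.lower()
    outdated = comp in LATEST and v < parse_version(LATEST[comp])
    advisories = ADVISORIES.get(comp, [])
    hits = [adv for (fixed_in, adv, _) in advisories if v < parse_version(fixed_in)]
    exploitable = [adv for (fixed_in, adv, expl) in advisories
                   if expl and v < parse_version(fixed_in)]
    return {"component": comp, "version": version, "outdated": outdated,
            "advisories": hits, "exploitable": exploitable}


def assess_inventory(inventory) -> dict:
    """inventory: iterable of (host, component, version) -> {host: [component results]}"""
    results: dict = {}
    for host, component, version in inventory:
        results.setdefault(host, []).append(assess_component(component, version))
    return results


def summarize(results: dict) -> dict:
    """Host-level counts in the same shape as the report's subdomain figures."""
    outdated_hosts = sum(1 for comps in results.values() if any(c["outdated"] for c in comps))
    exploitable_hosts = sum(1 for comps in results.values() if any(c["exploitable"] for c in comps))
    return {"hosts": len(results), "outdated_hosts": outdated_hosts,
            "exploitable_hosts": exploitable_hosts}


SAMPLE_INVENTORY = [  # constructed fingerprints for a fictitious company
    ("www.fintech-example.test", "jQuery", "1.7.2"),
    ("blog.fintech-example.test", "WordPress", "4.7.1"),
    ("app.fintech-example.test", "jQuery", "3.4.1"),
    ("cdn.fintech-example.test", "Bootstrap", "3.3.7"),
]

if __name__ == "__main__":
    res = assess_inventory(SAMPLE_INVENTORY)
    for host, comps in res.items():
        for c in comps:
            state = "EXPLOITABLE" if c["exploitable"] else ("outdated" if c["outdated"] else "ok")
            print(f"{host:28} {c['component']:10} {c['version']:8} {state} {c['exploitable']}")
    print(summarize(res))
```

On the sample inventory the summary reports four hosts, three of them with an outdated component and two with an exploitable one, mirroring the two subdomain counts above. Numeric version tuples matter here: comparing "1.10.0" and "1.9.0" as strings would wrongly flag the newer release as vulnerable.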
Below are website security grades for the subdomains:
Grade | Qty  | Brief explanation (see above for detailed methodology)
------|------|------------------------------------------------------
A+    | 277  | No single issue or misconfiguration found
A     | 1134 | Minuscule issues found or slightly insufficient security hardening
B     | 554  | Several minor issues or insufficient security hardening
C     | 1551 | Security vulnerabilities or several serious misconfigurations found
F     | 64   | Exploitable and publicly known security vulnerabilities found
SSL/TLS Encryption Security
-----------------------------
Implementation and configuration of HTTPS (SSL/TLS) encryption is remarkably well done. Only one main website scored a “B” grade, while all others received laudable “A” or even the highest possible “A+” grades:
Grade | Qty | Brief explanation (see above for detailed methodology)
------|-----|------------------------------------------------------
A+    | 38  | No single issue or misconfiguration found
A     | 61  | Minuscule issues found or slightly insufficient encryption hardening
B     | 1   | Several minor issues or insufficient encryption hardening
As with the website security issues described above, the situation with HTTPS encryption on the subdomains is alarming. As many as 93 subdomains had the failing “F” grade, and 537 had an untrusted or expired SSL certificate:
Grade | Qty  | Brief explanation (see above for detailed methodology)
------|------|------------------------------------------------------
A+    | 517  | No single issue or misconfiguration found
A     | 1060 | Minuscule issues found or slightly insufficient encryption hardening
B     | 150  | Several minor issues or insufficient encryption hardening
C     | 26   | Security vulnerabilities or several serious misconfigurations found
F     | 93   | No encryption, SSLv3 or exploitable security vulnerabilities found
PCI DSS and GDPR Website Compliance
-----------------------------
As many as 62 websites failed the applicable requirements of the PCI DSS compliance test. The major cause was outdated open-source and commercial software and its components (Requirement 6.2).
Usage of Web Application Firewalls
-----------------------------
A Web Application Firewall (WAF) was used on 95% of the main websites, a remarkably high number.
Mobile Applications and Backend APIs
-----------------------------
We discovered and audited 61 mobile applications handling personal, financial or otherwise sensitive data. All of the mobile apps were tested for OWASP Mobile Top 10 security and privacy issues. Given the sensitive nature of the financial and other data handled by these applications, we find the statistics below quite frustrating:
- 100% of the mobile applications contained at least 1 medium-risk security vulnerability
- 97% of the mobile applications had 2 or more medium-risk vulnerabilities
- 3% of the mobile applications contained at least 1 high-risk security vulnerability
The three most common OWASP Mobile Top 10 security issues were:
- M1: Improper Platform Usage (299 issues)
- M2: Insecure Data Storage (210 issues)
- M7: Client Code Quality (153 issues)
In addition, we tested web security and SSL/TLS encryption of the mobile backend APIs to which users’ data is sent and from which it is received. The most common grade was the almost-failing “C”, highlighting widespread and insufficient prioritization of mobile backend security:
Grade | Qty | Brief explanation (see above for detailed methodology)
------|-----|------------------------------------------------------
A+    | 64  | No single issue or misconfiguration found
A     | 327 | Minuscule issues found or slightly insufficient security hardening
B     | 232 | Several minor issues or insufficient security hardening
C     | 812 | Security vulnerabilities or several serious misconfigurations found
F     | 9   | Exploitable and publicly known security vulnerabilities found
SSL/TLS encryption of the data sent and received via the APIs is considerably better, though 9 backend APIs contained exploitable vulnerabilities or used the clear-text HTTP protocol instead of secure HTTPS:
Grade | Quantity | Brief explanation (see above for detailed methodology)
------|----------|------------------------------------------------------
A+    | 128      | No single issue or misconfiguration found
A     | 292      | Minuscule issues found or slightly insufficient encryption hardening
B     | 34       | Several minor issues or insufficient encryption hardening
C     | 12       | Security vulnerabilities or several serious misconfigurations found
F     | 9        | No encryption, SSLv3 or exploitable security vulnerabilities found
Trademark Infringement and Brand Abuse
-----------------------------
We detected that 90 out of 100 companies are victims of cybersquatting, having at least one domain taken over by competitors or unscrupulous third parties to steal web traffic.
We also identified that 86 companies have at least 1 typosquatted domain forwarding inattentive users to spam gateways, adult-oriented shops or even websites infected with malware and ransomware.
Below is a visual comparison of the FinTech companies from this research with the largest banking institutions from our previous research:
Benchmark | Fintech | Banks
----------|---------|------
Main websites with the highest “A+” grades | 9% | 4%
Main websites with the failing “F” grades | 6% | 5%
Subdomains with “A+” grades | 7.7% | 2.5%
Subdomains with “F” grades | 1.7% | 11%
SSL encryption of the main websites with “A+” grades | 38% | 25%
SSL encryption of main websites with “F” grades | 0% | 13%
SSL encryption of subdomains with “A+” grades | 28% | 15%
SSL encryption of subdomains with “F” grades | 5% | 15%
PCI DSS compliant main websites | 38% | 62%
PCI DSS compliant subdomains | 40% | 37%
GDPR compliant main websites | 36% | 39%
GDPR compliant subdomains | 13% | 12%
Main websites protected with a WAF | 95% | 92%
Subdomains protected with a WAF | 65% | 53%
Mobile apps with high-risk vulnerabilities | 3% | 20%
Mobile backend API encryption with “A+” grade | 27% | 15%
Mobile backend API encryption with “F” grade | 1.9% | 6%
Such an alarming discrepancy probably stems from the following factors:
- The incomparably larger, more complicated and longer-existing IT infrastructure of the banks is much harder, slower and more expensive to inventory, maintain and protect.
- Business-critical legacy applications are omnipresent in the banking industry, while startups usually build their technology from scratch, avoiding many compatibility challenges.
- Decision-making processes, exacerbated by a growing number of regulatory frameworks and compliance requirements, are much longer in the banking industry.
- Not infrequently, FinTech startups have comparatively larger and virtually uncontrolled funds to invest in cybersecurity and talent acquisition after raising money from generous investors.
Recommendations and Conclusion
-----------------------------
Ilia Kolochenko, CEO and Founder of ImmuniWeb, says: “The research emphasizes spiraling cybersecurity challenges faced both by dynamic fintech companies and well-established financial institutions.
“At first glance, the fintech industry is doing comparatively better; however, if we correlate the quantity and complexity of managed IT systems per organization, the conclusion may unequivocally differ in favor of the banks. Nonetheless, the numbers from the research positively emphasize a decent level of cybersecurity amid the fintech companies, evidencing commitment and care.
The research likewise highlights that lack of visibility is one of the most widespread, detrimental and sometimes almost insurmountable obstacles in the way of coherent and holistic information security. Given the mounting proliferation of cloud and containers technologies, outsourcing of business-critical processes and data sharing with numerous third-parties, incomplete visibility will likely remain information security’s Achilles’ Heel.
At ImmuniWeb, we are firmly committed to tackling and dispersing these grey areas with ImmuniWeb Discovery. It is tailored to illuminate external attack surfaces, provide measurable risks and actionable security ratings, and enable a well-informed and data-driven decision-making process.”
ImmuniWeb suggests the following recommendations to avoid most of the security issues detailed in the report:
1. Consider implementing Gartner’s CARTA strategy to enhance your cybersecurity.
2. Maintain a holistic and up-to-date inventory of the assets located in your external attack surface, identify all software and its components used there, and run actionable security scoring on it to enable threat-aware and risk-based remediation.
3. Implement continuous security monitoring of your external attack surface, test your new code before and after deployment to production, and start applying a DevSecOps approach to your application security.
4. Consider leveraging Machine Learning and AI capabilities to handle time-consuming and routine processes, freeing up your security personnel for more important tasks; suggested reading: “4 Practical Questions to Ask Before Investing in AI”.
Read more at: https://www.immuniweb.com/blog/fintech-application-security.html