
Financial

Madison Gurkha performs high-profile projects for large organizations, including companies quoted on the stock exchange. On this page you will find some examples of projects in the financial sector. References can be provided in the final stages of the decision-making process of hiring Madison Gurkha.

Pension fund

Project: Grey Box Application Audit of the pension application and Black Box audit of the IT infrastructure.
Technology: Java (web application)

Like many organizations, this pension fund offers its members the opportunity to look into their own personal data. Portals like these are becoming more and more popular. In many cases, the underlying applications were not developed for "external" use, and this appeared to be the case for this pension fund as well. The IT infrastructure was perfectly fine; the same could not be said of the application. It was possible in several ways to gain access to, and change, the personal data of any other member in the system. The biggest problems were caused by poor session management, badly implemented input validation and cross-site scripting.

After a thorough revision of the software, a re-audit by Madison Gurkha confirmed that the earlier risks had been effectively resolved. Our findings motivated this pension fund to train its developers through our secure programming training, so that future occurrences of serious problems could be reduced significantly.

Bank

Project: Grey Box Application Audit of an E-Banking application
Technology: Java (client/server) decompilation

This bank had been using a generic e-banking application for some time. The application was to be managed by another company under an outsourcing contract. The new party that was going to manage this system wanted to know whether the application was secure. It proved to be anything but.

Even though the application looked bulletproof on paper, serious implementation and programming errors had been made. Some of these errors became visible after decompiling the Java client. Madison Gurkha could successfully transfer money from one arbitrary account to another without any form of authentication. The bank was lucky that this error had not yet been discovered by malicious users. Obviously, the application concerned has since been modified.

International banking organization

Project: Crystal Box Application Audit of an E-Banking application
Technology: Java (client/server) decompilation

This international banking organization has always made IT security a top priority. Trying to find weaknesses in an apparently secure solution often leads to challenging projects for Madison Gurkha with this client. This case presented us with a very secure and, so it seemed, impenetrable solution. After decompiling the Java client, we noticed that the client side performed several checks during the process. After removing these checks and further analysing the client/server traffic, it became possible to access data we were not authorized to access. After some further exploration, it even became possible to create unauthorized transactions in the database. It takes a lot of technical knowledge, creativity and perseverance to successfully execute these kinds of audits. This also shows that tools, even though we use them frequently ourselves, can never replace a good IT security consultant.

Banking organization

Project: Crystal Box Security Audit of a web application, with code inspection and Secure Programming Training
Technology: Web application .Net / C#

This banking organization develops its own applications. One of these web applications was audited by Madison Gurkha. During the audit, we trained two developers of this banking organization, so that many of the tests can be embedded in the organization's internal testing process. The outcome of the audit also served as a case study during the in-company Secure Programming training that Madison Gurkha provided for the programmers. Because the programming errors shown were ones the programmers already knew, the learning process was optimized. This working method ensured that a .NET application became significantly more secure, the organization learned to perform certain tests, and the programmers were trained.
