Financial sector: Cybersecurity testing of applications for a financial institution
Insurance policy for security

An insurance company that is part of an international financial institution is developing its applications that support its main business processes – insurance policy sales and benefits handling. All for One Poland provided support in the cybersecurity area, conducting intrusive penetration testing of an application dedicated to handling the company's insurance policy lifecycle process.

Advanced IT solutions underpin an organization's efficiency and are often a key element of its competitive advantage, especially where the business must scale quickly.

Our insurance client works with partners from various industries (banks, financial institutions, automotive companies, telecommunications operators, retail chains and e-commerce companies) which sell insurance products to their own customers. Supporting this model is a challenge for developers, who must deliver the business logic, graphical interfaces for partners and insured parties, and communication interfaces for exchanging data with external systems.

Each point of contact between the application and the outside world is also a potential point of breach for the information the application processes, whether through a cyberattack or through user error. The effects vary but are harmful in every case: incorrect or inconsistent data written to the database, data leakage or unauthorized deletion are just a few examples. The consequences can include temporary suspension of business operations, exposure to legal liability (e.g. under the GDPR or the guidelines of the KNF, the Polish Financial Supervision Authority) or contractual liability, and financial and reputational losses for the organization.

Effective mechanisms for mitigating cybersecurity risk are always multi-layered: appropriate policies and procedures, good practices for secure application development, and infrastructure protection (including a Web Application Firewall). The client uses the full set of these measures, and All for One's task was to verify independently, through intrusive penetration testing, whether the organizational and technical measures in place were sufficient.

Web application pentests

As part of our cooperation with the client, the All for One Poland team carried out penetration tests of an extensive custom application that supports the insurance policy lifecycle.

The assessment of the security of data processing in the insurer's application lasted several weeks. During that time we examined how the system behaved in response to both typical and atypical user actions. We took on roles such as salesperson, telemarketer or insured party, and verified the application's protection against unauthorized access.

Built from multiple web modules, numerous API endpoints and file upload functions, the application required a thorough understanding and a methodical approach to testing. The analysis covered general security aspects as well as risks specific to the insurance industry: the processing of customers' personal data, financial transactions and other relevant areas.

Verified vulnerability areas

Our activities aimed not only to identify potential attack vectors but also to provide a comprehensive security overview of the entire application ecosystem. In accordance with the OWASP methodology, our team focused on the key vulnerability areas that could threaten the confidentiality, integrity and availability of data stored and processed by the application. These included, but were not limited to, the following.

Code injection. Testing the application for injection vulnerabilities covered:

  • SQL/NoSQL Injection: testing whether unauthorized SQL or NoSQL commands can be injected through user-controlled input. The goal is to detect flaws that could allow unauthorized database access, data manipulation or deletion;
  • Cross-Site Scripting (XSS): analysing the application for flaws that let an attacker inject a malicious script into pages viewed by other users. Such flaws can lead to theft of session data, redirection of users to malicious sites or other dangerous operations performed in the victim's browser;
  • Other forms of injection: testing for less common but equally critical vectors such as Command Injection (which lets an attacker execute arbitrary operating-system commands on the server hosting the application) or XPath Injection (which lets an attacker manipulate queries against XML data stores and read data that should be inaccessible).
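The SQL injection check described above, shown as an added example that is not code from the original page nor from All for One or the client's application. It uses an in-memory SQLite table with constructed sample rows (an illustrative schema, not the client's), a lookup written the vulnerable way beside its parameterized form, and the differential probe a tester runs: a benign policy number is compared against tautology payloads, and a payload that widens the result set (or triggers a SQL syntax error) proves the input reached the SQL parser.

```python
import sqlite3

# Constructed sample data standing in for a policy table; this is an
# illustrative schema, not the client's application or database.
SAMPLE_POLICIES = [
    ("POL-1001", "alice@example.com", "motor", "active"),
    ("POL-1002", "bob@example.com", "home", "lapsed"),
    ("POL-1003", "carol@example.com", "life", "active"),
]

# Payloads a tester would try in a policy-number field.
PAYLOADS = {
    "tautology": "' OR '1'='1",            # closes the literal, adds an always-true clause
    "comment_out": "POL-1001' OR 1=1 --",  # appends a clause, comments out the rest
}


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policies (number TEXT, holder_email TEXT, product TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO policies VALUES (?, ?, ?, ?)", SAMPLE_POLICIES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, policy_number: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so it can
    change the structure of the query."""
    sql = (
        "SELECT number, holder_email, product, status FROM policies "
        f"WHERE number = '{policy_number}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, policy_number: str) -> list:
    """Hardened: the value is bound as a parameter and is only ever compared
    as data, whatever characters it contains."""
    sql = "SELECT number, holder_email, product, status FROM policies WHERE number = ?"
    return conn.execute(sql, (policy_number,)).fetchall()


def probe_injection(lookup, conn: sqlite3.Connection) -> dict:
    """Differential test: compare the row count for a benign policy number with
    the row count for each payload. A payload that widens the result set, or
    produces a SQL error, shows that the input reached the SQL parser."""
    baseline = len(lookup(conn, "POL-1001"))
    rows = {}
    errors = {}
    for name, payload in PAYLOADS.items():
        try:
            rows[name] = len(lookup(conn, payload))
        except sqlite3.Error as exc:
            rows[name] = 0
            errors[name] = str(exc)
    injectable = bool(errors) or any(n > baseline for n in rows.values())
    return {"baseline": baseline, "rows": rows, "errors": errors, "injectable": injectable}


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, probe_injection(fn, db))
```

Against the vulnerable lookup both payloads return all three rows where the benign value returns one; against the parameterized lookup they return nothing, because the whole string is compared as a policy number. The same differential idea (benign input versus structure-changing input, compare the responses) carries over to NoSQL, XPath and command injection; only the payload grammar changes.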

Authentication and session management. Verifying that the authentication and session management mechanisms are adequately protected against unauthorized access. The check covers password policies, session handling and the authentication mechanisms themselves.

Sensitive data protection. Evaluating how the tested application stores and transmits sensitive data so that it cannot be disclosed to unauthorized parties, with a focus on encryption of data at rest and in transit.

Security misconfiguration. Identifying weaknesses resulting from default configurations, outdated software components or incorrect permission management. The goal is to detect flaws that could lead to unauthorized access or disclosure of data.

File upload. We meticulously evaluated the file upload mechanisms to detect flaws that would allow an attacker to upload malware or other malicious content capable of compromising the system or user data.
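What a file upload check looks for, shown as an added example that is not code from the original page nor from All for One or the client's application. The validator below applies the controls a tester expects to find: a bare filename with no path component or null byte, an extension allow-list, a size limit, a magic-bytes check so the content must really be the declared type, and a server-chosen random name on disk so the client's name is never reused. The allow-list, the 5 MB limit and the sample uploads are assumptions constructed for the example.

```python
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for claim documents

# Accepted document types: extension -> magic bytes the content must start with.
# Hypothetical allow-list chosen for this example.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason_or_extension) for a client-supplied upload."""
    # 1. The filename must be a bare name: no directory parts, no null bytes.
    if "\x00" in filename:
        return False, "null byte in filename"
    if filename in ("", ".", "..") or os.path.basename(filename.replace("\\", "/")) != filename:
        return False, "path component in filename"
    # 2. The declared type must be on the allow-list (case-insensitive).
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    # 3. Enforce the size limit before doing anything else with the content.
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data:
        return False, "empty file"
    # 4. The content must actually be the declared type: check the magic bytes,
    #    not the extension. A PHP script renamed to .pdf fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name for the stored file. The client's name is never
    reused on disk, which neutralises double-extension and overwrite tricks."""
    return secrets.token_hex(16) + ext


# Constructed uploads a tester would submit (contents are minimal stand-ins).
SAMPLE_UPLOADS = {
    "claim_form.pdf": b"%PDF-1.7\n%constructed sample",
    "damage_photo.PNG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.pdf.php": b"%PDF-1.4 <?php system($_GET['c']); ?>",
    "fake.pdf": b"<?php system($_GET['c']); ?>",
    "../../var/www/html/cmd.pdf": b"%PDF-1.4 <?php system($_GET['c']); ?>",
    "photo.png\x00.php": b"\x89PNG\r\n\x1a\n",
}


def check_samples() -> dict:
    """Run every constructed upload through the validator; True means accepted."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name!r}: {'accepted' if accepted else 'rejected'}")
    print("stored as", stored_name(".pdf"))
```

Only the genuine PDF and PNG are accepted; the script with a .php extension, the double-extension name, the script renamed to .pdf, the path-traversal name and the null-byte name are all rejected, each by a different control. During a test, each of these samples is submitted separately so the report can state which control is missing rather than just that "upload is vulnerable".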

A key element of the approach was manual testing, which gave an in-depth understanding of the application's specifics. Penetration testing tools were used to automate certain steps, but the decisive factor was the individual approach of our team.

Report and re-test

After the analysis, All for One Poland's consultants delivered a detailed and transparent report with evidence for each finding and recommendations for remediation. The client showed great determination to implement the recommended changes quickly. We additionally provided consultations on improving the IT solutions in use. A follow-up re-test confirmed that the recommended fixes had been implemented successfully.
