Assess The Security Of Your Online Bank (Without Going To Jail)

Presented at ShmooCon 2007 by

As security professionals and hobbyists, we like to test and break software. For most software, we can satisfy our curiosity by installing it on our own machine and attacking it in a variety of ways. Unfortunately, this is not possible for most Web applications, which can only be accessed on someone else's system. Further, the security of these Web applications is important because they are used to conduct a variety of critical functions. So how can we satisfy our curiosity without attacking someone else's system and running afoul of the authorities? How can we make an informed decision about whether our bank or other service provider is security-conscious enough to justify our business? This presentation will answer these questions by describing how you can legally examine any online Web application and its security features (or the lack thereof) to make a better guess as to the application's security.