Problem solve Get help with specific problems with your technologies, process and projects.

Financials and the need for software regression testing

Attackers target financial-services websites, making it critical that financial firms include regression testing and version control in their software development practices.

Web application security best practices are critical for every organization and particularly essential for financial-services firms. Financial-services websites are prime targets for attackers and those with security flaws give criminals ample opportunity to abuse your online offerings and exploit your customers. Adhering to development and infrastructure management standards will go a long way to reduce an organization's risk posture, but there are key nuances, that if left unaccounted for, will reintroduce vulnerabilities and create undue liability. That's why software development version control and software regression testing should be inherent to your development practices in order to avoid having vulnerabilities and liability resurface.

"From our experience in assessing the security of websites, one of the primary reasons serious vulnerabilities are reintroduced is a lack of strict version control processes and regression testing," said Jeremiah Grossman, chief technology officer at WhiteHat Security, a Santa Clara, Calif.-based Web application security provider.

Version control (also called source control, revision control and source code management) ensures that code changes are clearly identified and associated by timestamp and developer. Version control gives developers the ability to review files previously committed to the code repository and if necessary, revert to earlier versions if a bug is introduced. This process can also work to ensure old bugs aren't reintroduced. Once code is considered stable and secure it can be tagged accordingly and all project efforts going forward work only from that code-stable declaration.

Software development version control is also critical to successful application regression testing. As defined by the Testing Standards Working Party, a volunteer group devoted to the development of new software testing standards, software regression testing is the act of retesting a previously tested program following modification to ensure that faults have not been introduced, reintroduced, or uncovered as a result of the changes made. Rix Groenboom's OWASP AppSec Europe 2006 presentation, Protecting Web services and Web applications against security threats,included these points about regression testing:

  • Software development is an iterative process.
  • An iterative development process fails without regression testing. The same applies to security.
  • Fixing a security vulnerability should be coupled with a policy and an enforcement mechanism to prevent it from recurring.
  • Regression testing practices result in a visible quality process that reinforces trust.

An example of failing to maintain proper version control and a lack of proper software regression testing recently surfaced. Last August, as part of my Online Finance Flaws campaign, I identified Web application security flaws in a website belonging to Minneapolis-based financial planning and services provider Ameriprise Financial Inc. After an unfortunate five-month lag time between when the vulnerability was reported to Ameriprise and its repair of the issue; Ameriprise made code revisions to prevent cross-site scripting (XSS) in the ColdFusion application serving Yet in late January, I received an anonymous report that the reflective XSS vulnerability (see Figure 1 below) had returned, specifically via the same offer_id parameter allowing the execution of JavaScript.


Had this vulnerability been more severe, perhaps leading to a data breach, the implications of reintroduced vulnerabilities could also resurface: brand and reputation damage, breach disclosure costs, etc.

A published report indicated that an Ameriprise spokesman downplayed the initial vulnerability report, saying it only affected one portion of the company's site and didn't put anyone at risk. However, the U.S. Department of Homeland Security found the Ameriprise XSS vulnerability redux significant enough to include it in its Feb. 3 Daily Open Source Infrastructure Report, a summary of open source published information on significant critical infrastructure issues.

The lesson here is clear: If you want to stay off DHS's list, demand version control and software regression testing from your development teams. While there are no guarantees of security, these are simple steps that can certainly improve security posture for financials, and all business sectors.

About the author:
Russ McRee is a senior security analyst, researcher, and founder of, where he advocates a holistic approach to the practice of information assurance.
Russ speaks and writes frequently regarding infosec topics, including toolsmith, a monthly column for the ISSA Journal.


Dig Deeper on SaaS and Web application security

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

OK, version control is crucial, but the notion of regression testing is weird. Regression testing (as it's typically done) is merely checking of existing conditions that were previously working, and that checking is not even aimed to cover the same breadth/depth as testing of new code.
It's extremely unlikely that new security threats might be uncovered with regression testing. Hackers are tirelessly looking for new exploits, and testing should tirelessly look for new risks.