Jet Infosystems conducted an analysis of vulnerabilities in the DOBO system of Chelyabinsk Investment Bank

2021: Vulnerability analysis in the DBO system of Chelyabinsk Investment Bank

In respect of remote banking systems Chelyabinvestbank InvestPay, an analysis was carried out vulnerabilities on the requirements for the assessment level of trust 4 (CSA 4) in accordance with the requirements of GOST R ISO/IEC 15408-3-2013. The analysis was carried out by specialists, "Jet Infosystems" which the IT company reported on January 31, 2021.

During the project, a static and dynamic analysis source code of the InvestPay system was carried out to find potential vulnerabilities of the zero day (0-day) Internet-, bank as well as the architectural features of the system were investigated in order to eliminate architectural and already known vulnerabilities.

In addition, the specialists of the company "Infosystems Jet" performed testing for penetration (pentest) in relation to InvestPay in operating conditions identical to real ones. The Pentest was conducted to verify all potential vulnerabilities, checking the possibility and likelihood of their operation.

After analyzing vulnerabilities, a conclusion was made about the resistance of InvestPay to the attacks to violators in the given CDA 4 model. This means that the bank system is resistant to attacks by criminal groups, hackers physical persons, unscrupulous workers. bank

Based on the results of the analysis of the source code and penetration testing, changes were made to the source code of the InvestPay, as a result of which it was possible to increase the overall security of the system, as well as fulfill the requirements of the Bank of Russia regarding the security of applied payment software (683-P and GOST R 51583-2014).

"Assessment of the security of applied banking software in accordance with the methodology of the General Criteria (GOST R ISO/IEC 15408) is a new (as of the beginning of 2022 - approx. TAdviser) direction of regulation in the banking industry," said Nikolai Antipov, head of the consulting department of the information security center of Jet Infosystems. - Implementation of projects on new requirements of regulatory legal acts always involves certain difficulties related to interpretation of certain requirements and absence of law enforcement practice. Thanks to joint work with colleagues from Chelyabinsk Bank, we were able to resolve all the issues that arose during the project and confirm the compliance of the BBO system with the requirements of the Bank of Russia. For Jet Infosystems, the project in Chelyabinsk is not the first in this direction. However, the excellent experience gained on this project is already actively used in other projects to assess compliance with application software requirements. "