How is sensitive software, like bank software, built?

Hi

Regarding sensitive software for banks, energy, etc.: these apps cannot have bugs or security vulnerabilities, but all software has these two problems, so how do they avoid them?

Testing, testing, more testing, and oh, did I mention testing? Unit tests, user tests, penetration tests, etc.

Critical industries like that also have national standards that must be adhered to, which are essentially another layer of testing.


Some of those standards also dictate the architecture/design of your servers and network, and along with testing they will require you to have regular audits, with reports going back to some agency.


Thanks guys, I understand now.

I actually work in this industry, as a QA.

You’ll find that financial institutions are using very “old” systems for the most part on some of their equipment. Until last year, many of them were running Windows 7 and Windows Server 2012, if not older. And the only reason they’ll have moved up to Windows 10 (granted, a very old version of it) will be because Windows 7 stopped receiving Extended Support. (Items such as financial institution devices receive the longest possible support from Microsoft, because they’re intended to be updated/replaced less frequently.)

This also means that the systems have had time, as well as effort, to find and fix vulnerabilities. Yes, some still exist, and you read about them in the papers sometimes, because inevitably something slips through QA; that’s the nature of the beast.

Financial software also goes through certification against external standards: what used to be known as PA-DSS (Payment Application Data Security Standard), which is now being replaced by the PCI Software Security Framework (SSF). Software that is to be issued to financial institutions by major vendors must be certified and on the list of Validated Payment Applications. These certifications are like having the IRS audit your tax returns: an entire team is sent to audit your software and practices to make sure they’re compliant.


I have no experience with banking software, but I know that, for example, big airplane manufacturers use their own certified operating systems. Especially for military planes it’s even more restricted. I know of one company which is still using a VxWorks version from the 80s because they can be sure it is nearly impossible to hack, as it has very limited network features.
