Back in 2015 I wrote two blog posts examining the security posture of the major Australian banks. I focused on only two aspects: HTTP security headers (the presence or absence of particular headers) and the login forms (password length limits, autocomplete and so on). On one hand, this is not in-depth research, and it is certainly not a vulnerability assessment of the kind I am sure all these banks regularly go through. On the other hand, it is a good indication of whether a bank's development and security teams follow modern security practices and put enough effort into their online security, and so an indirect indication of the overall security state of affairs in the organisation.
I was curious to see whether anything had changed (for better or for worse) over the last two years. HTTP security headers have become mainstream, and I expected adoption rates to be higher.
TL;DR
[Image omitted. Image source: http://blog.kulshitsky.com]
Scott Helme has continued to evolve his excellent Security Headers site, which I used for the previous analysis. Similar to the Qualys SSL Server Test, it now gives an overall rating, which I have added as a new column. Another nice addition is a check for the Referrer-Policy header. If you haven't done so yet, go to Scott's securityheaders.io and check the HTTP headers your own site emits. Let me know if you need help understanding or addressing any of the highlighted issues.
Let's see what Australian banks do with regard to HTTP security headers, as of February 2017.
Results
The Score column shows the current score, with the change since the 2015 analysis in parentheses.

| Bank | Score | SecurityHeaders rating | Strict-Transport-Security | Content-Security-Policy | Public-Key-Pins | X-Frame-Options | X-Xss-Protection | X-Content-Type-Options | Server | X-Powered-By | X-AspNet-Version |
|---|---|---|---|---|---|---|---|---|---|---|---|
| IMB | 5 (+5.5) | C | Yes | No | No | Yes, DENY | Yes | Yes | No | No | No |
| Bank West | 4 (-1) | C | Yes | Yes | No | Yes, SAMEORIGIN | Yes | No | No | Yes | No |
| Beyond | 3 (+3) | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| ING Direct | 3 (+2) | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| St George | 3 (+2.5) | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Bendigo Bank | 2 (+2) | E | No | No | No | Yes, SAMEORIGIN | No | Yes | No | No | No |
| Teachers Mutual | 2 (+4) | E | Yes | No | No | No | No | No | No | No | No |
| CUA | 1.5 | E | Yes | No | No | No | No | No | Yes, CUA Server | No | No |
| Commonwealth Bank | 1 | E | Yes | No | No | Present but incorrect syntax ALLOW-FROM | No | No | Yes, Apache/2.4.6 (Red Hat) OpenSSL 1.0.1e-fips | No | No |
| Newcastle Permanent | 1 (+2) | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| People's Choice Credit Union | 1 (+1) | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| P&N | 1 (+3) | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Suncorp | 1 (+1) | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Westpac | 1 (+1.5) | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| AMP | 0.5 | F | No | No | No | Yes, SAMEORIGIN | No | No | Yes, IBM_HTTP_Server | No | No |
| ANZ | 0.5 (+2.5) | F | No | No | No | Yes, SAMEORIGIN | No | No | Yes (value not shown) | No | No |
| Bankmecu -> BankAust | 0 | F | No | No | No | No | No | No | No | No | No |
| Greater | 0 | F | No | No | No | No | No | No | No | No | No |
| Heritage | 0 | F | No | No | No | No | No | No | No | No | No |
| Macquarie | 0 | F | No | No | No | No | No | No | No | No | No |
| Bank of Queensland | -2 | F | No | No | No | No | No | No | No | Yes, ASP.NET | Yes, 2.0.50727 |
Key findings
- Significant improvements over the last 2 years
- Only 1 bank is in negative territory (previously 7)
- 7 banks have a score of 2 or above (previously only 1)
- Better adoption of the security headers (group 1) by the banks.
- X-Frame-Options is the most popular header: 13 out of 21 banks (62%) have adopted it (previously only 4). I guess more security professionals now recognise clickjacking as a real weakness.
- Great to see 8 banks out of 21 (38%) using HSTS (previously only 2)
  - But not everyone who emits the HSTS header includes subdomains (includeSubDomains)
  - And even fewer banks use the "preload" directive (a required step for HSTS preloading): only CBA
- Content-Security-Policy is still not getting any traction. Only one bank, Bank West, has implemented CSP. CSP is a powerful defence-in-depth measure against cross-site scripting, clickjacking and some other types of attack.
- The situation with the group 2 headers is even better. Many banks in the second half of the table lifted their game and removed these unnecessary headers. Only 6 out of 21 banks still need to fix this (previously 12).
- There is still a long way to go.
  - No one uses Public-Key-Pins
  - Only 2 banks serve the X-Xss-Protection header. This is the simplest, essentially zero-risk header to implement!
  - Only 2 banks use the X-Content-Type-Options header (previously none). This is another extremely simple header to implement.
  - Understandably, no one uses the Referrer-Policy header yet.
Additional comments
BankAust redirects from its home page to a non-secure page. Why? Please fix this.
CBA made a mistake in the X-Frame-Options ALLOW-FROM syntax: there is no need for the equal sign there.
The previous winner, Bank West, was the only bank whose score went down. One point was deducted for the presence of the X-Powered-By header. It's a simple mistake to make; the header usually "returns" after a .NET patch installation.
We have a new leader. Congratulations to IMB. They made a massive jump (+5.5 points), fixing all of the previous issues and introducing many of the recommended HTTP security headers. Well done!
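To make the checks behind the key findings and the CBA ALLOW-FROM note reproducible offline, here is an added example (my own script, not the blog's tooling and not securityheaders.io code) that takes an already-captured response header dict and reports missing defensive headers, weak HSTS directives, the malformed "ALLOW-FROM=" syntax and the leaky server headers. The sample header sets are constructed; the first only mirrors the Commonwealth Bank row of the table.

```python
import re

# Headers the post counts as defensive (group 1) and as information leaks (group 2).
DEFENSIVE = ["Strict-Transport-Security", "Content-Security-Policy",
             "X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options"]
LEAKY = ["Server", "X-Powered-By", "X-AspNet-Version"]
XFO_VALID = re.compile(r"(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)", re.I)


def check_headers(headers):
    """Return a list of findings for one captured response header dict."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {n}" for n in DEFENSIVE if n.lower() not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        directives = {d.strip().lower() for d in hsts.split(";")}
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in directives:
            findings.append("HSTS lacks preload")
    xfo = h.get("x-frame-options")
    # Valid forms are DENY, SAMEORIGIN or "ALLOW-FROM <uri>" with a space, not "=".
    if xfo is not None and not XFO_VALID.fullmatch(xfo.strip()):
        findings.append(f"X-Frame-Options has invalid syntax: {xfo!r}")
    for n in LEAKY:
        if n.lower() in h:
            findings.append(f"information leak: {n}: {h[n.lower()]}")
    return findings


# Constructed samples (not live captures). The first mirrors the Commonwealth Bank
# row of the table: HSTS present, malformed ALLOW-FROM, Server header exposed.
SAMPLE_CBA_LIKE = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "ALLOW-FROM=https://example.com",
    "Server": "Apache/2.4.6 (Red Hat) OpenSSL 1.0.1e-fips",
}
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in [("CBA-like", SAMPLE_CBA_LIKE), ("hardened", SAMPLE_HARDENED)]:
        print(label, check_headers(sample) or ["no findings"])
```

Feed it the `.headers` of a `requests` response (or any dict of captured headers) to run the same checks against your own site.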