AppSec US 2018 (Please, make sure you register to attend)

With the advent of electronic trading platforms and networks, the exchange of financial securities now is easier and faster than ever; but this comes with inherent risks. Nowadays not only rich people can invest in the money markets, but also anyone with as little as $10 could start trading stocks from either a website, a desktop application or a mobile phone

The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies that are used to trade hundreds of billions per day, but security testing tells us a different story.

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leave the applications useless, weak password policies, hardcoded secrets, poor session management, etc. Also, many of these applications lack of countermeasures such as SSL certificate validation and root detection in mobile apps, privacy mode to mask sensitive values, anti-exploitation and anti-reversing mitigations

Moreover, the risk of social trading will be discussed too as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.

The analysis encompassed the following platforms, which are some of the most used ones:
- 30 Websites (7 focused on cryptocurrencies)
- 17 Desktop applications
- 34 Mobile apps

Finally, the gap between the security in online banking vs trading technologies will be clearly observed. There's still a long way to go to improve the security of the trading ecosystem, but the wheel is already invented and common security countermeasures could be applied.