Teîchos proposes two frameworks for penetration testing to spot security defects before the finance services are deployed in production and exposed to the internet.
Since 2018, European banks have had to open their information systems so that third parties can interoperate with customer account information and payment services (the PSD2 directive). A steady rise in cyber security incidents against the financial sector has been noted, resulting in significant economic damage and declining trust in financial institutions.

Different types of security assessment can be used to discover vulnerabilities in banking systems and, more specifically, weaknesses in the new APIs built for open banking and PSD2 compliance. Each assessment type looks at the system from a different perspective and angle; to get a more complete picture, an automated and integrated framework with state-of-the-art tools is needed. Some vulnerabilities might only be found using one type of tool, while some other tests increase system risk due to the increased visibility. Each type and configuration of Teichos could and should be adapted to the needs of the system and the company. The two frameworks proposed follow complementary approaches, the white box and the black box approach, and have been tested respectively in a business-to-business and in a business-to-customer scenario.

This approach includes exploration and dynamic inventory of trusted infrastructures. In this way, pentest reassessment is triggered when something changes in the monitored infrastructure, and the vulnerability report is more detailed, with profiling and personalization options. Focus is also on the orchestration of different types of testing and on the provision of configuration values for other modules in security information management.
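An added example (not Teichos code and not from the original page) of the change-triggered reassessment described above: a diff between two inventory snapshots decides which targets are re-tested. Host names, service banners and the job format are constructed assumptions.

```python
"""Change-triggered pentest reassessment (added illustration, not Teichos code).

Keeps a snapshot of the monitored infrastructure (host -> {port: service}) and,
when a fresh discovery run differs from it, emits reassessment jobs only for
what changed instead of rescanning everything. Sample inventories are constructed.
"""
from typing import Dict, List, Tuple
Inventory = Dict[str, Dict[int, str]]  # host -> {port: service banner}
Change = Tuple[str, str, int, str]     # (kind, host, port, service)

def diff_inventory(old: Inventory, new: Inventory) -> List[Change]:
    """kind is 'new_host', 'new_service', 'changed_service' or 'removed_service'."""
    changes: List[Change] = []
    for host, services in new.items():
        if host not in old:
            changes += [("new_host", host, p, s) for p, s in sorted(services.items())]
            continue
        for port, svc in sorted(services.items()):
            if port not in old[host]:
                changes.append(("new_service", host, port, svc))
            elif old[host][port] != svc:
                changes.append(("changed_service", host, port, svc))
        for port, svc in sorted(old[host].items()):
            if port not in services:
                changes.append(("removed_service", host, port, svc))
    return changes

def reassessment_jobs(changes: List[Change]) -> List[dict]:
    """Removed services only need a report entry (no exposed surface any more);
    everything else is queued for a rescan with a profile chosen by service type."""
    jobs = []
    for kind, host, port, svc in changes:
        if kind == "removed_service":
            jobs.append({"target": f"{host}:{port}", "action": "report_only"})
        else:
            jobs.append({"target": f"{host}:{port}", "action": "rescan",
                         "profile": "api" if svc.startswith("http") else "generic"})
    return jobs

# Constructed sample: the API gateway changes version and gains a port, a new host appears.
BASELINE: Inventory = {"api-gw.example.test": {443: "https nginx/1.18"}}
OBSERVED: Inventory = {
    "api-gw.example.test": {443: "https nginx/1.20", 8443: "https tomcat"},
    "tpp-sandbox.example.test": {22: "ssh", 443: "https"},
}

if __name__ == "__main__":
    for job in reassessment_jobs(diff_inventory(BASELINE, OBSERVED)):
        print(job)
```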