Chapter 3
Twenty-First Century Heist
This chapter is based on a consulting engagement I performed a couple of years ago for a large international bank. They had never conducted this kind of pen test before, but I'd done a lot of other testing for them in the past, so we had a sit-down to talk about what would be a good approach.
A bank has money. It's kind of the motherlode. Money is not only the asset to be protected but also the resource that makes that protection possible. Banks prioritize security at every step in a way that other organizations simply cannot: every build change to any technology, be it a web or mobile application, gets both a penetration test and a line-by-line code review. Every IP address on every external connection is penetration tested once a year.