Fiserv, which provides financial technology for banks and other financial institutions, said it has fixed a weakness in a web platform. Brian Krebs wrote that the flaw in a Fiserv web platform, which some banks and credit unions use to operate online accounts, exposed some personal and financial details of customers. Adam Brown, manager of security solutions at Synopsys, commented below.
Adam Brown, Manager of Security Solutions at Synopsys:
“To avoid this kind of issue, Fiserv would have had to go back to their design. Web applications should never allow users to access objects or controls directly. Indirect object reference maps should be used. That knowledge would be part of basic security training all software engineers should go through.
Fiserv may have some angry corporate customers, but ultimately the risk lies with those very organisations as the controllers of their own and their customer’s data. That said, it’s likely that Fiserv, as data processors, will also be held to account by privacy watchdogs.”
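The indirect object reference map named in the comment above, shown as an added Python example. It is not code from Fiserv, Synopsys or the original post; the record store, user names, and the `SessionReferenceMap` and `fetch` names are hypothetical. Each session hands out random tokens only for records its user owns, so a raw internal id or another session's token resolves to nothing.

```python
import secrets

# Constructed sample data: internal record id -> owning user (hypothetical).
RECORDS = {
    1001: {"owner": "alice", "detail": "alert settings for alice"},
    1002: {"owner": "bob", "detail": "alert settings for bob"},
    1003: {"owner": "alice", "detail": "statement for alice"},
}


class SessionReferenceMap:
    """Per-session map from opaque tokens to internal record ids."""

    def __init__(self, user):
        self.user = user
        self._token_to_id = {}
        self._id_to_token = {}

    def issue(self, record_id):
        # Only records the session's user owns ever get a token.
        record = RECORDS.get(record_id)
        if record is None or record["owner"] != self.user:
            raise PermissionError("record not available to this user")
        if record_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)
            self._id_to_token[record_id] = token
            self._token_to_id[token] = record_id
        return self._id_to_token[record_id]

    def resolve(self, token):
        # Unknown tokens (raw ids, another session's tokens) are rejected.
        record_id = self._token_to_id.get(token)
        if record_id is None:
            raise PermissionError("unknown reference")
        record = RECORDS[record_id]
        # Re-check ownership at use time in case it changed after issue.
        if record["owner"] != self.user:
            raise PermissionError("record not available to this user")
        return record


def fetch(session_map, reference):
    """Request-handler stand-in: record detail, or None if refused."""
    try:
        return session_map.resolve(str(reference))["detail"]
    except PermissionError:
        return None
```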
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.