About Fixulate

Follow us on Twitter @fixulate!

Fixulate authors have years of experience in assessing the security design of critical systems implemented at some of the UK's leading financial organisations. This includes:
  • FIX Engines
  • Order Management Systems
  • Execution Management Systems
  • Algorithmic Trading Engines
  • Order Routing Systems
  • eBanking
  • Mobile Applications
The blog will look at common security vulnerabilities and misconfigurations that are often overlooked during the design and development process.


Fixulate is a technical blog that looks at the FIX (Financial Information Exchange) Protocol from a security perspective. While there is a wealth of published information on how to implement FIX in various configurations that improve speed, availability, latency and throughput, the security work in this field is a little thin on the ground at best.

To get started, I have compiled a list of recommended reading from what is already out there on the web. If you would like to have something of yours published here, please send me an email:


The information that does detail security issues (mainly from the FIX Protocol Ltd website) generally covers the use of end-to-end encryption (PGP, SSL) to ensure the confidentiality and integrity of FIX data in transit. While this is indeed good security practice, we are increasingly seeing companies drop encryption in favour of speed and ultra-low latency. Now that FIX engine endpoints are more exposed than ever, it is important for organisations to know about vulnerabilities that may exist in their most critical IT systems.

Some topics that we will be covering very soon include:

  • Leased Lines - "It's leased so removing encryption must be OK"
  • Discovering FIX endpoints - Hide and seek with opportunistic hackers
  • Fuzzing FIX - Discovering vulnerabilities in a FIX engine and how to include security testing as part of your development life-cycle
  • Traditional vulnerabilities in FIX software (buffer overflows and format strings)
  • "Web" vulnerabilities in FIX software (SQL injection and XSS)

If there is a specific concern or area of FIX security you would like to know more about, please add a comment to let us know; we will try our best.