Security for a banking web app

 
Kunal Lakhani
Ranch Hand
Hello Members

I am working on a web project for a finance company whose functions would be similar to those of banks. So, I am concerned about the security.
This would be my first project where the main concern would be security, as the app would be hosted on a server.
I think I need to go for SSL, that's for sure. Please give your suggestions regarding security.

Thanks
 
Ulf Dittmer
Rancher
I see a fair number of questions pop up here where folks ask about what they need to do to make a web app secure, but security for a financial site is on a whole different level. With all due respect, if you never seriously worked on security then you're in way over your head. This sounds harsh, but it is quite easy to create an insecure system, and quite hard to create a secure one. Any talk of specific technologies would be premature before you have a good grasp of the issues; start reading here: http://www.coderanch.com/how-to/java/SecurityFaq. It has a section on web apps (and everything that it contains would be relevant), but a lot of the other things as well. Don't even think about working on the real site before you can explain what XSS and SQL injection are, and have created an unprotected example web app that was vulnerable to those, and you were successful in exploiting that vulnerability, and then patched it. And finally, don't start working on the site at all until the security architecture is in place - security is something you can't bolt on later, it needs to be baked in from the beginning. I realize all this sounds discouraging, but security is a serious and complicated subject, not just another "feature" that can be added at will, or without a good understanding of the issues.

Lastly, since you said that this is a bank-like site, you need to ascertain whether the organization needs to comply with PCI DSS (which adds a whole different level of requirements, including administrative and organizational changes).
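The "build it vulnerable, then patch it" exercise Ulf describes, shown here as an added example that is not part of the thread or of the SecurityFaq. It is written in Python with the standard library's sqlite3 module so it runs offline with nothing installed; the users table, the stored credentials and the plaintext password column are constructed assumptions for the demonstration (a real system would store password hashes). The same distinction applies in Java: string-built SQL through Statement versus placeholders through PreparedStatement, and raw string output versus HTML escaping in the view layer.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: user input is concatenated into the SQL text itself,
    so a quote character in the input changes the statement's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """The patch: placeholders. The driver sends the values separately from
    the SQL text, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def greeting_vulnerable(name):
    """Reflected XSS: the name is written into the page as raw HTML."""
    return "<p>Welcome, " + name + "</p>"


def greeting_escaped(name):
    """The patch: escape <, >, &, quotes so the browser renders the input
    as text instead of interpreting it as markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def run_exercise():
    """Return a dict of outcomes so the difference is visible in one place."""
    conn = make_db()
    # Classic tautology input: closes the quoted string and appends OR TRUE.
    tautology = "' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "vuln_bypassed": login_vulnerable(conn, "alice", tautology),
        "patched_rejects": not login_parameterized(conn, "alice", tautology),
        "patched_real_login": login_parameterized(conn, "alice", "correct horse"),
        "vuln_reflects_script": "<script>" in greeting_vulnerable(markup),
        "escaped_neutralizes": "<script>" not in greeting_escaped(markup),
    }


if __name__ == "__main__":
    for check, outcome in run_exercise().items():
        print(check, outcome)
```

The point of the exercise is the last three lines of each pair: the parameterized query and the escaped output do not try to recognise bad input, they remove the interpretation step that made the input dangerous. A blacklist of "bad characters" is not an equivalent fix.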
 
Kunal Lakhani
Ranch Hand
Thanks Ulf

Thanks for your valuable suggestion. Started reading the SecurityFaq.
 
Richard Tookey
Bartender
You can learn a lot from reading books and articles but that will not create a secure system. You have a very very steep learning curve and I will pretty much guarantee that you will create an insecure system unless you take advice from a well regarded security consultant. A forum such as this can help with the mechanics of security but you need more than that.

Some advice I was given many years ago by a security consultant employed to assist with the security of a web site for a major credit card company - make sure you protect your ass and voice any security concerns, no matter how small, in writing to your line managers.

 