Security for a banking web app

Kunal Lakhani
Ranch Hand

Joined: Jun 05, 2010
Posts: 622
Hello Members

I am working on a web project for a finance company whose functions would be similar to those of banks. So, I am concerned about the security.
This would be my first project where the main concern would be security, as the app would be hosted on a server.
I think I need to go for SSL, that's for sure. Please give your suggestions regarding security.


Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
I see a fair number of questions pop up here where folks ask about what they need to do to make a web app secure, but security for a financial site is on a whole different level. With all due respect, if you have never seriously worked on security then you're in way over your head. This sounds harsh, but it is quite easy to create an insecure system, and quite hard to create a secure one. Any talk of specific technologies would be premature before you have a good grasp of the issues; start reading here: it has a section on web apps (and everything that it contains would be relevant), but a lot of the other things as well. Don't even think about working on the real site before you can explain what XSS and SQL injection are, and have created an unprotected example web app that was vulnerable to those, and you were successful in exploiting that vulnerability, and then patched it. And finally, don't start working on the site at all until the security architecture is in place - security is something you can't bolt on later; it needs to be baked in from the beginning. I realize all this sounds discouraging, but security is a serious and complicated subject, not just another "feature" that can be added at will, or without a good understanding of the issues.

Lastly, since you said that this is a bank-like site, you need to ascertain whether the organization needs to comply with PCI DSS (which adds a whole different level of requirements, including administrative and organizational changes).
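The two issues named in the reply above (SQL injection and XSS) in the smallest form that can be run and tested, as an added example that is not part of this thread and not Ulf's code. It assumes Python's standard-library `sqlite3` and `html` modules as a stand-in for the JDBC/servlet stack the original poster would use (the same split applies there: `PreparedStatement` with `?` placeholders versus string concatenation, and an HTML encoder on output). The `accounts` table and its three rows are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data standing in for the finance company's customer store.
SAMPLE_ACCOUNTS = [
    ("alice", "1001", 250.00),
    ("bob", "1002", 9000.00),
    ("carol", "1003", 42.50),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, account_no TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the untrusted value is spliced into the SQL text,
    so a value containing a quote can change the structure of the query."""
    sql = (
        "SELECT username, account_no FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a parameter placeholder. The driver passes the value
    separately from the statement, so it is only ever compared as data."""
    sql = "SELECT username, account_no FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_unsafe(display_name):
    """Vulnerable form: untrusted text is written straight into HTML."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name):
    """Hardened form: encode for the HTML element context at output time."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Show the difference on one legitimate and one malformed input each."""
    conn = make_db()
    tampered = "nobody' OR '1'='1"  # constructed input with an unbalanced quote
    print("unsafe, normal  :", lookup_unsafe(conn, "alice"))
    print("unsafe, tampered:", lookup_unsafe(conn, tampered))  # every row leaks
    print("safe,   tampered:", lookup_safe(conn, tampered))    # no such user
    name = "<script>alert(1)</script>"  # constructed display name
    print(render_greeting_unsafe(name))  # markup reaches the browser intact
    print(render_greeting_safe(name))    # markup is rendered as literal text


if __name__ == "__main__":
    demo()
```

Run it once as written and compare the two `tampered` lines: the concatenated query returns all three accounts, the parameterized one returns none. That observable difference is the test Ulf describes (build the weak version, see it fail, then patch it), and the same check belongs in the project's automated tests so the parameterized form cannot quietly regress.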
Kunal Lakhani
Ranch Hand

Joined: Jun 05, 2010
Posts: 622
Thanks Ulf

Thanks for your valuable suggestion. Started reading securityfaq
Richard Tookey

Joined: Aug 27, 2012
Posts: 1166

You can learn a lot from reading books and articles but that will not create a secure system. You have a very very steep learning curve and I will pretty much guarantee that you will create an insecure system unless you take advice from a well regarded security consultant. A forum such as this can help with the mechanics of security but you need more than that.

Some advice I was given many years ago by a security consultant employed to assist with the security of a web site for a major credit card company - make sure you protect your ass and voice any security concerns, no matter how small, in writing to your line managers.

I agree. Here's the link: