Security for a banking web app

Ranch Hand
Posts: 622
Hello Members

I am working on a web project for a finance company whose functions would be similar to those of banks. So, I am concerned about security.
This would be my first project where the main concern would be security, as the app would be hosted on the server.
I think I need to go for SSL, that's for sure. Please give your suggestions regarding security.

Thanks
Rancher
Posts: 43081
77
I see a fair number of questions pop up here where folks ask about what they need to do to make a web app secure, but security for a financial site is on a whole different level. With all due respect, if you never seriously worked on security then you're in way over your head. This sounds harsh, but it is quite easy to create an insecure system, and quite hard to create a secure one. Any talk of specific technologies would be premature before you have a good grasp of the issues; start reading here: https://coderanch.com/how-to/java/SecurityFaq. It has a section on web apps (and everything that it contains would be relevant), but a lot of the other things as well. Don't even think about working on the real site before you can explain what XSS and SQL injection are, and have created an unprotected example web app that was vulnerable to those, and you were successful in exploiting that vulnerability, and then patched it. And finally, don't start working on the site at all until the security architecture is in place - security is something you can't bolt on later, it needs to be baked in from the beginning. I realize all this sounds discouraging, but security is a serious and complicated subject, not just another "feature" that can be added at will, or without a good understanding of the issues.

Lastly, since you said that this is a bank-like site, you need to ascertain whether the organization needs to comply with PCI DSS (which adds a whole different level of requirements, including administrative and organizational changes).
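Ulf's suggestion above, to build a deliberately vulnerable lookup, watch it fail, and then patch it, as an added example that is not part of this thread; it uses Python with the standard-library sqlite3 module so it runs with no database server, and the account table and owner names are constructed sample data:

```python
import sqlite3

def make_db():
    """Constructed in-memory account table (sample data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("o'brien", 40)])
    return conn

def lookup_unsafe(conn, owner):
    """The 'before' version: the caller's input is pasted into the SQL text,
    so the database cannot tell data apart from query structure."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, owner):
    """The patched version: a bound parameter is always treated as a value
    and never parsed as SQL, whatever characters it contains."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

def demo():
    """Run both versions on an honest name, a name with a legitimate
    apostrophe, and a quote-bearing input that rewrites the unsafe query."""
    conn = make_db()
    hostile = "x' OR '1'='1"
    try:
        unsafe_apostrophe = len(lookup_unsafe(conn, "o'brien"))
    except sqlite3.Error:
        # The stray quote is a syntax error: the bug breaks real users too.
        unsafe_apostrophe = None
    return {
        "unsafe_honest": len(lookup_unsafe(conn, "alice")),
        "unsafe_apostrophe": unsafe_apostrophe,
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),   # every row
        "safe_honest": len(lookup_safe(conn, "alice")),
        "safe_apostrophe": len(lookup_safe(conn, "o'brien")),
        "safe_hostile": len(lookup_safe(conn, hostile)),       # no match
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same lesson carries over to JDBC, where PreparedStatement plays the role of the bound parameter.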
Kunal Lakhani
Ranch Hand
Posts: 622
Thanks Ulf

Thanks for your valuable suggestion. Started reading the Security FAQ.
Bartender
Posts: 1166
17
You can learn a lot from reading books and articles but that will not create a secure system. You have a very very steep learning curve and I will pretty much guarantee that you will create an insecure system unless you take advice from a well regarded security consultant. A forum such as this can help with the mechanics of security but you need more than that.

Some advice I was given many years ago by a security consultant employed to assist with the security of a web site for a major credit card company - make sure you protect your ass and voice any security concerns, no matter how small, in writing to your line managers.