Homunculus Reticulli

Reputation: 68486

Securing a financial application with a web interface

I am in the process of designing an application that users will be able to log on to remotely and use, via a web interface.

Security is of paramount importance (think credit card and personal banking type information), so I need to make sure that I get the security aspect nailed down - HARD.

I intend to provide the application functionality via traditional (stateful) web pages, as well as web services.

For what it's worth, I am intending to use web2py as my web application framework.

Is there a list of guidelines I can follow to make sure that I have all areas covered?

Upvotes: 1

Views: 118

Answers (3)

Cheekysoft

Reputation: 35590

Your biggest threat, by far, is writing server-side webapp code that introduces vulnerabilities in your web application layer. This is not something you can checklist. For a starter, make sure you are 100% comfortable with the items in the OWASP Top Ten and understand how to code safely against them. If you are not expert in web application vulnerabilities, strongly consider hiring someone who is to help review the web layer. At the least, I would consider contacting a security testing company to perform some form of penetration testing, preferably with a code review component.

If you ever do anything with credit card data, you will need to comply with the PCI DSS which will require at least quarterly remote-testing from an Approved Scanning Vendor.

Upvotes: 0

ChrisLively

Reputation: 88092

One stop shopping: https://www.owasp.org/index.php/Main_Page

Read that and take every suggestion to heart.

Upvotes: 2

kardenal.mendoza

Reputation: 85

You should consider at least the following:

  • Authentication. Getting users to log on in some manner. Which authentication method they use depends on what you aim to provide.

  • Privacy. Making sure the information they send is only visible to them and your application, and not to an eavesdropper.

In the simplest case SSL can take care of both of the above. It will always provide encryption, but can also be used to authenticate, or at least make some simple authentication mechanism more secure. One thing to look at is the security of SSL. SSL is susceptible to a man-in-the-middle attack, particularly when the users already have a trust relationship with, say, their employer, who can then proceed to install an SSL gateway which is effectively a MITM.

  • Authorisation. Making sure users are only allowed to see what you want them to see and no more.

This really depends on the technology you are using.

  • Non-repudiation. Making sure the user cannot dispute the actions they perform.

This is a very open-ended question. Legally this is seldom (never?) used, so it depends... Something like signed logs of user-requested actions, for example, is probably enough.

Upvotes: 0
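One way to realise the "signed logs of user-requested actions" idea from the answer above, as an added example that is not code from the answer, from web2py, or from any other project: an append-only audit log in which each entry carries an HMAC over its own content and the previous entry's signature, so editing, deleting or reordering an entry breaks the chain. The key, the `AuditLog` class, `verify_chain`, and the sample user actions are all assumptions constructed for this example; the key in particular would live in a secrets store or HSM in a real deployment.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: a real deployment keeps this key in a secrets store or HSM,
# rotated and never in source control. Constructed for this example only.
LOG_KEY = b"example-audit-log-key-constructed-for-demo"

GENESIS_SIG = "0" * 64  # chain anchor "before" the first entry


def canonical(record: Dict) -> bytes:
    # Canonical JSON: fixed key order and spacing, so the same record always
    # produces the same bytes regardless of how the dict was built.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, prev_sig: str, record: Dict) -> str:
    # HMAC over the previous signature plus this record: every entry commits
    # to the whole history before it, not just to itself.
    return hmac.new(key, prev_sig.encode() + canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, HMAC-chained log of user-requested actions (constructed example)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.entries: List[Dict] = []

    def append(self, user: str, action: str, **details) -> Dict:
        record = {"seq": len(self.entries), "user": user, "action": action, "details": details}
        prev_sig = self.entries[-1]["sig"] if self.entries else GENESIS_SIG
        entry = {"record": record, "sig": sign_record(self.key, prev_sig, record)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Latest signature. Store it out-of-band (a separate system, a daily
        # notarised value) so that silently dropping the newest entries is detectable.
        return self.entries[-1]["sig"] if self.entries else GENESIS_SIG


def verify_chain(key: bytes, entries: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry).

    Tail truncation is only detected when expected_head is supplied, because a
    chain that simply stops early is still internally consistent."""
    prev_sig = GENESIS_SIG
    for i, entry in enumerate(entries):
        record = entry.get("record", {})
        if record.get("seq") != i:  # a removed or reordered entry shifts sequence numbers
            return False, i
        expected = sign_record(key, prev_sig, record)
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False, i
        prev_sig = entry["sig"]
    if expected_head is not None and not hmac.compare_digest(prev_sig, expected_head):
        return False, len(entries)
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build a constructed log, then show which kinds of tampering the verifier catches."""
    log = AuditLog(LOG_KEY)
    log.append("alice", "login", ip="203.0.113.5")  # constructed sample data
    log.append("alice", "transfer", to_account="1234", amount=250)
    log.append("alice", "logout")
    head = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["details"]["amount"] = 250000  # alter the stored transfer amount

    removed = copy.deepcopy(log.entries)
    del removed[1]  # drop the transfer entry entirely

    truncated = copy.deepcopy(log.entries)[:2]  # drop the most recent entry

    return {
        "intact": verify_chain(LOG_KEY, log.entries, head),
        "edited": verify_chain(LOG_KEY, edited, head),
        "removed": verify_chain(LOG_KEY, removed, head),
        "truncated_no_head": verify_chain(LOG_KEY, truncated),
        "truncated_with_head": verify_chain(LOG_KEY, truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_index={bad}")
```

The chain makes edits and deletions in the middle of the log evident to anyone holding the key, but an HMAC only proves integrity to a party that shares the key, so if the log must stand up against the operator of the application itself, the head value needs to be anchored somewhere the operator cannot rewrite, or the scheme needs an asymmetric signature with the private key held outside the application.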
