
I am building an online banking service in ASP.NET and my objective is to implement all possible security measures. Currently at database level I am using RES 2048 bit encryption to encrypt database columns that contain confidential data. Also I am planning to use SSL on my network. I am protecting the front end from CSRF and XSS attacks. I am also using password hashing while comparing. But I want a list of all security measures that can be done to protect a bank website completely. Can you suggest such a list?

  • If you need to ask, you probably aren't qualified to do it. – Mark Nov 05 '14 at 09:32
  • Yeah, I'm not qualified. But I am not building this site for an actual bank. I just want to present the security measures practically. My senior wants a project that implements all possible measures. – Aishwarya Shiva Nov 08 '14 at 05:29

1 Answer


I would start by looking at the OWASP Top 10. Of course there is (a lot) more to it than just having a list. There might also be regulations in your country which should be considered. I highly recommend you look into this first.

Have you thought about the following:

  1. Two factor authentication: How are you going to implement this? (Token list, SMS message, phone app, card reader with challenge response, certificate based)
  2. Implementing a strong authorization mechanism. (Consider using state; although many people think (REST) APIs should be stateless, I totally disagree)
  3. Communicate to the back-end systems through APIs. These APIs should check if a user is authorized to perform this action (see #2)
  4. What actions can clients perform once they are logged in? (Think about upload functionality for example) Perform content scanning to detect malware and viruses. If for example pictures are required to be uploaded (a bill for example), consider converting the picture (8 bit) in order to get rid of possible "payloads".
  5. Clients should be challenged when performing sensitive operations.
  6. Implement mutual authentication (also called two-way SSL authentication) from the middleware to the back-end systems.

These are just a few items to consider and the list is far from complete. I hope this gives you at least a start.

It is highly recommended to perform security assessments and secure code reviews on all of your code (regularly).

Another thing to consider is to have a security expert involved early in the process. My personal experience is that security professionals are generally asked to perform a security assessment when they want to go to production two weeks later.

Jeroen
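As an added illustration of items 3 and 5 from the answer (example code written for this page, not code from the answer or from the asker's project), here is how an ASP.NET Core transfer endpoint can make the API itself verify that the caller owns the account it is acting on, and refuse a sensitive operation until the session carries proof of a second-factor challenge. The `Account`, `TransferRequest` and `IAccountRepository` types, the 1000 threshold and the `"amr"`/`"mfa"` claim are assumptions; the asker's 2014-era ASP.NET would use the equivalent classic-pipeline APIs.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain types; the real project's model will differ.
public record Account(string Id, string OwnerId);
public record TransferRequest(string SourceAccountId, string DestinationAccountId, decimal Amount);
public interface IAccountRepository { Task<Account?> FindAsync(string id); }

// Item 3: the caller must own the account named in the request, checked against the resource itself.
public class AccountOwnerRequirement : IAuthorizationRequirement { }
public class AccountOwnerHandler : AuthorizationHandler<AccountOwnerRequirement, Account>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        AccountOwnerRequirement requirement, Account account)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null && userId == account.OwnerId)
            context.Succeed(requirement);
        // Not calling Succeed() is a denial; Fail() is reserved for hard vetoes.
        return Task.CompletedTask;
    }
}

[ApiController, Route("api/transfers"), Authorize]
public class TransfersController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IAccountRepository _accounts;
    public TransfersController(IAuthorizationService authz, IAccountRepository accounts)
        => (_authz, _accounts) = (authz, accounts);

    [HttpPost]
    public async Task<IActionResult> Transfer([FromBody] TransferRequest req)
    {
        // Resolve the account server-side; the posted id is untrusted input.
        var source = await _accounts.FindAsync(req.SourceAccountId);
        if (source is null) return NotFound();

        // Resource-based check: may this user move money out of *this* account?
        var owner = await _authz.AuthorizeAsync(User, source, new AccountOwnerRequirement());
        if (!owner.Succeeded) return Forbid();

        // Item 5: a large transfer is a sensitive operation. The 2FA challenge is assumed
        // to add an "amr"="mfa" claim to the session; without it the request is refused.
        if (req.Amount > 1000m && !User.HasClaim("amr", "mfa")) return Forbid();

        return Ok(); // the actual transfer would be forwarded to the back-end API here
    }
}
```

The handler only runs if it is registered (`services.AddSingleton<IAuthorizationHandler, AccountOwnerHandler>()`), and the same resource-based check belongs on every endpoint that accepts an account identifier, not just the transfer one.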