I searched all over the internet trying to get a guidance about the security practices for a really secured site like an online banking site and didn’t find any.
My interest is to know what practices you are using in following areas:
- Communication: definitely using SSL … any extra tips to protect against “man-in-the-middle” attacks.
- Authentication: username + password + captcha + time limits + enforce regular changes.
- Navigation between pages: Is there such thing ?
- Prevent XSS and XSRF: already in the platform.
- Encrypt sensitive data on client and server: like what exactly ? should there be sensitive data on the client ?
- Fine tuned authorization: show/hide + execute commands + permissions.
- Auditing ? what ? and how this differs from logging.
- Page level security: prevent manipulation in page content (Do we actually need this?)
And how to detect penetration attempts ? Monitor IPs, Lock certain accounts … ?
Is there a way to test or simulate threats ?
I would start with PCI-DSS guidance as a baseline for protecting the data.
PCI-DSS is the Payment Card Industry Data Security Standard. It’s the industries first attempt to lay down guidelines for protecting data around the banking area. The guidelines are specifically for cardholder data, but are a great resource for protection of data in general. PCI requirements include yearly onsite audits, and quarterly network scans.
Another good resource is OWASP which offers guidance on security of web applications in general
OWASP goes into a lot of detail about how to perform threat modelling, test for (and correct) common vulnerabilities. For the quick start head to the OWASP Top Ten