Payment systems
German Zvonchuk, 2015-05-12 09:25:32

Where are security standards in web applications described?

Good morning.
I would be very grateful to you if you tell me what standards exist related to information security for Internet banking systems.
I have some tasks that I would like to solve according to security standards.
1) in the WEB, in the authorization form, is it possible to put a "remember login and password" checkbox?
2) in the WEB, in the authorization form, is it possible to put a "remember login" checkbox?
3) is it necessary to store the IP addresses from which authorizations were made?
4) is it necessary to assign an expiration time to the tokens that are issued for authorization in the iOS and Android mobile applications?
5) if a client does a "LOGOUT" in the mobile app, should ALL tokens for that client be killed?
6) should the issued tokens, their time of issue and the date of last use be shown in the user's account?
The token is issued when you try to log in to the mobile application, provided that the sent login and password are correct.


6 answer(s)
g00dv1n, 2015-05-12
@g00dv1n

OWASP

sim3x, 2015-05-12
@sim3x

1) in the WEB, in the authorization form, is it possible to put a "remember login and password" checkbox
2) in the WEB, in the authorization form, is it possible to put a "remember login" checkbox
No. If the user wants that, Chrome/Firefox will ask them.
3) is it necessary to store the IP addresses from which authorizations were made
Worth doing. If you work with money, definitely. Try not to work with money without a sensible TL from whom you can clarify the details.
4) is it necessary to set an expiration time for the tokens issued for authorization in the iOS and Android mobile applications?
Worth doing. But such security can disrupt the business process. It is better to use an additional password/token request for individual operations.
5) if a client does a "LOGOUT" in the mobile app, kill ALL tokens for that client?
It is better to ask the client separately. The default setting is to be agreed with the customer.
6) show the issued tokens, time of issue and date of last use in the user's account?
Worth doing. If you operate with money, definitely.
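A minimal server-side token store covering points 3 to 6 of the question (recording login IPs, token expiry, LOGOUT revoking every token of the user, and listing sessions with issue time and last use for the account page). This is an added example, not code from the question or from any of the answers; the 30-day TTL, the SHA-256-keyed in-memory dict and the injected clock are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL = 30 * 24 * 3600  # seconds; assumed value, to be agreed with the business

@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float
    issued_ip: str       # point 3: where the login came from
    last_used_at: float  # point 6: shown in the user's account
    last_ip: str

class TokenStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}  # keyed by SHA-256 of the token

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, ip: str, now: float) -> str:
        """Called only after login and password were verified (point 4: expiry set)."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(user, now, now + TOKEN_TTL, ip, now, ip)
        return token

    def authenticate(self, token: str, ip: str, now: float) -> Optional[str]:
        """Return the user for a live token and record IP and time of use, else None."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None or now >= s.expires_at:
            self._sessions.pop(key, None)  # expired tokens are purged on sight
            return None
        s.last_used_at, s.last_ip = now, ip
        return s.user

    def logout_all(self, user: str) -> int:
        """Point 5: LOGOUT revokes every token of the user; returns how many."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def list_sessions(self, user: str) -> List[Session]:
        """Point 6: active sessions with issue time and last use for the account page."""
        return [s for s in self._sessions.values() if s.user == user]
```

Only the hash of each token is kept server-side, so a leaked session table does not hand out usable tokens.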

Alexander Kubintsev, 2015-05-12
@akubintsev

If we are talking about Internet banking, then first of all we need to start from PCI DSS.

Artem, 2015-05-12
@ulkoart

You can start with ISO 2700*, and then according to circumstances.

Maxim Kudryavtsev, 2015-05-12
@kumaxim

First, see the regulatory documents of the Central Bank. Open the site cbr.ru directly (which I found in 5 minutes of searching).
Then, the long-suffering 152-FZ "On Personal Data".
Also, do not forget about the RD SVT and RD AS (if you write the code).
PCI DSS is the standard for the Visa/MasterCard payment systems. If your bank does not work with cards (for example, you only work with the settlement accounts of legal entities), then you do not need it.

DaNHell, 2015-05-21
@DaNHell

owasp
short, clear and tasteful
https://www.owasp.org/index.php/REST_Security_Chea...
