Internet Facing Bank Application

From Guidance Share

Jump to: navigation, search



  • Context: Large bank
  • App Type: Web application
  • App Function: Line of Business application – online banking
  • Deployment: Internet facing. Distributed N-Tier (web to remote app tier to database)
  • User base: >50,000 end users
  • App Team: >10 devs, 3 testers, 2 PMs, 1 Biz Analyst, 1 Architect + outsourced test team
  • Platform/Technologies: Win2003, SQL Server 2005, .NET Framework 2.0, ASP.NET 2.0, WSE 3.0.MSMQ, MF connectivity using different technologies

Context and Problem

Large solution provider was contracted by bank to build new web applicatiion from scratch to provide bank’s customers with online banking expirience. The application was to be built on recent MS technologies. Since the bank requiered the app to be built with security best practices the contructor turned to microsoft’s Security Engineering for help. Worth to mention that the project was in very progressive stages when Security Engineering team came in. We found that:

1. There is no common understanding what app security is built of. 2. There is no methodology for app security in place. 3. There are no time buffers left.


We presented Security Engineering approach to the client and the dev team thus establishing common ground for what app security is – based on Security Frame. We presented Security Engineering baseline activites [archinspection, tm etc] on top of project plan making sure that everyone understands that we have high ROI approach that is integrated into natural development life-cycle. During design inspection and threat modeling we discovered many high priority issues that were addresed immed before it would be discovered during pen testing or even worse when in production by attackers. We worked iteratevly without heavy interrupts for the project.

Also we did not use any propriatary methods or knowledge base – everything we did was based on Security Engineering from p&p enabling the dev teams to use it freely without being tight to MCS or other consulting bodies – neither in terms of knowledge and other resources nor in terms of IP and costs


  • Everyone talked common language in terms of “Security Frame”
  • PMs could see the schedule and our activites and investments – training, security design inspection,TM, code inspection, deployment inspection
  • Development teams easly navigated how-to’s looking for right solution for security issue.
  • Business Development Managers were presented with rated risk management tables for each aspect of app security ane was able to make decisions based on this
Personal tools