In our information society we have to take proper care of the data we generate, share and use. A substantial volume of information is available now that the world wide web has permeated our daily life. Depending on the configuration, publishers may serve users publicly or in a predefined domain.
Nowadays almost all financial institutions provide a web interface for online banking, which may also prove to be a vulnerability. External attacks aimed at customer data are frequent. At the same time internal employees, by abusing their rights, may also cause substantial financial damage and may ruin the reputation of the company. This inspired me to structure my thesis project around the security of banking database systems, where there are a lot of data to protect, a lot of functions and regulations on the proper functioning of the systems.
In my thesis project I provide security-focused specification, design, implementation and vulnerability assessment of a simplified, publicly and privately available banking application in a way so that the methods applied will be as general as possible.
During my work I specified several roles and functions, and assigned them to the data stored in the database. I designed the application, its data model and its data protection layer. There are two versions for the data protection layer: in the first version it is in the database tier, in the second it is in the business logic tier. I fully implemented the system with both approaches.
The main objective of testing is to check if data protection rules work properly under all circumstances; approximately 100 tests were carried out with 3 tools. The other goal of testing was to assess the vulnerability of the web application to internal/external attacks; this involved 50-60 additional tests.
It should not be forgotten that security rules may change in any way, which necessitates a data protection compliance check (with automated help). I have found that the optimal solution for development and maintenance time is ensured by the combination of the two security approaches.