How to build an online bank?

jezzad

Expert Member
Joined
Jan 2, 2013
Messages
1,400
How do the likes of FNB, Standard Bank etc. build, maintain and secure their online banking portal?

I'm interested in the systems they have in place to secure their site and credibility.


I'm going to assume they would have a team of in-house developers; would people need to be background checked?

Secure physical working environment (access control)?

Dedicated QA and testing team with actual devices?

Numerous policies to control deployments, with different user rights and sign-offs required?

Code reviews to check for vulnerabilities and potential back doors?

More than one person would need to sign off a deployment?

Would they limit the use of mobile devices and USB drives?

How does an update get pushed? Is this done by a version control that requires more than one approval?
 

MickZA

Executive Member
Joined
Jan 19, 2007
Messages
7,575
I know someone in their team but she reckons that if she told me she'd have to kill me :)
 

^^vampire^^

Expert Member
Joined
Feb 17, 2009
Messages
3,877
You get all these wonderful ideas about source control, process, structure etc. etc., and then you work at a place like this and...

* You find the people working on the source control don't know how it works, so every commit is a ****up
* The processes start at the beginning of the project and everything becomes RAD anyway (happens all over the world, so don't be scared)
* Anything needing approval usually just gets scrapped, as there is such a long chain of sign-off that you only get the go-ahead months later, that's if the stuff doesn't get lost along the way and you have to start again.
* There is only one person that has researched the likes of TeamCity and they built the first build file, meaning everything being deployed is at the mercy of that.
* Most things are run by people in different departments using Excel files which they send to you to process.
* After 2 weeks you build a tool that processes all these different files so that you can log 8hrs for processing files when it now takes 8min
* You wind up reading stuff on the internet and hoping you die because the job is so boring
* The site is secured by only one DB admin being allowed to run scripts; he has been there for years and is the only one left who actually knows how things work. There is also SSL and some password hashing that someone found on Stack Overflow
* Testing would be mine and Jeff's Samsungs, the boss's Apple and that random iPad someone left in the corner 2 months ago.
 

Hamster

Resident Rodent
Joined
Aug 22, 2006
Messages
42,920
How do the likes of FNB, Standard Bank etc. build, maintain and secure their online banking portal?

I'm interested in the systems they have in place to secure their site and credibility.


I'm going to assume they would have a team of in-house developers; would people need to be background checked?

Secure physical working environment (access control)?

Dedicated QA and testing team with actual devices?

Numerous policies to control deployments, with different user rights and sign-offs required?

Code reviews to check for vulnerabilities and potential back doors?

More than one person would need to sign off a deployment?

Would they limit the use of mobile devices and USB drives?

How does an update get pushed? Is this done by a version control that requires more than one approval?

You'd be surprised how inefficient some of these teams are. But, the one bank I worked for:

Mix between permanent staff and contractors (for heavy lifting)
NDAs all round
All financial interests declared, embargo periods where certain shares may not be traded.
Source control - I moved them from TFS to Git
Code reviews - introduced the concept via Bitbucket Server/Stash
Release - automated their copy-paste process.
CI - Jenkins, gocd

Other teams of contractors switched other departments to Chef.

Departments tend to work in isolation, hence very different ways of doing things per department, including security. There is/was an initiative to use centralised security. We kept ours as fallback, made use of her tokens etc.

-----------

Or, like one of the newer banks, you could just make use of a bank component written by SAP.
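The "code reviews via Bitbucket" and "more than one approval before a release" controls that come up in this post (and in the OP's question about version control requiring more than one approval) boil down to a separation-of-duties gate. Below is an added example of such a gate, written for this thread and not taken from any bank's or forum member's tooling. It assumes a change record with an author, the head commit that would be deployed, and a list of approvals, plus a constructed roster of authorised approvers; the names `Change`, `Approval`, `ALLOWED_APPROVERS` and `MIN_APPROVALS` are my own for the example. It goes a little beyond the post by also rejecting self-approval and approvals that were given on an older commit than the one being shipped.

```python
"""
Separation-of-duties release gate (illustrative, not any bank's real tooling).

A change may be deployed only if at least MIN_APPROVALS distinct, authorised
reviewers approved the exact commit that will be deployed, and the author does
not count as one of their own approvers.
"""
from dataclasses import dataclass, field

MIN_APPROVALS = 2  # the "more than one sign-off" rule from the thread

# Constructed roster for this example; in a real setup this would come from a
# directory group, not a hard-coded set.
ALLOWED_APPROVERS = {"lead-dev", "pm", "it-manager", "coo"}


@dataclass(frozen=True)
class Approval:
    reviewer: str
    commit: str  # the commit the reviewer actually looked at


@dataclass
class Change:
    author: str
    head_commit: str  # what would actually be deployed
    approvals: list = field(default_factory=list)


def evaluate(change: Change) -> tuple[bool, list[str]]:
    """Return (allowed, notes). Notes explain every approval that was discarded
    and, if the gate fails, why."""
    notes = []
    valid_reviewers = set()
    for a in change.approvals:
        if a.reviewer == change.author:
            notes.append(f"discarded: {a.reviewer} approved their own change")
        elif a.reviewer not in ALLOWED_APPROVERS:
            notes.append(f"discarded: {a.reviewer} is not an authorised approver")
        elif a.commit != change.head_commit:
            # A review of an older commit says nothing about what is shipping now.
            notes.append(f"discarded: stale approval by {a.reviewer} "
                         f"on {a.commit[:7]} (head is {change.head_commit[:7]})")
        else:
            valid_reviewers.add(a.reviewer)  # set: the same reviewer counts once
    allowed = len(valid_reviewers) >= MIN_APPROVALS
    if not allowed:
        notes.append(f"blocked: {len(valid_reviewers)} valid approval(s), "
                     f"need {MIN_APPROVALS}")
    return allowed, notes


def can_deploy(change: Change) -> bool:
    return evaluate(change)[0]


if __name__ == "__main__":
    # Constructed sample: a change approved on the head commit by two reviewers,
    # plus a self-approval and a stale approval that should both be ignored.
    head = "c0ffee1234567890"
    change = Change(
        author="dev-alice",
        head_commit=head,
        approvals=[
            Approval("dev-alice", head),            # self-approval
            Approval("lead-dev", "deadbeef0000000"),  # stale, earlier commit
            Approval("lead-dev", head),
            Approval("pm", head),
        ],
    )
    ok, why = evaluate(change)
    print("deploy allowed:", ok)
    for line in why:
        print(" -", line)
```

Running it prints that the deployment is allowed, with two "discarded" notes for the self-approval and the stale approval. The point of tracking the commit on each approval is the one a reviewer process most often gets wrong: pushing a new commit after sign-off should invalidate the sign-off, otherwise the "two people looked at this" guarantee is not about the code that actually ships.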
 

Hamster

Resident Rodent
Joined
Aug 22, 2006
Messages
42,920
Would they limit the use of mobile devices and USB drives?

How does an update get pushed? Is this done by a version control that requires more than one approval?

A certain red bank is very strict on third-party devices, including laptops. A certain blue bank allowed (by turning a blind eye) us to install Linux and go nuts on our own machines.

Publishing: there's this thing called a CAB meeting where everybody up the ladder makes sure their voice is heard and that their ass is covered. Once this hours-long meeting is done you get a release date and time. If anything changes in that time you need approval again.

Banks are a pain in the ass to work for.
 

Necropolis

Executive Member
Joined
Feb 26, 2007
Messages
8,401
Go have a look at what is required to pass a PCI DSS audit - that'll give you a good idea of what they should be doing.
 

abvrnd

Banned
Joined
May 17, 2017
Messages
87
I think you would stash your cash under your mattress if you knew what went on behind closed doors...
 

Solarion

Honorary Master
Joined
Nov 14, 2012
Messages
21,885
How do the likes of FNB, Standard Bank etc. build, maintain and secure their online banking portal?

I'm interested in the systems they have in place to secure their site and credibility.

The only person who would know that would be the IT Manager.


I'm going to assume they would have a team of in-house developers; would people need to be background checked?

Yes and yes. Quite a big team, +/- 25 IT techies and devs, usually at the head office.

Secure physical working environment (access control)?

Yup

Dedicated QA and testing team with actual devices?

Yes

Numerous policies to control deployments, with different user rights and sign-offs required?

Yes

Code reviews to check for vulnerabilities and potential back doors?

Always

More than one person would need to sign off a deployment?

Usually the head developer, the project manager, the IT Manager, then the COO.

Would they limit the use of mobile devices and USB drives?

Not allowed on site.

How does an update get pushed? Is this done by a version control that requires more than one approval?

Exactly that.