I searched all over the internet trying to get guidance about the security practices for a really secure site, like an online banking site, and didn't find any. My interest is to know what practices you are using in the following areas:
- Communication: definitely using SSL ... any extra tips to protect against "man-in-the-middle" attacks.
- Authentication: username + password + captcha + time limits + enforce regular changes.
- Navigation between pages: Is there such a thing?
- Prevent XSS and XSRF: already in the platform.
- Encrypt sensitive data on client and server: like what exactly? Should there be sensitive data on the client?
- Fine tuned authorization: show/hide + execute commands + permissions.
- Auditing? What? And how does this differ from logging?
- Page level security: prevent manipulation in page content (Do we actually need this?)
And how do I detect penetration attempts? Monitor IPs, lock certain accounts...? Is there a way to test or simulate threats?
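The last point of the question (monitoring IPs and locking accounts) is the one most easily shown in code. The following is an added example, not part of the original question and not any particular platform's code: it runs over constructed authentication log lines in an assumed format (`<ISO time> login <ok|fail> user=<name> ip=<addr>`), counts failures per source IP and per account in a sliding window, raises an alert when one IP produces a burst of failures (and again when that IP then succeeds, the credential-stuffing signature), temporarily locks an account under distributed guessing, and keeps the security decisions in an audit record that is separate from the failure counters. The thresholds and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not from the question): "<ISO time> login <ok|fail> user=<name> ip=<addr>"
LINE_RE = re.compile(r'^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$')

WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed value)
IP_FAIL_LIMIT = 10              # failures from one IP in WINDOW -> alert (assumed value)
ACCOUNT_FAIL_LIMIT = 5          # failures against one account in WINDOW -> temporary lock (assumed value)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.fromisoformat(ev['ts'])
    return ev


class AuthMonitor:
    def __init__(self):
        self.ip_fail = defaultdict(deque)    # ip -> timestamps of recent failures
        self.acct_fail = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked = {}                     # account -> lock expiry
        self.alerts = []                     # (kind, subject, ts) handed to the SOC
        self.audit = []                      # (ts, event, user, ip): record of security decisions

    @staticmethod
    def _recent(bucket, key, ts, add):
        """Count failures for `key` inside WINDOW, optionally recording this one first."""
        q = bucket[key]
        if add:
            q.append(ts)
        while q and ts - q[0] > WINDOW:      # drop entries that fell out of the window
            q.popleft()
        return len(q)

    def observe(self, ev):
        ts, user, ip = ev['ts'], ev['user'], ev['ip']
        until = self.locked.get(user)
        if until is not None and ts < until:
            self.audit.append((ts, 'rejected_locked', user, ip))
            return 'locked'
        if ev['result'] == 'ok':
            # A success right after a burst of failures from the same IP is the
            # credential-stuffing signature worth paging on.
            if self._recent(self.ip_fail, ip, ts, add=False) >= IP_FAIL_LIMIT:
                self.alerts.append(('success_after_burst', ip, ts))
            self.audit.append((ts, 'login_ok', user, ip))
            return 'ok'
        n_ip = self._recent(self.ip_fail, ip, ts, add=True)
        n_acct = self._recent(self.acct_fail, user, ts, add=True)
        self.audit.append((ts, 'login_fail', user, ip))
        if n_ip == IP_FAIL_LIMIT:            # alert once per burst, not once per attempt
            self.alerts.append(('ip_burst', ip, ts))
        if n_acct >= ACCOUNT_FAIL_LIMIT:
            self.locked[user] = ts + WINDOW
            self.audit.append((ts, 'account_locked', user, ip))
            return 'lock'
        return 'fail'


def analyze(lines):
    """Feed lines in order; return the monitor and the per-line outcome."""
    mon = AuthMonitor()
    outcomes = []
    for line in lines:
        ev = parse(line)
        if ev is None:                       # unparseable input is skipped, not trusted
            continue
        outcomes.append(mon.observe(ev))
    return mon, outcomes


# Constructed sample: 12 failures on different accounts from one IP followed by a
# success (credential stuffing), then 5 failures on one account from different IPs
# (distributed guessing), then that account's real owner tries to log in.
SAMPLE_LINES = (
    [f'2024-05-01T10:00:{i:02d} login fail user=u{i:02d} ip=203.0.113.7' for i in range(12)]
    + ['2024-05-01T10:00:12 login ok user=u13 ip=203.0.113.7',
       '2024-05-01T10:00:30 login ok user=bob ip=192.0.2.20']
    + [f'2024-05-01T10:01:{i:02d} login fail user=alice ip=198.51.100.{i + 1}' for i in range(5)]
    + ['2024-05-01T10:01:05 login ok user=alice ip=192.0.2.10',   # real owner, still locked
       '2024-05-01T10:07:00 login ok user=alice ip=192.0.2.10',   # lock has expired
       'garbage line that does not parse']
)

if __name__ == '__main__':
    mon, outcomes = analyze(SAMPLE_LINES)
    for a in mon.alerts:
        print('ALERT', a)
    print('locked:', mon.locked)
    print('outcomes:', outcomes)
```

Two design points are worth noting. Locking an account on failures alone lets an attacker who knows a username lock its owner out, so a per-account lock should be short and paired with IP-based throttling or a step-up challenge rather than used on its own. The `audit` list is what distinguishes auditing from logging here: it records each security decision with its subject and outcome (who was rejected, which account was locked, from where), and in a real deployment would be append-only and shipped off the host, while the failure counters are transient state that can be discarded.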