
I've worked on financial systems before. As others have stated, if you're dealing with real money, then you have a big bulls-eye painted on your forehead, and you need to make sure that your system is hardened.

I don't know if you're already doing these things, but I'll just throw them out there and let you ignore them if you do.

Make sure you understand attack vectors and protect against them. XSS, SQL Injection, man-in-the-middle, etc. Make sure your passwords are salted and hashed.

Auditing. Can't emphasize this enough. Things will go wrong, and when they do, you need to be able to tell when, where, and why. In our case, we had shadow tables in our database where we logged changes, and then consolidated and exported that data into an auditing system. We could confirm that a user made X change at Y time from Z IP address.

Also, a bit of a newbie mistake that I see from time to time. Don't use double or float with money.
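An added illustration of that last point, not code from this thread: the same ledger summed as Float drifts off by a fraction of a cent, while integer minor units (cents) stay exact, including the classic "split an amount N ways" case. Function names and the constructed sample ledger are my own.

```ruby
# Added example (not from the thread): Float vs integer cents for money.

# Sum amounts held as Floats. 0.1 has no exact binary form, so the
# rounding error compounds with every addition.
def float_total(amounts)
  amounts.inject(0.0) { |sum, a| sum + a }
end

# Money as an integer number of cents: add/subtract/compare are exact,
# so a ledger balances to the cent.
def cents_total(cents)
  cents.sum
end

# Parse a decimal string such as "19.99" into integer cents without ever
# passing through Float. Rejects anything with more than two decimals.
def parse_cents(str)
  m = /\A(-?)(\d+)(?:\.(\d{1,2}))?\z/.match(str.strip)
  raise ArgumentError, "bad amount: #{str.inspect}" unless m
  sign, whole, frac = m[1], m[2], (m[3] || "").ljust(2, "0")
  value = whole.to_i * 100 + frac.to_i
  sign == "-" ? -value : value
end

# Format integer cents back into a display string.
def format_cents(cents)
  sign = cents < 0 ? "-" : ""
  whole, frac = cents.abs.divmod(100)
  format("%s%d.%02d", sign, whole, frac)
end

# Split an amount into n shares that add back up to exactly the original.
# Leftover cents go to the first shares; with Float a cent would be lost
# or invented here.
def split_cents(cents, n)
  base, rem = cents.divmod(n)
  Array.new(n) { |i| base + (i < rem ? 1 : 0) }
end

if __FILE__ == $PROGRAM_NAME
  ledger = ["0.10"] * 10                       # constructed sample ledger
  puts float_total(ledger.map(&:to_f))          # 0.9999999999999999
  cents = ledger.map { |s| parse_cents(s) }
  puts format_cents(cents_total(cents))         # 1.00
  p split_cents(parse_cents("100.00"), 3)       # [3334, 3333, 3333]
end
```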

-----

> Make sure your passwords are salted and hashed.

Better, use bcrypt:

http://codahale.com/how-to-safely-store-a-password/

Or if you really want to go pro, use Colin Percival's scrypt:

http://www.tarsnap.com/scrypt.html

-----


I have already been using salted BCrypt since day one. I know how important security is.

-----


If you're not already, use Devise.

https://github.com/plataformatec/devise

It's ballin'. Bcrypt by default, too.

-----


Devise has too many features that I don't really need. I followed Ryan Bates's advice: use the nifty:authentication generator.

-----


You can choose which features you use. For instance, I've never used the single sign on/access token functionality. The reset password, account lockouts, etc. are awesome.

-----


Salting is unnecessary.

-----


Don't forget CSRF, and don't do destructive actions via GETs.

-----


Most actions are RESTful, and CSRF is Rails' default.

-----
