Secure Financial Operations with ASP.NET

2012-05-02 by Marina Astapchik

The objective of this article is to show how to build a secure web application for financial operations: which parts of the system to expose, how to protect the channels between them, and what to log.

First we start with the architecture.

To make our application secure, we can use a three-layer architecture: we split the application into a database layer, a business-logic (BL) layer and a presentation layer, each on its own server. These layers are illustrated in Figure 1:

Why do this? From the figure we can see that only the presentation layer is reachable from the web, so we reduce the risk of the application being broken into, because the business-logic layer is never exposed to the Internet directly. We can improve this scheme further by restricting incoming requests on the BL server to the IP addresses of the presentation servers (with the IIS IP and Domain Restrictions feature, or with a firewall rule in front of the server). Communicating with the presentation layer through web services also makes the presentation independent of the platform, so in future we can easily add, for example, a mobile client that uses the existing web services. The database is placed on a separate server for the same reasons, and it too should accept connections only from the BL server's address. One caveat: an IP restriction is a network-level control, not authentication. A compromised presentation server can still call the BL services, so the BL layer must still authenticate its caller and validate every input it receives. If you implement this scheme, you will do a great deal to improve the security of your application.

Figure 1: Three-layer architecture

The next step is improving security with SSL.

By default all requests use plain HTTP, which is not secure: all traffic is sent in clear text, so anyone on the network path between the browser and the server can "listen" and collect passwords, session cookies and the financial data itself. To prevent this we use SSL (TLS), which encrypts the channel between the browser and the server and lets the browser verify that it is talking to the real server. When you configure SSL in IIS, you will notice three settings for client certificates:

  • Ignore client certificate;
  • Accept client certificate;
  • Require client certificate.

With "Ignore client certificate", the channel is encrypted and the server is authenticated to the browser, but anyone can send a request to the server. This setting is right for login forms and other forms where users send sensitive information, because the user is authenticated afterwards with a password. If you choose "Accept client certificate", the server asks for a certificate but does not deny access when none is provided, so the application has to decide what to do with callers that present nothing. With "Require client certificate", the user must present a certificate that chains to a certification authority the server trusts, or the user receives an error. The "Require" option covers two issues at once: only users holding a valid client certificate can reach the application, and you know who is working with the server, because the certificate (its subject or thumbprint) identifies the user and can be written to the log together with the user's actions. Two caveats apply. First, "valid" means only that the certificate chains to a trusted CA and is within its validity period; the application (or IIS client certificate mapping) must still map the certificate to a specific user account. Second, revocation checking should be enabled so that a lost or stolen certificate can be cut off. We use the same client-certificate SSL between our own servers to protect the channels between our applications.
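As an added example (not code from the original article), the following ASP.NET HTTP module is a request gate for the business-logic web service. It applies, inside the application, both controls discussed above: the source-address restriction from the architecture section and the client-certificate requirement from this section, so the service refuses a caller that is not a known presentation server even if IIS itself is misconfigured. The IP address, the certificate thumbprint and the caller name are placeholders; the `Authorize` method, the `CallerGate` class and the `ctx.Items["Caller"]` key are names chosen here, not part of ASP.NET.

```csharp
// Added example, not from the original article: a request gate for the
// business-logic (BL) web service. It re-checks in code what IIS enforces with
// "Require client certificate" and applies the presentation-server IP
// restriction from the architecture section. All identifiers below
// (addresses, thumbprint, caller name) are hypothetical placeholders.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public sealed class CallerGate : IHttpModule
{
    // Hypothetical values; in a real deployment load them from configuration.
    // The thumbprint is the SHA-1 fingerprint of the certificate issued to the
    // presentation server (X509Certificate2.Thumbprint).
    private static readonly HashSet<string> AllowedSourceAddresses =
        new HashSet<string> { "10.0.1.20" };
    private static readonly Dictionary<string, string> CallerByThumbprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678", "presentation-server" }
        };

    // Pure decision logic, kept separate from ASP.NET so it can be unit-tested.
    // Returns the caller's name, or null with a reason when the request must be refused.
    public static string Authorize(bool isSecure, string remoteAddress,
                                   X509Certificate2 clientCert, out string reason)
    {
        reason = null;
        if (!isSecure)
        {
            reason = "request did not arrive over SSL/TLS";
            return null;
        }
        // remoteAddress is the TCP peer. If a reverse proxy sits in front of the
        // BL server this is the proxy, not the original client, and an
        // X-Forwarded-For header must NOT be trusted as a substitute.
        if (remoteAddress == null || !AllowedSourceAddresses.Contains(remoteAddress))
        {
            reason = "source address " + remoteAddress + " is not a presentation server";
            return null;
        }
        if (clientCert == null)
        {
            reason = "no client certificate presented";
            return null;
        }
        // Verify() builds the chain to a trusted root and, with the default chain
        // policy, checks revocation online. "Valid" alone is not identity: the
        // thumbprint lookup below is what maps the certificate to a known caller.
        if (!clientCert.Verify())
        {
            reason = "client certificate failed chain or revocation check";
            return null;
        }
        string caller;
        if (!CallerByThumbprint.TryGetValue(clientCert.Thumbprint ?? "", out caller))
        {
            reason = "certificate " + clientCert.Subject + " is not pinned for any caller";
            return null;
        }
        return caller;
    }

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            HttpClientCertificate presented = ctx.Request.ClientCertificate;
            X509Certificate2 cert = presented.IsPresent
                ? new X509Certificate2(presented.Certificate)
                : null;

            string reason;
            string caller = Authorize(ctx.Request.IsSecureConnection,
                                      ctx.Request.UserHostAddress, cert, out reason);
            if (caller == null)
            {
                // Record 'reason' in the server-side log (see the logging section);
                // the client gets a bare 403 and learns nothing about which check failed.
                ctx.Response.StatusCode = 403;
                ctx.ApplicationInstance.CompleteRequest();
                return;
            }
            ctx.Items["Caller"] = caller; // available to the service code for auditing
        };
    }

    public void Dispose() { }
}
```

The module is registered on the BL server in web.config under `<system.webServer><modules>` with `<add name="CallerGate" type="CallerGate" />`. The order of the checks matters: the cheap transport and address checks run before any certificate work, and a request that fails any check never reaches business logic.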

And the last step is logging.

You should log all important operations: authentication events, the number of login attempts, every write or edit of data, every read of sensitive data, server events, and so on. A correctly implemented log lets us detect attacks, diagnose errors and recover from attacks. I also suggest a mechanism for hashing log entries so that tampering with the log can be detected: if each entry's hash covers the previous entry's hash as well as its own content, an attacker who edits, deletes or reorders an entry breaks the chain from that point on. Note that a plain hash only makes tampering detectable, and an attacker who controls the server can simply recompute the hashes. To make that harder, compute the hash as an HMAC with a key the web server process cannot read, or ship the entries to a separate log server that adds the hashes, and never write secrets such as passwords or full card numbers into the log.
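As an added example (not code from the original article), the following C# class implements the hash-chained log described above, using HMAC-SHA256 so that a tag cannot be recomputed without the key. The key bytes and the three log entries are constructed for the demonstration; the class name, the tab-separated line format and the `FirstBrokenLine` verifier are choices made here, not an existing library API.

```csharp
// Added example, not from the original article: a tamper-evident log in which
// every entry carries an HMAC-SHA256 tag over the previous entry's tag, the
// timestamp and the message. Editing, deleting or reordering any entry breaks
// the chain from that line onward. The key and the entries are constructed for
// the demo; in production the key must live where the web server cannot read it.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class TamperEvidentLog
{
    // Tag of the "entry before the first"; the verifier starts from the same value.
    private const string GenesisTag =
        "0000000000000000000000000000000000000000000000000000000000000000";

    private readonly byte[] key;
    private readonly List<string> lines = new List<string>();
    private string previousTag = GenesisTag;

    public TamperEvidentLog(byte[] key) { this.key = key; }

    public List<string> Lines { get { return lines; } }

    public void Append(DateTime utc, string message)
    {
        string stamp = utc.ToString("o");
        // Keep the line format unambiguous: tabs and newlines are the separators.
        string safeMessage = message.Replace("\t", " ").Replace("\n", " ");
        string tag = ComputeTag(key, previousTag, stamp, safeMessage);
        lines.Add(stamp + "\t" + safeMessage + "\t" + tag);
        previousTag = tag;
    }

    // Returns the 1-based number of the first line whose tag does not verify, or 0
    // if the whole chain is intact. Cutting off the tail is the one edit this cannot
    // see, so record the latest tag (or the line count) off the box periodically.
    public static int FirstBrokenLine(byte[] key, IEnumerable<string> storedLines)
    {
        string prev = GenesisTag;
        int lineNumber = 0;
        foreach (string line in storedLines)
        {
            lineNumber++;
            string[] parts = line.Split('\t');
            if (parts.Length != 3) return lineNumber;
            string expected = ComputeTag(key, prev, parts[0], parts[1]);
            if (!FixedTimeEquals(expected, parts[2])) return lineNumber;
            prev = parts[2];
        }
        return 0;
    }

    private static string ComputeTag(byte[] key, string prev, string stamp, string message)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] data = Encoding.UTF8.GetBytes(prev + "\n" + stamp + "\n" + message);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Compare without short-circuiting so timing does not reveal how many characters match.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("demo-key-do-not-use-in-production"); // constructed
        var log = new TamperEvidentLog(key);
        log.Append(new DateTime(2012, 5, 2, 9, 0, 0, DateTimeKind.Utc), "login ok user=alice");
        log.Append(new DateTime(2012, 5, 2, 9, 1, 0, DateTimeKind.Utc), "transfer account=1001 amount=250.00");
        log.Append(new DateTime(2012, 5, 2, 9, 2, 0, DateTimeKind.Utc), "read statement account=1001");

        Console.WriteLine("untouched log, first broken line: " + FirstBrokenLine(key, log.Lines));

        // An attacker changes the amount on line 2 without knowing the key.
        var edited = new List<string>(log.Lines);
        edited[1] = edited[1].Replace("250.00", "25000.00");
        Console.WriteLine("edited line 2, first broken line: " + FirstBrokenLine(key, edited));

        // An attacker deletes line 2; the old line 3 now fails because its tag
        // was chained to the deleted entry's tag.
        var deleted = new List<string>(log.Lines);
        deleted.RemoveAt(1);
        Console.WriteLine("deleted line 2, first broken line: " + FirstBrokenLine(key, deleted));
    }
}
```

Running the demo reports 0 for the untouched log and 2 for both the edited copy and the copy with line 2 removed: the verifier stops at the first entry whose tag no longer matches the chain. The same `FirstBrokenLine` check can run on a separate machine that holds the key and a copy of the log, which is where it belongs if the web server itself is the thing you suspect.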

In this article we have reviewed some mechanisms for designing a secure application. If you follow these rules while developing your application, you will certainly increase its security.

Industries and Technology Areas:

Industries: finance, banking, investment management, asset management

Technology Areas: software development, ASP.NET, SSL, three-layer architecture, https

