Łukasz Bobrek (lukasz.bobrek@securing.pl)
Financial Applications Features - Security Guidelines (FAFSG) is a set of two FREE checklists that provide guidelines on the security features you can implement to make your mobile app more secure. It is intended both for ongoing development of new applications and for improving existing ones.
The project is based on the current state of banking applications, but keep in mind that FAFSG is not a technical standard. It does not cover implementation guidelines or the quality of the proposed features. For such guidelines, please refer to OWASP ASVS for web applications and OWASP MASVS for mobile applications.
Objectives
The goal of FAFSG is to help developers, architects, reviewers and vendors make security decisions so that essential security features are implemented in financial applications. These features help to protect users' data and increase the overall security of the application.
Use cases
You can use the FAFSG checklist in multiple ways:
- As a starting point for the application design phase.
- As a measure of application security and maturity.
- As a formal security features list for third parties developing the application for you.
- To point out areas which need further development with regard to security.
The entire checklist follows a form similar to the OWASP Application Security Verification Standard v4.0. Every category has a brief description of its control objectives and a list of security feature verification requirements.
Key areas that have been included:
Web applications
- V1: Authentication
- V2: Authorization
- V3: Session Management
- V4: Credentials quality
- V5: Payment cards
- V6: Limits
- V7: Notifications
- V8: Contact
Mobile applications
- V1: Authentication
- V2: Authorization
- V3: Session Management
- V4: Credentials Quality
- V5: Payment cards
- V6: Limits
- V7: Notifications
- V8: Contact
- V8: Mobile platform
Contribution ❤️
All kinds of suggestions and requests are highly appreciated! If you want to improve the project in any way, please contact me on LinkedIn or Twitter. Also, pull requests are more than welcome!
Special thanks 👏
- jakubkaluzny for support, review and some ideas for checks
- pkurylowicz for support and some ideas for checks
- serhanwbahar for the first PR, with a quick fix for broken links
License
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.