Given that BitCoin is still in its infancy, many of the stock exchanges are being run by inexperienced coders or business types with no real online financial experience... and as such are putting the entire community at risk.
Therefore, what I am proposing is that the BitCoin community draft together a set of agreed security standards and best practices that all trusted exchanges should adhere to.
As an example of Web Standards, the basics would be:

Web Application Requirements
- Website to be tested to ensure SQL injections (including truncation attacks) do not exist
- Website to be tested to ensure XSS injections do not exist
- Website to be tested to ensure XPATH injections do not exist
- Website to be tested to ensure CSRF vulnerabilities do not exist
- All transactional functionality should be undertaken with HTTP POST using CSRF nonces
- Any and all interaction with the database should be done using either stored procedures or prepared statements
HTTP Response Header Requirements
- All cookies to have the "HttpOnly" and "Secure" attributes
- HTTP headers should not include the server OS version
- HTTP headers should not include the web server version
- HTTP headers must include an X-Frame-Options directive
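To make the web application and header requirements above concrete, here is an added example (not code from the original post, and not any exchange's real code). It assumes a tiny constructed `users` table in an in-memory SQLite database, a dict standing in for the server-side session, and a `handle_withdraw` endpoint name; all of those are assumptions made for the example. It shows a string-spliced query beside its prepared-statement replacement, a per-session CSRF nonce that is only honoured on POST, and a response header set that carries HttpOnly/Secure cookies and X-Frame-Options while omitting any Server or X-Powered-By banner:

```python
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory schema with two sample accounts (assumption: the
    post names no schema; this one exists only so the example can run)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, balance_btc REAL)"
    )
    db.executemany(
        "INSERT INTO users (name, balance_btc) VALUES (?, ?)",
        [("alice", 5.0), ("bob", 2.5)],
    )
    db.commit()
    return db


def balance_unsafe(db, name):
    """The pattern the post wants tested out of existence: user input is
    spliced into the SQL text, so a crafted name rewrites the WHERE clause."""
    row = db.execute(
        "SELECT balance_btc FROM users WHERE name = '" + name + "'"
    ).fetchone()
    return row[0] if row else None


def balance_safe(db, name):
    """Prepared (parameterised) statement: the driver passes the value apart
    from the query text, so the same crafted name is just an unknown user."""
    row = db.execute(
        "SELECT balance_btc FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def issue_csrf_nonce(session):
    """Per-session CSRF nonce, embedded in the form and checked on every POST."""
    nonce = secrets.token_urlsafe(32)
    session["csrf_nonce"] = nonce
    return nonce


def csrf_ok(session, method, submitted):
    """Transactional requests must be POST and carry the session's nonce.
    The comparison is constant-time so the nonce cannot be guessed byte by byte."""
    if method != "POST":
        return False
    expected = session.get("csrf_nonce")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def security_headers(session_id):
    """Response headers the post calls for. There is deliberately no Server or
    X-Powered-By entry, so no OS or web server version is advertised."""
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; Path=/",
        "X-Frame-Options": "DENY",
    }


def leaks_server_version(headers):
    """Audit helper: does a captured response header map carry a version banner?"""
    return any(k.lower() in ("server", "x-powered-by") for k in headers)


def handle_withdraw(db, session, method, form):
    """Transactional endpoint: POST only, CSRF nonce required, parameterised SQL.
    The balance check and debit happen in one statement, so a concurrent request
    cannot race the read. Returns (status, message)."""
    if not csrf_ok(session, method, form.get("csrf_nonce")):
        return 403, "csrf check failed"
    try:
        amount = float(form["amount"])
    except (KeyError, ValueError):
        return 400, "bad amount"
    if not amount > 0:  # also rejects NaN
        return 400, "bad amount"
    cur = db.execute(
        "UPDATE users SET balance_btc = balance_btc - ? "
        "WHERE name = ? AND balance_btc >= ?",
        (amount, session["user"], amount),
    )
    db.commit()
    if cur.rowcount != 1:
        return 400, "insufficient funds"
    return 200, "ok"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("spliced query:", balance_unsafe(db, crafted))  # leaks the first row
    print("prepared stmt:", balance_safe(db, crafted))    # no such user
    session = {"user": "alice"}
    nonce = issue_csrf_nonce(session)
    print(handle_withdraw(db, session, "GET", {"csrf_nonce": nonce, "amount": "1"}))
    print(handle_withdraw(db, session, "POST", {"csrf_nonce": nonce, "amount": "1"}))
```

The point of the two `balance_*` functions is the test the post asks for: feed both the same `x' OR '1'='1` and the spliced version hands back the first account's balance while the prepared statement returns nothing.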
Data Storage and Analysis Requirements
- All passwords should be stored using a one-way hash with a unique salt per user (salt to be a minimum of 128 bits)
- Where database analysis is required, the data should be purged of all PII prior to being delivered to the auditor
- Database users with permissions should be limited to the web application only
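The password storage and PII purge requirements, as an added example that is not part of the original post. It realises "one-way with a unique salt per user" with PBKDF2-HMAC-SHA256 from the standard library, a fresh 16-byte (128-bit) salt per record, and a self-describing record format; the iteration count and the list of PII column names are assumptions, since the post fixes neither:

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: the post sets no count; tune to your hardware
SALT_BYTES = 16        # 128 bits, the post's stated minimum


def hash_password(password):
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per call means two users with the same password get
    different records, so one precomputed table cannot crack a whole dump."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time. Malformed records verify as False, never raise."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def salt_bits(record):
    """Audit helper: how many bits of salt does a stored record carry?"""
    return len(bytes.fromhex(record.split("$")[2])) * 8


# Assumption: the post does not enumerate PII columns; these are illustrative.
PII_FIELDS = {"name", "email", "address", "phone"}


def purge_pii(rows):
    """Strip PII columns before a table copy leaves the exchange for analysis,
    keeping only the transactional fields an auditor actually needs."""
    return [{k: v for k, v in row.items() if k not in PII_FIELDS} for row in rows]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
    print(purge_pii([{"name": "alice", "email": "a@example.com", "balance_btc": 5.0}]))
```

Storing the algorithm and iteration count inside the record is what lets an exchange raise the work factor later: old records keep verifying with their own parameters and can be rehashed on the user's next successful login.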
Finally, this list isn't exhaustive but only a start, so it would be good to get others' feedback.
btw: Sorry about being stuck in the newb section but alas such is life.
Note: Not here for the MT Gox bashing, it will achieve nothing. Let's talk about the future instead.
Edit:
Another good idea to discuss is the limit that can be transferred daily/hourly.
For instance, setting a maximum dollar amount to transfer out is pointless as you can simply crash the price and pull out. Perhaps a better idea would be to set volume limits instead?
BitCoin Transfer Requirements
- Maximum Daily Transfer Limit - Currency: $1000
- Maximum Daily Transfer Limit - BitCoins: 1000
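An added example of the per-unit daily limit (not code from the original post): a rolling 24-hour limiter that tracks currency and coin withdrawals separately, using the post's figures of $1000 and 1000 BTC. Keeping the coin cap in coins is what defeats the "crash the price and pull out" route the post describes, which the `crashed_price_scenario` function below illustrates. The class is assumed to be one instance per user, fed a server-side timestamp:

```python
from collections import deque
from dataclasses import dataclass, field

DAY = 24 * 60 * 60


@dataclass
class WithdrawalLimiter:
    """Rolling 24-hour withdrawal caps kept per unit (one instance per user).
    A dollar cap alone can be gamed by driving the price down; counting BTC
    as BTC means the coin cap holds whatever the order book says."""
    max_currency_per_day: float = 1000.0   # the post's figure: $1000
    max_btc_per_day: float = 1000.0        # the post's figure: 1000 BTC
    window_seconds: int = DAY
    _log: deque = field(default_factory=deque)  # (timestamp, unit, amount), oldest first

    def used(self, unit, now):
        """Amount already withdrawn in `unit` during the window ending at `now`.
        Entries are appended in time order, so expiry is a pop from the left."""
        while self._log and now - self._log[0][0] >= self.window_seconds:
            self._log.popleft()
        return sum(amount for _, u, amount in self._log if u == unit)

    def allow(self, unit, amount, now):
        """Record and permit the withdrawal if it stays under the unit's cap.
        `now` must be a server-side timestamp (assumption: never client-supplied)."""
        if unit not in ("USD", "BTC") or not amount > 0:
            return False
        cap = self.max_currency_per_day if unit == "USD" else self.max_btc_per_day
        if self.used(unit, now) + amount > cap:
            return False
        self._log.append((now, unit, amount))
        return True


def crashed_price_scenario(price_usd=0.01):
    """Why a dollar-only cap fails: at a marked-down price of $0.01 a $1000 cap
    would cover 100,000 BTC. The separate coin cap still stops at 1000 BTC.
    Returns (coins the dollar cap would have allowed, whether the coin cap let it through)."""
    limiter = WithdrawalLimiter()
    coins_under_dollar_cap = limiter.max_currency_per_day / price_usd
    return coins_under_dollar_cap, limiter.allow("BTC", coins_under_dollar_cap, now=0)


if __name__ == "__main__":
    lim = WithdrawalLimiter()
    print(lim.allow("USD", 600, now=0), lim.allow("USD", 500, now=10))   # True False
    print(lim.allow("BTC", 999.5, now=20), lim.allow("BTC", 1, now=30))  # True False
    print(crashed_price_scenario())
```

Hourly limits, which the post also mentions, are the same structure with `window_seconds=3600` and smaller caps; a deployment would run both limiters and require both to pass.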
To sum it all up, BANK LEVEL SECURITY. No bullshit "25 letter passwords".
Take my money and STFU.