Securing Open Banking with Model-View-Controller Architecture and OWASP
Wireless Communications and Mobile Computing (IF 2.146), Pub Date: 2021-09-21, DOI: 10.1155/2021/8028073
Deina Kellezi, Christian Boegelund, Weizhi Meng
In 2015, the European Union passed the PSD2 regulation with the aim of giving the private person, the account holder, control over who may access their bank account data. As a result, Open Banking has become an emerging concept that gives third-party financial service providers open access to bank APIs, including consumer banking, transaction, and other financial data. Such openness, however, may also introduce many security issues, especially when the data is exposed to a third party through an API. Focused on this challenge, the primary goal of this work is to develop an innovative web solution for the market. We advocate that the solution should be able to trigger transactions based on goals and actions, allowing users to save money while encouraging positive habits. In particular, we propose a solution with an architectural model that ensures a clear separation of concerns and easy integration with the Open Banking APIs (sandbox version) of Nordea, the largest bank in the Nordics, and a technology stack consisting of the Flask microframework, the Heroku cloud application platform, and a persistent data storage layer using Postgres. We analyze and map the web application's security threats and determine whether the technology stack can provide a suitable level of security, based on the OWASP Top 10 and a threat modelling methodology. The results indicate that many of these threats are either mitigated automatically by the components of the technology stack or are easily prevented with packages available for the Flask framework. Our findings can support future developers and industries working with web applications for Open Banking in improving security by choosing the right frameworks and considering the most important vulnerabilities.
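The abstract's point that an OWASP Top 10 threat is often decided by the stack rather than by application code is easiest to see with injection (OWASP A03). The example below is added here and is not code from the paper or from its web solution; it uses Python's stdlib sqlite3 module as a stand-in for the paper's Postgres layer, and the goals table, rows, and attack string are constructed for illustration. It places the anti-pattern (user input spliced into the statement text) beside the parameterized form that any DB-API driver, psycopg2 for Postgres included, provides.

```python
"""Added example, not from the paper: OWASP A03 (injection) on a savings-goal
lookup. sqlite3 stands in for the Postgres layer; data is constructed here."""
import sqlite3

# Constructed sample data: savings goals owned by two users.
_GOALS = [
    ("alice", "holiday", 500),
    ("alice", "bike", 300),
    ("bob", "laptop", 1200),
]


def make_db():
    """Build an in-memory database holding the constructed goals table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goals (owner TEXT, name TEXT, target INTEGER)")
    conn.executemany("INSERT INTO goals VALUES (?, ?, ?)", _GOALS)
    return conn


def goals_vulnerable(conn, owner, name):
    """Anti-pattern: the goal name typed by the user becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = (
        "SELECT owner, name, target FROM goals "
        f"WHERE owner = '{owner}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def goals_safe(conn, owner, name):
    """Parameterized query: the statement text is fixed and the driver binds
    the values separately, so the input can only ever be compared as data."""
    sql = "SELECT owner, name, target FROM goals WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


def demo():
    """Run an honest lookup and a tautology attack through both variants."""
    conn = make_db()
    # Constructed attack input: closes the quoted literal and appends OR '1'='1',
    # which turns the WHERE clause into (owner='alice' AND name='x') OR '1'='1'.
    payload = "x' OR '1'='1"
    return {
        "honest_vuln": goals_vulnerable(conn, "alice", "holiday"),
        "honest_safe": goals_safe(conn, "alice", "holiday"),
        "attack_vuln": goals_vulnerable(conn, "alice", payload),  # leaks every row
        "attack_safe": goals_safe(conn, "alice", payload),        # no such goal
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

Both functions return the same single row for an honest request; with the attack string the vulnerable variant returns all three rows, including another user's goal, while the parameterized variant returns nothing because the driver compares the whole string as a literal. Flask does not protect against this on its own; the protection comes from the data-access layer (the DB-API driver or an ORM such as SQLAlchemy), which is the kind of stack-level mitigation the abstract refers to.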

Updated: 2021-09-22