Security is an important but often neglected issue for early stage startups. Resources are frequently tied up in development, iterations, marketing and growth, rather than building a secure infrastructure.
Placing a low priority on security issues is especially concerning where money is involved. As a FinTech platform, you must convince your customers, your partners, banks and regulators that your platform is secure.
Over the next few blog posts I’ll be sharing some security insights that I’ve learned over the years, with an emphasis on FinTech platform specific issues.
Before I begin, we all need to accept an unfortunate truth: No one can guarantee 100% security. An example of this is the recent DDOS attack on Dyn. Major websites like Spotify, Netflix and Github were brought to their knees by an attack on one of their service providers. Unless you’ve built everything in house, from servers to DNS, and you don’t use any external services or infrastructure, you’re vulnerable.
That being said, we can and should focus on the things we can control, namely: our code and configurations. For everything else, we’ll just have to trust that we’ve done our best in selecting the most secure service provider possible.
Everything I know about security boils down to two things:
- Don’t trust user input
- Make sure everything is properly configured (and updated!)
Don't Trust User Input
Really, though. Don’t trust user input. You never know who is on the other side. It could be a valid user, but it could also be a highly trained HTTP magician who can extract sensitive information or inject anything into request headers.
Every few years, OWASP (the Open Web Application Security Project) releases a list of the 10 Most Critical Web Application Security Risks. If you’re not familiar with OWASP, they’re an online community of the most talented good guys involved in security. An update is slated for 2017, so let's go over the most current list, which was released in 2013:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Did you notice that seven of these top ten vulnerabilities can be exploited by a user’s malicious inputs alone?! These include Injection, Broken Authentication and Session Management, XSS, IDOR, Missing Function Level Access Control, CSRF and Unvalidated Redirects.
You don’t have to reinvent the wheel when implementing input validation. Frameworks like Django or RoR come with built-in tools to mitigate your risk. Simply fire off a few of their functions and you’re off to a good start.
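To make the "don't trust user input" rule concrete, here is an added example (not code from the original post, and not a Synapse or Django function) covering three of the input-driven risks above in plain Python: an injection-prone query beside its parameterized form (A1), output escaping for XSS (A3), and a redirect-target check for A10, plus a strict money-amount parser since this is a FinTech context. The in-memory ledger, the `app.example.test` host and the sample rows are constructed for the demo.

```python
import html
import sqlite3
from decimal import Decimal, InvalidOperation
from urllib.parse import urlparse

# Hosts that a post-login redirect may point to. Constructed for this example;
# a real platform would load this from its settings.
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}


def make_db():
    """Build a constructed in-memory ledger so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", "100.00"), ("bob", "50.00")],
    )
    conn.commit()
    return conn


def lookup_balance_unsafe(conn, owner):
    """A1 Injection, the vulnerable pattern: user input spliced into the SQL text."""
    query = "SELECT balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def lookup_balance(conn, owner):
    """A1 Injection, hardened: a parameterized query. The driver passes `owner`
    as a value, so quotes or keywords inside it never become SQL."""
    return conn.execute(
        "SELECT balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def parse_amount(raw):
    """Parse a money amount strictly: finite, positive, at most two decimals.
    Floats are avoided on purpose; Decimal keeps cents exact."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive finite number")
    if amount.as_tuple().exponent < -2:
        raise ValueError("amount has more than two decimal places")
    return amount


def is_valid_amount(raw):
    """Boolean wrapper around parse_amount for callers that only need yes/no."""
    try:
        parse_amount(raw)
        return True
    except ValueError:
        return False


def render_owner(owner):
    """A3 XSS: escape untrusted text before it is interpolated into HTML."""
    return '<span class="owner">' + html.escape(owner, quote=True) + "</span>"


def safe_redirect_target(raw_url, default="/dashboard"):
    """A10 Unvalidated redirects: accept only a local path or an allow-listed
    https host; anything else falls back to `default`."""
    if not raw_url or "\\" in raw_url:
        # Some browsers rewrite backslashes to slashes, which would turn
        # "/\\evil.test" into a protocol-relative URL, so reject them outright.
        return default
    parsed = urlparse(raw_url)
    is_local_path = (
        parsed.scheme == "" and parsed.netloc == ""
        and raw_url.startswith("/") and not raw_url.startswith("//")
    )
    if is_local_path:
        return raw_url
    if parsed.scheme == "https" and parsed.netloc in ALLOWED_REDIRECT_HOSTS:
        return raw_url
    return default


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_balance_unsafe(conn, hostile))  # returns every row
    print("safe:  ", lookup_balance(conn, hostile))         # []
    print(render_owner('<img src=x onerror="alert(1)">'))
    print(safe_redirect_target("//evil.test/phish"))         # /dashboard
```

The framework tools the paragraph mentions do the same three things for you: Django's ORM parameterizes queries, its templates auto-escape by default, and its forms reject malformed numbers before your view ever sees them. The point of writing it out by hand is to see which property each one protects, so you notice when code steps outside the framework (raw SQL, `mark_safe`, a hand-built redirect) and loses it.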
Make sure everything is properly configured (and updated!)
In addition to validating user input, keeping configurations correct and software up to date is just as important as writing secure code. This brings us to the last three items on the OWASP Top-10 list: ‘Security Misconfiguration’, ‘Sensitive Data Exposure’ and ‘Using Components with Known Vulnerabilities’.
If exposing your server versions and names (in response headers or 404 pages) doesn’t sound like a security issue, do a Google search for “Metasploit Framework”. There are tons of publicly available CVE (Common Vulnerabilities and Exposures) entries, and a disclosed version number is all an attacker needs to look up the ones that apply to you.
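A quick way to catch this in your own deployment is to audit the raw response a server sends for a missing page. The following is an added example, not code from the original post or from Synapse: it parses an HTTP response, flags banner headers that carry a version or name the stack, reports security headers a hardened deployment should send, and scans the 404 body for the kind of signature line default error pages embed. Both sample responses are constructed for the demo; the header names and fixes referred to are real.

```python
import re

# Constructed sample responses, written the way a scanner or `curl -i` would
# see them. Neither comes from a real server.
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
    "<address>Apache/2.4.7 (Ubuntu) Server at example.test Port 80</address>\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
)

# Headers that commonly carry product and version banners.
BANNER_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
)
# Headers a hardened deployment should send on every response.
REQUIRED_HEADERS = ("strict-transport-security", "x-content-type-options", "x-frame-options")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?")
# Product/version strings that server-generated error pages tend to embed.
BODY_BANNER_RE = re.compile(r"\b(?:Apache|nginx|PHP|IIS|Tomcat|Express)/\d[\w.\-]*", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value!r}")
        elif name != "server":
            # Even without a version, X-Powered-By and friends name the stack.
            findings.append(f"{name} names the technology stack: {value!r}")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    banner = BODY_BANNER_RE.search(body)
    if banner:
        findings.append(f"error page body embeds a server banner: {banner.group(0)!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for finding in audit_response(raw) or ["no findings"]:
            print("  -", finding)
```

The fixes for what this check reports live in server configuration rather than application code: `ServerTokens Prod` and `ServerSignature Off` for Apache httpd, `server_tokens off;` for nginx, and `expose_php = Off` in php.ini remove the banners above. Run the audit against a path that does not exist, not just the home page, because the default 404 and 500 templates are where the signatures usually survive.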
At Synapse we provide free security audits for the OWASP Top-10 as part of our onboarding process for new platforms and while maintaining existing customer accounts. We do this because it’s the right thing to do -- not only for your platform, but also for the protection of end-user data. While this does not guarantee 100% security, it does prevent many commonly identified security vulnerabilities. If you are one of our customers and have questions about your security audit, don’t hesitate to reach out to us.
1. OWASP Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10
2. 2016 Dyn cyberattack: https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
3. CVE: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
4. PHP security: http://php.net/manual/en/security.php
5. Django security: https://docs.djangoproject.com/en/1.10/topics/security/