As with any FinTech application, cybersecurity is of paramount importance, especially with the risk of cybercrime on the rise.
We have partnered with Entersoft Information System, one of the best security firms in the region, to help us plan our application's security.
We follow the security guide and protocols put in place by OWASP. This helps us cover the following cybersecurity risks:
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Source code review is the best method of detecting if applications are vulnerable to injections. Preventing injection requires keeping data separate from commands and queries.
The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws.
Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” A secure design can still have implementation defects leading to vulnerabilities that may be exploited.
Without a concerted, repeatable application security configuration process, systems are at a higher risk. Secure installation processes are implemented among other measures.
An ongoing plan covers monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio. A patch management process is implemented.
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. This covers a wide range of measures, including implementing multi-factor authentication and server-side security.
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. To prevent that, mechanisms and processes are implemented to monitor data transit.
This is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response can occur and are surveyed.
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected.