Categories
Blog, Fintech

Introduction

In fintech, security is not a box you tick; it is the backbone of your company. Trust becomes your most critical commodity, because your product handles money, identity, or both. That is why Appricotsoft (a mature software development company in the fintech industry) builds security into the product's design from the first line of code rather than treating it as an afterthought.

Whether you build mobile banking apps, digital wallets, or payment gateway integrations, security must be continuous rather than reactive. This article outlines the steps of a Secure Software Development Lifecycle (Secure SDLC) tailored for fintech: how to run threat modeling, conduct code reviews, automate security scans, manage secrets, and prepare for an incident without causing panic.

Why an SDLC is Important in Fintech

Fintech companies are frequent targets for attackers. APIs can expose sensitive personal data; user credentials must be properly protected; and regulations such as PSD2, PCI DSS, and GDPR impose strict requirements.

The benefits of a Secure SDLC are:

  • You build security into your application from start to finish instead of bolting it on later;
  • You avoid the cost of reworking the application after a security issue or, worse, a privacy breach;
  • You satisfy compliance and audit requirements while still releasing quickly;
  • You build trust and confidence among your users, partners, and investors.

Investing in Secure SDLC: What Are Secure Development Life Cycles?

Appricotsoft uses the Unison Framework, an AI-first framework that prioritizes product discipline, transparency, and practical security from front to back.

1. Early Threat Modeling (Align + Plan Phases)

Before any code is written, we threat-model the application's likely attack vectors. The steps are:

  • Determine what data will be stored and how access to it will be controlled.
  • Determine what happens if someone tries to manipulate a transaction, e.g., forging a request to obtain payment information.

Through threat modeling, we can:

  • Understand our critical assets (payment details and KYC data).
  • Document the flow of information and possible compromise points.
  • Prepare initial mitigations by deciding which controls address each potential attack (e.g., encryption, rate limiting, API access controls).

Tools used in these early phases include the STRIDE threat modeling framework, whiteboard threat modeling sessions, and collaborative risk assessment with stakeholders.
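The STRIDE pass described above, as an added example that is not Appricotsoft's own model or tooling. It applies Microsoft's standard STRIDE-per-element mapping (which threat classes apply to external entities, processes, data stores and data flows) to a small constructed payment data-flow model, only enumerates flows that cross a trust boundary or carry sensitive data, and attaches a candidate mitigation from the article's own list. The element names, trust zones and the threat-to-mitigation mapping are assumptions for illustration.

```python
"""Added example: STRIDE-per-element over a constructed payment data-flow model."""
from __future__ import annotations
from dataclasses import dataclass

# STRIDE-per-element applicability (Microsoft's standard mapping)
STRIDE_FOR = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
THREAT_NAME = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# Candidate mitigations drawn from the article's list; the mapping is an assumption
MITIGATION = {
    "S": "authenticate the caller (API access controls)",
    "T": "integrity-protect and validate the request (TLS, signed payloads)",
    "R": "append-only audit log of the transaction",
    "I": "encrypt in transit and at rest; minimise data returned",
    "D": "rate-limit and bound request size",
    "E": "enforce server-side authorization per transaction",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    carries: frozenset  # data classes on the wire, e.g. {"PAN", "KYC"}


def crosses_boundary(f: Flow) -> bool:
    return f.src.zone != f.dst.zone


def threats_for(kind: str) -> list[str]:
    return list(STRIDE_FOR[kind])


def model_threats(elements, flows, sensitive=("PAN", "KYC", "credentials")):
    """Return (target, threat, mitigation, why) tuples. Flows are enumerated only when
    they cross a trust boundary or carry sensitive data; other flows are residual risk."""
    findings = []
    for e in elements:
        for code in threats_for(e.kind):
            findings.append((e.name, THREAT_NAME[code], MITIGATION[code], f"{e.kind} element"))
    for f in flows:
        sens = sorted(set(f.carries) & set(sensitive))
        if not (crosses_boundary(f) or sens):
            continue
        why = []
        if crosses_boundary(f):
            why.append(f"crosses {f.src.zone}->{f.dst.zone}")
        if sens:
            why.append("carries " + ",".join(sens))
        for code in threats_for("flow"):
            findings.append((f.name, THREAT_NAME[code], MITIGATION[code], "; ".join(why)))
    return findings


def build_sample_model():
    """Constructed sample: mobile app -> payments API -> card store, plus an external gateway."""
    app = Element("MobileApp", "external", "internet")
    api = Element("PaymentsAPI", "process", "dmz")
    vault = Element("CardStore", "store", "core")
    gateway = Element("PaymentGateway", "external", "partner")
    flows = [
        Flow("authorize", app, api, frozenset({"credentials", "amount"})),
        Flow("tokenize", api, vault, frozenset({"PAN"})),
        Flow("capture", api, gateway, frozenset({"token", "amount"})),
        Flow("healthcheck", api, api, frozenset({"status"})),  # same zone, nothing sensitive
    ]
    return [app, api, vault, gateway], flows


if __name__ == "__main__":
    elems, flows = build_sample_model()
    for target, threat, mitigation, why in model_threats(elems, flows):
        print(f"{target:15} {threat:24} {why:30} -> {mitigation}")
```

The output is the starting point for the mitigation list in the section above, not the finished threat model: each row still needs an owner and a decision (mitigate, accept, or transfer) recorded next to it.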

2. Code Reviews and PR Protocols (Build Phase)

Appricotsoft developers use AI to speed up development, for example by suggesting code templates or quickly spotting low-hanging fruit. However, all AI-generated code goes through the same strict review process as any other code: every line is reviewed by a human.

When a developer opens a merge request, the code goes through the following process:

  • A senior developer performs the first manual review,
  • The code is checked against a secure-coding checklist (e.g., no hardcoded secrets, safe (de)serialization of untrusted input),
  • Nothing is merged without two approvals.

Tools used during the build phase include GitHub with CODEOWNERS and static checklists. When requested, deeper inspection is performed with SonarQube.

3. Automated SAST and DAST (Build + Validate)

SAST (static application security testing) analyzes source code for flaws such as SQL injection or cross-site scripting (XSS) before it ever runs, while DAST (dynamic application security testing) probes a running staging environment for vulnerabilities an attacker could exploit.

Integrating these scans into the CI/CD pipeline means:

  • Vulnerabilities are identified as soon as they are introduced
  • Developers fix them before the code reaches production
  • Security becomes part of the build rather than a bottleneck for it.

Popular options include Snyk, SonarCloud, OWASP ZAP, and GitHub Code Scanning.
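To make the SAST half concrete, here is an added example (not code from the page or from Appricotsoft) of the defect a SQL-injection rule flags, next to its parameterised fix. The table and rows are constructed in an in-memory SQLite database so it runs offline; a DAST tool would find the same flaw by sending the payload to the running endpoint rather than reading the source.

```python
"""Added example: a SAST-detectable SQL injection beside its hardened form."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, iban TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "DE00 0000 0001"), (2, "bob", "DE00 0000 0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # Deliberately unsafe: user input is concatenated into the statement.
    # This is the string-built SQL pattern that SAST rules (e.g. Bandit B608) match.
    sql = f"SELECT iban FROM accounts WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Parameterised query: the driver sends the value separately from the statement,
    # so quotes in the input are data, never SQL syntax.
    rows = conn.execute("SELECT iban FROM accounts WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"   # classic tautology payload
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every IBAN in the table
    print("safe:      ", lookup_safe(conn, payload))        # []
```

The tautology payload turns the vulnerable query into `WHERE owner = 'x' OR '1'='1'`, which matches every row; the parameterised version looks for an account literally owned by `x' OR '1'='1` and returns nothing.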

4. Dependency Scanning and Supply Chain Security

Most fintech applications are built on third-party libraries. Those libraries are a risk in their own right: a compromised dependency can expose the platform even when your own code has no flaws.

This is why we:

  • Use automatic tools for scanning libraries (e.g. Dependabot or Snyk)
  • Maintain an approved library list
  • Automatically block merge requests that add a library not on the approved list

Dependencies deserve particular attention in mobile banking applications built on open-source components and in payment gateway integrations.
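The merge-request gate from the list above, as an added example that is not Appricotsoft's tooling. It diffs the dependency manifest on the MR branch against the base branch and blocks any package that is new and either absent from the approved list, unpinned, or pinned to a version the list does not allow. Manifests are constructed strings in `requirements.txt` style; the approved list, the package `example-pad` and the `gate` helper are assumptions for illustration.

```python
"""Added example: block merge requests that introduce unapproved dependencies."""
from __future__ import annotations
import re
from dataclasses import dataclass

# name, then an optional exact pin; anything other than "==" counts as unpinned
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([^\s;#]+))?")


def parse_requirements(text: str) -> dict[str, str | None]:
    """Map normalised package name -> pinned version (None if unpinned)."""
    deps: dict[str, str | None] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options like -r
            continue
        m = REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower().replace("_", "-")] = m.group(2)
    return deps


@dataclass
class GateResult:
    blocked: list  # (package, reason)
    added: list    # packages new in this MR

    @property
    def ok(self) -> bool:
        return not self.blocked


def gate(base_manifest: str, mr_manifest: str, approved: dict[str, set | None]) -> GateResult:
    """approved: name -> set of allowed versions, or None meaning any pinned version."""
    base = parse_requirements(base_manifest)
    head = parse_requirements(mr_manifest)
    added = sorted(set(head) - set(base))
    blocked = []
    for name in added:
        version = head[name]
        if name not in approved:
            blocked.append((name, "not on approved list"))
        elif version is None:
            blocked.append((name, "unpinned version"))
        elif approved[name] is not None and version not in approved[name]:
            blocked.append((name, f"version {version} not approved"))
    return GateResult(blocked=blocked, added=added)


# Assumed approved list for the example
APPROVED: dict[str, set | None] = {
    "requests": {"2.32.3"},
    "cryptography": None,   # any pinned version; upgrades arrive via reviewed Dependabot PRs
    "pyjwt": {"2.9.0"},
}
# Constructed manifests: base branch vs. the merge request
BASE = "requests==2.32.3\ncryptography==43.0.1\n"
MR = """requests==2.32.3
cryptography==43.0.1
PyJWT==2.9.0        # approved at this version
example-pad         # hypothetical: new, unpinned and not on the list
"""

if __name__ == "__main__":
    result = gate(BASE, MR, APPROVED)
    for pkg, reason in result.blocked:
        print(f"BLOCK {pkg}: {reason}")
    raise SystemExit(0 if result.ok else 1)
```

In CI the script exits non-zero when anything is blocked, which fails the pipeline check on the merge request; adding a package to the approved list is itself a reviewed change to the repository, so the allowlist cannot be bypassed from the same MR that introduces the dependency unless a reviewer approves both.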

5. Securely Managing Secrets

If you have been storing API keys in a .env file and committing it to Git, that practice has to stop.

We have moved away from this by:

  • Using environment-scoped secret vaults (for example, AWS Secrets Manager or HashiCorp Vault)
  • Never putting secrets into source code
  • Adding pre-commit hooks that catch secrets before they leave the developer's machine

These practices reduce the number of places a credential can leak, especially in CI/CD environments.
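A pre-commit secret check of the kind listed above, which also backs the "no hardcoded secrets" item on the code-review checklist in section 2. This is an added example, not Appricotsoft's hook: it scans file contents for a small illustrative set of patterns (an AWS access key ID, a PEM private-key header, and a generic `api_key`/`secret`/`token`/`password` assignment) and uses Shannon entropy to ignore obvious placeholders such as `changeme`. The sample files and their contents are constructed; `AKIAIOSFODNN7EXAMPLE` is the example key from AWS's own documentation, and the `# pragma: allowlist secret` opt-out marker is an assumption.

```python
"""Added example: a pre-commit style scanner that rejects commits with hardcoded secrets."""
from __future__ import annotations
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, dictionary words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[tuple[str, int, str]]:
    """Return (path, line_no, rule) for each suspicious line. Generic assignments are only
    reported when the value looks random (entropy >= threshold), so placeholders stay quiet."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if "# pragma: allowlist secret" in line:   # explicit, reviewable opt-out (assumed marker)
            continue
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue
            findings.append((path, no, rule))
            break   # one finding per line is enough to block the commit
    return findings


# Constructed sample of what might be staged for commit
SAMPLE_FILES = {
    "settings.py": 'DEBUG = False\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\npassword = "changeme"\n',
    "client.py": 'API_KEY = "q7Hk2mZp9Xv4Lw8Rt3Yb6Nc1"\n',
    "tests/fixtures.py": 'token = "0123456789abcdef0123456789abcdef"  # pragma: allowlist secret\n',
    "README.md": "Set API_KEY via your secret manager, never in code.\n",
}


def run(files: dict[str, str] = SAMPLE_FILES) -> int:
    """Exit-code style result: 0 when clean, 1 when the commit must be rejected."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    for path, no, rule in findings:
        print(f"{path}:{no}: possible {rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(run())
```

To wire it up as a hook, feed `run()` the contents of the files listed by `git diff --cached --name-only` and let the non-zero exit abort the commit. The entropy threshold is a trade-off: lower it and you catch shorter keys at the cost of more false positives on ordinary string constants.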

6. Penetration Testing Before Launch (Validate Phase)

Penetration testing simulates real-world attacks against your environment and gives you confidence before you launch. At Appricotsoft, we:

  • Run both white-box and black-box penetration tests
  • Focus on authentication, session handling, payment flows, and API security
  • Engage third-party penetration testing partners for an independent result

Penetration testing is not a one-off gate that stalls a release; we review findings continuously across the release cycle and treat them as quality-gate criteria.

7. Incident Response Playbook (Launch + Grow Phases)

No system is perfect, so what matters is responding quickly and with clarity. Our incident response process relies on:

  • Defined playbooks for common threat types
  • An established war room in Slack or Teams
  • Pre-defined roles: triage, communication, and resolution
  • A post-mortem process that records what worked and what did not, so that similar incidents are avoided in future

We are transparent with our clients, knowing that trust is established through transparency.

A Culture of Quality & Security

Secure code is not magic; it comes from a culture of quality and from the habits that let us live our core values: make it awesome, own it, and keep it real.

At Appricotsoft, security starts with our engineering teams. Through our Unison delivery model, security is built into the development process and integrated into the workflow, rather than given a last mention in the final document. Our AI tooling supports every developer, but developers remain responsible for the outcome of their projects. Quality is built into the whole development lifecycle: every build we release has been validated, tested, and is demo-ready, and every developer is held to the same quality standard.

We do not micromanage. We do not delay security until “later.” We do the right thing to ensure security from the very beginning.


Related Reading

Choosing the Right Fintech Partner: What to look for when outsourcing fintech software development.

Audit Before You Pitch: Why technical due diligence can make or break your next funding round.

Final Thoughts: Security as a Competitive Advantage

When choosing a financial service, the greatest value lies in the trust that comes from a company's strong protection of customer data. Security increasingly shapes users' attitudes: not every user talks about it, but many can sense it. They expect a financial institution to be trustworthy, and they will often choose the competitor they perceive as more trustworthy.

Appricotsoft helps founders and fintech leaders build high-quality software that meets both their business needs and their security requirements. If you are developing a product or service that touches sensitive data, payment processing, or identity, we would be happy to discuss building it in a secure, fast, and reliable way.

👉 Request a quote for your software development today!!

Do you have an idea in mind?

Drop us a line and we will find the best way to execute your idea!
