Security in financial services is a fundamental component of the overall system. Given the total value of the assets managed by a financial institution, the cost of a failure in the system's security is very high.
An improperly designed system architecture, as well as insufficient source code and interface security, can cause a number of problems later on:
- Leaks of confidential user data;
- Database hacking;
- Legal issues.
SDK.finance provides a high level of security by following best practices when designing and programming the system components. During development, SDK.finance pays close attention to the security of the following components:
System architecture security:
- The interaction between the client and server components of the system is protected by a combination of traffic encryption (SSL with 256-bit encryption), data hashing algorithms (SHA-2), data packet signatures, and checksum verification.
- Additional encryption of sensitive customer data (cardholder data, personal account number, etc.) can be activated at the application level if necessary.
- Confidential data encryption in databases includes Transparent Data Encryption in Oracle databases. Both software and hardware solutions from the market leaders (Oracle, IBM, Amazon, etc.) are used.
- Firewalls, IDS (Intrusion Detection System), and load balancing are used.
- Software is deployed on PCI DSS certified cloud hosting provided by the world leader, Amazon Web Services (AWS).
- Regular penetration testing that imitates real attackers.
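The first item above combines an unkeyed hash (a checksum, which catches accidental corruption) with a keyed signature (which catches deliberate modification). The following added example, which is not SDK.finance code and assumes a constructed shared key and a JSON packet format of its own, shows why both are needed: a party who alters a packet can recompute the SHA-256 checksum, but cannot produce a valid HMAC-SHA256 signature without the key, so the receiver still rejects the packet.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed shared secret for this example only; a real deployment would
# provision per-client keys from a key store rather than hard-coding them.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(payload: dict) -> bytes:
    """Serialise the payload deterministically so sender and receiver hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_packet(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach a SHA-256 checksum (integrity) and an HMAC-SHA256 signature (authenticity)."""
    body = canonical(payload)
    return {
        "body": body.decode(),
        "checksum": hashlib.sha256(body).hexdigest(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_packet(packet: dict, key: bytes = SHARED_KEY) -> Tuple[bool, str]:
    """Return (ok, reason). The checksum is checked first, then the keyed signature.

    hmac.compare_digest is used for both comparisons so that verification time
    does not leak how many leading bytes of the expected value matched.
    """
    body = packet["body"].encode()
    expected_checksum = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(expected_checksum, packet["checksum"]):
        return False, "checksum mismatch (corrupted in transit)"
    expected_sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, packet["signature"]):
        return False, "signature mismatch (tampered or wrong key)"
    return True, "ok"


def altered_copy(packet: dict, new_payload: dict) -> dict:
    """Simulate modification in transit: the body is replaced and the unkeyed
    checksum recomputed, but the original signature is carried over unchanged
    because the modifying party does not hold the key."""
    body = canonical(new_payload)
    return {
        "body": body.decode(),
        "checksum": hashlib.sha256(body).hexdigest(),
        "signature": packet["signature"],
    }


if __name__ == "__main__":
    original = build_packet({"op": "transfer", "amount": 250, "to": "acc-1001"})
    print(verify_packet(original))                     # (True, 'ok')
    altered = altered_copy(original, {"op": "transfer", "amount": 250000, "to": "acc-1001"})
    print(verify_packet(altered))                      # signature mismatch
    print(verify_packet(original, key=b"other-key"))   # signature mismatch
```

The checksum alone would have accepted the altered packet, which is the practical reason a signature (or an authenticated encryption mode) is required on top of a transport layer such as SSL: it binds the message to a key the intermediary does not have.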
Source code security:
- The Java EE source code is checked with the OWASP LAPSE+ security scanner, JUnit tests, and the SonarQube code quality tool.
- Every transaction and operation in the system passes through risk management (identifying suspicious activity), limit management (checking operation limits), stop list (suspended accounts), black list (blocked accounts) and GeoIP (country restriction) checks.
- Third-party security solution vendors can be integrated for transaction scoring if required (MaxMind, etc.).
- An additional layer of security can be integrated into the IPA/APK of mobile apps on the iOS/Android platforms on request. This layer protects sensitive data against malicious software, operating system vulnerabilities and other types of attack.
- Authorisation in the system can be implemented using usernames and passwords, X.509 certificates, hardware tokens or OTP (one-time password) methods.
- Two-factor authentication.
- Strict separation of user access rights to sensitive information across the interfaces of the different system roles.
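The second item in the list above describes a chain of checks that every operation passes through. The following added example, which is not SDK.finance code, shows one way such a screening pipeline can be structured: each check records a failure reason, state (daily spend, recent operation timestamps) is updated only for accepted operations, and all reasons are returned together so that an analyst sees every rule an operation tripped. The account lists, limits, allowed countries and the tiny GeoIP table are constructed for the example (the table uses RFC 5737 documentation addresses and stands in for a provider database such as MaxMind); the risk rules (a large single amount and a per-account velocity threshold) are illustrative choices, not the product's rules.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    account: str
    amount_minor: int      # amount in minor units (e.g. cents) to avoid float rounding
    client_ip: str
    timestamp: int         # Unix seconds


# --- Constructed reference data: stand-ins for the real lists and feeds ---
STOP_LIST: Set[str] = {"acc-1002"}            # suspended accounts
BLACK_LIST: Set[str] = {"acc-1003"}           # blocked accounts
DAILY_LIMIT_MINOR: Dict[str, int] = {"acc-1001": 500_00, "acc-1004": 10_000_00}
DEFAULT_DAILY_LIMIT_MINOR = 100_00            # applied when an account has no explicit limit
ALLOWED_COUNTRIES: Set[str] = {"DE", "FR", "GB"}
GEOIP_TABLE = {                               # constructed; a real system queries a GeoIP provider
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
LARGE_AMOUNT_MINOR = 5_000_00                 # single operations at or above this are flagged
VELOCITY_WINDOW_S = 60                        # sliding window for the velocity rule
VELOCITY_MAX = 3                              # accepted operations allowed per window per account


def lookup_country(ip: str) -> str:
    """Map a client IP to a country code, or '??' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return "??"


class ScreeningEngine:
    def __init__(self) -> None:
        self.spent_today: Dict[str, int] = defaultdict(int)
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)

    def screen(self, tx: Transaction) -> List[str]:
        """Run every check and return the list of failure reasons (empty list == accepted)."""
        failures: List[str] = []

        # Black list and stop list: account-level blocks
        if tx.account in BLACK_LIST:
            failures.append("blacklist: account is blocked")
        if tx.account in STOP_LIST:
            failures.append("stoplist: account is suspended")

        # GeoIP: country restriction on the originating address
        country = lookup_country(tx.client_ip)
        if country not in ALLOWED_COUNTRIES:
            failures.append(f"geoip: country {country} not permitted")

        # Limit management: cumulative daily spend per account
        limit = DAILY_LIMIT_MINOR.get(tx.account, DEFAULT_DAILY_LIMIT_MINOR)
        if self.spent_today[tx.account] + tx.amount_minor > limit:
            failures.append("limit: daily limit exceeded")

        # Risk management: large single amount, and velocity over a sliding window
        if tx.amount_minor >= LARGE_AMOUNT_MINOR:
            failures.append("risk: unusually large amount")
        window = self.recent[tx.account]
        while window and tx.timestamp - window[0] > VELOCITY_WINDOW_S:
            window.popleft()                  # drop operations that fell out of the window
        if len(window) >= VELOCITY_MAX:
            failures.append("risk: velocity threshold exceeded")

        # Only accepted operations count towards spend and velocity state
        if not failures:
            self.spent_today[tx.account] += tx.amount_minor
            window.append(tx.timestamp)
        return failures


if __name__ == "__main__":
    engine = ScreeningEngine()
    sample = [
        Transaction("t1", "acc-1001", 200_00, "203.0.113.5", 1_700_000_000),   # accepted
        Transaction("t2", "acc-1003", 10_00, "203.0.113.5", 1_700_000_001),    # blacklisted
        Transaction("t3", "acc-1001", 400_00, "203.0.113.5", 1_700_000_002),   # over daily limit
        Transaction("t4", "acc-1001", 10_00, "198.51.100.7", 1_700_000_003),   # US not permitted
    ]
    for tx in sample:
        print(tx.tx_id, engine.screen(tx) or "accepted")
```

Ordering the cheap, deterministic list checks before the stateful ones keeps the pipeline simple to reason about, and returning every tripped rule rather than stopping at the first one gives the risk team the full picture when reviewing a rejected operation.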