Skip to main content

Stashfin Security / IAM / APIs

Security

External + processes

Followed - AAA - Authentication, Authorization and Audit with best practices

  • Cloudflare WAF + fixing all our own APIs that were getting blocked because of using unsafe practices like non-escaped inputs, unsanitized inputs, etc
  • Regular VAPT tests and fixing each vulnerability, scheduled the reports monthly, so in monthly hackathons, whole team can address multiple vulnerabilities in one sitting
  • Regularly and automated rotating all keys
  • Service mesh + Cloudflare for monitoring all APIs and status codes

Internal

  • Added private VPN and blocked all internet traffic coming from outside to internal applications, added openvpn for developers to access internal resources and jump server to access internal compute instances
  • Eventually moved to zero trust access, between applications too, where each application will have it’s own api keys to access another application.
  • Centralized internal IAM for internal users’ applications access using keycloak for devops resources and django-admin for other applications
  • Using groups for permissions and adding users to groups instead of individual permissions
  • Immutable audit logs for all changes
  • No access to production databases
  • Rate limits for ddos protection in open public client APIs

Immutable Logs for Audit

stashfin-immutable-audit-logs

Authorization

stashfin-authorization

Postman implementation and documentation of all APIs

Stashfin Partners API

stashfin-screenshot

stashfin-screenshot

API Testing

stashfin-screenshot

WebView Implementations

WebView inside Apps

  • Customer support
  • Payments
  • New products
    • referral
    • brand ambassador program
    • stashearn

stasfin-screenshot

stashfin-screenshot

stashfin-screenshot