# Spike Security

When you're dealing with financial data, security is of the utmost concern.

Our infrastructure conforms to industry best practices: all communication is over HTTPS (with JWT authentication), data is encrypted at rest, and all servers are isolated within an AWS VPC. This security guide describes our architecture in depth and lists the independent audits we have passed. It is updated whenever we undertake new security measures.

# Independent Security audits

## Mobius Consulting

  • The summary of Mobius' findings was:

    Overall, the SpikeData web applications and APIs were found to have a robust security posture.

## Exocet Securities

  • The summary of Exocet's findings was:

    In our assessment this is a highly secure system with no readily apparent or exploitable security flaws.

  • Remedial action taken by Spike in response to Exocet's recommendations:

    • Implement 2FA for the sshd service
      • we have implemented 2FA on all our EC2 servers
      • a second-factor device must be present in order to ssh into a server; an ssh key alone is not sufficient
      • see EC2 instance security below for an example of how an ssh session commences
    • Implement the advised clickjacking countermeasure
    • Put measures in place to detect attack attempts and ban offending IPs
      • we have placed Cloudflare in front of all public services (app.spikedata.co.za & api-v6.spikedata.co.za)
      • this provides both performance benefits (CDN / caching) and security benefits (threat detection and DDoS protection)
      • the latest Cloudflare report (Feb 2020) is attached

# Spike API VPC design and security

Diagram: Spike Infrastructure

Highlights

  • all traffic between user/client apps and {app, whitelabel, api-v6}.spikedata.co.za is encrypted with TLS 1.3
  • there is only one publicly routable server, the load balancer; all other servers have private VPC addresses only
  • apart from the load balancer, the VPC is reachable only from the Spike office network
  • we use IAM policies to control which resources each developer account may access
  • the S3 stores are used for temporary storage of pdfs, csvs, and screenshots (web scraping); see private data management below
  • CloudWatch is used for logging by all lambda and web services. All requests and responses are sanitized by the Spike Shape System before they are logged, so that private information (such as passwords) never reaches a log. Every log stream has a retention period of at most one week.
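The sanitization step above is the part of this design a reviewer will want to see concretely, because a logger that writes raw request bodies defeats encryption in transit and at rest in a single line. The following is an added example written for this page, not Spike's Shape System or any code from the project: a redactor that masks known secret fields by key name wherever they occur in a request, masks JWT-shaped strings inside free-text values, and leaves everything else intact for debugging. The key list and the sample login request are assumptions constructed for the example.

```javascript
// Added example, not Spike's Shape System: scrub secrets out of a request before it
// reaches the logger. The key list and sample request are constructed assumptions.

// Field names whose values must never reach a log. Matched case-insensitively on the
// key alone, so nested objects (body.bank.accountNumber) are covered wherever they sit.
const SENSITIVE_KEYS = /^(password|passwd|pin|otp|secret|token|authorization|cookie|set-cookie|x-api-key|accountnumber|cardnumber)$/i;

// Credentials also hide inside free-text values ("Bearer eyJ..."), so mask anything
// shaped like a JWT (three base64url segments) regardless of which key holds it.
const JWT_RE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

const MAX_DEPTH = 32; // guard against pathological nesting

// Return a deep copy of `value` with sensitive fields replaced. The input is never
// mutated: the handler still needs the real password to authenticate the user.
function redact(value, seen = new Set(), depth = 0) {
  if (typeof value === 'string') return value.replace(JWT_RE, '[REDACTED-JWT]');
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[CIRCULAR]';
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  seen.add(value); // tracks the current path only, so shared (non-circular) refs are still copied
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redact(v, seen, depth + 1));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.test(key) ? '[REDACTED]' : redact(v, seen, depth + 1);
    }
  }
  seen.delete(value);
  return out;
}

// Build the single line a request logger would write: method and path in clear,
// headers and body passed through redact() first.
function requestLogLine(req) {
  return JSON.stringify({
    method: req.method,
    path: req.path,
    headers: redact(req.headers),
    body: redact(req.body),
  });
}

// Constructed sample login request (not captured traffic).
const sampleRequest = {
  method: 'POST',
  path: '/login',
  headers: {
    'content-type': 'application/json',
    authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlc2lnbmF0dXJl',
  },
  body: {
    username: 'alice',
    password: 'hunter2',
    bank: { accountNumber: '1234567890', branch: '250655' },
    note: 'retry with eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlc2lnbmF0dXJl',
  },
};

console.log(requestLogLine(sampleRequest));
```

Two properties matter in practice: the redactor returns a copy, so the handler still sees the real credentials, and it masks by key name at any depth rather than against a fixed schema, so a new nested field called `pin` is covered without a code change. The one-week retention limit above bounds the damage from anything the redactor misses; it does not replace it.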

# Private data management

Pdfs which fail to process are collected in the pdf-store for further analysis by Spike developers. We have internal error diagnostics tools that can inspect the error queue without needing direct access to the pdfs. In some cases it is possible to dismiss the error (and delete the pdf from the store) without further analysis (e.g. when junk pdfs are detected).

Pdfs that expose edge cases in existing parsers, as well as new, unsupported statement formats, must be downloaded to a development laptop for fault diagnosis and development. Once the pdfs have been resolved they are automatically deleted from developer laptops.

We have developed an extensive suite of automated unit tests, which lets us deploy fixes and new parsers with a rapid turnaround while preventing regressions. All tests must pass before a deployment can proceed.

The lambda-deleter removes resolved errors from the various S3 stores.

# Spike security best practices

EC2 instance security

  • limit the attack surface
    • limit publicly accessible services
    • most servers are not publicly accessible
    • we use IP filters to restrict access to Spike network IPs (+ VPC IPs)
  • IP security filters
    • all ports are closed except ssh & http(s)
  • ssh security
    • per-developer ssh keys + 2FA
    • example login session: ssh 2fa
  • OS security
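The remedial action for Exocet's recommendation (2FA on sshd) and the ssh security bullets above both come down to a handful of sshd_config directives, and a host on which one of them has drifted silently falls back to key-only login. The following is an added example, not Spike's tooling: a node script that audits an sshd_config (for instance one pulled from each EC2 host) for the settings that make public key plus second factor mandatory, and flags Match blocks that could relax the policy. Directive names and defaults are OpenSSH's; the sample configs are constructed for the example, and the PAM side (`auth required pam_google_authenticator.so` in `/etc/pam.d/sshd`) is assumed rather than shown.

```javascript
// Added example, not Spike's tooling: audit an sshd_config for the settings that make
// "ssh key AND second factor" mandatory. Directive names/defaults are OpenSSH's.

// Directives the check cares about, with OpenSSH's defaults when the line is absent.
// An absent line is not "off": PasswordAuthentication defaults to yes.
const DEFAULTS = {
  usepam: 'no',
  passwordauthentication: 'yes',
  kbdinteractiveauthentication: 'yes', // ChallengeResponseAuthentication before OpenSSH 8.7
  permitrootlogin: 'prohibit-password',
  authenticationmethods: 'any',
};

// Parse sshd_config text. Global directives keep their first occurrence (sshd ignores
// later duplicates). Lines under a Match block are collected separately, because a
// Match block can relax the global policy for particular users or source addresses.
function parseSshdConfig(text) {
  const globals = new Map();
  const matchOverrides = [];
  let currentMatch = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // commented-out lines do not count
    const [rawKey, ...rest] = line.split(/\s+/);
    let key = rawKey.toLowerCase();
    const value = rest.join(' ');
    if (key === 'match') { currentMatch = value; continue; }
    if (key === 'challengeresponseauthentication') key = 'kbdinteractiveauthentication';
    if (currentMatch !== null) matchOverrides.push({ match: currentMatch, key, value });
    else if (!globals.has(key)) globals.set(key, value);
  }
  return { globals, matchOverrides };
}

// Return a list of findings; an empty list means key + 2FA is enforced for everyone.
function checkSshd2fa(text) {
  const { globals, matchOverrides } = parseSshdConfig(text);
  const get = (k) => (globals.has(k) ? globals.get(k) : DEFAULTS[k]).toLowerCase();
  const findings = [];
  if (get('usepam') !== 'yes') findings.push('UsePAM must be yes so keyboard-interactive reaches the PAM 2FA module');
  if (get('kbdinteractiveauthentication') !== 'yes') findings.push('KbdInteractiveAuthentication (ChallengeResponseAuthentication) must be yes');
  if (get('passwordauthentication') !== 'no') findings.push('PasswordAuthentication must be no (absent means yes)');
  if (get('permitrootlogin') !== 'no') findings.push('PermitRootLogin should be no; log in as a named developer and use sudo');
  // AuthenticationMethods lists alternatives separated by spaces; each alternative is a
  // comma-separated sequence that must all succeed. Every alternative must contain both
  // factors, otherwise a key-only path exists.
  const alternatives = get('authenticationmethods').split(/\s+/).filter(Boolean);
  const twoFactor = (alt) => {
    const steps = alt.split(',');
    return steps.includes('publickey') && steps.includes('keyboard-interactive');
  };
  if (alternatives.length === 0 || !alternatives.every(twoFactor)) {
    findings.push('AuthenticationMethods must require publickey,keyboard-interactive in every alternative');
  }
  // A Match block touching any checked directive can undo the policy for the matched
  // users/addresses, so flag it for manual review rather than trusting it.
  for (const o of matchOverrides) {
    if (o.key in DEFAULTS) findings.push(`Match ${o.match} overrides ${o.key} (${o.value}); review whether 2FA still applies there`);
  }
  return findings;
}

// Constructed sample: a stock-looking config that leaves password login available and
// never requires the second factor. The commented-out line does not count.
const WEAK_CONFIG = `
PermitRootLogin no
PubkeyAuthentication yes
#PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
`;

// Constructed sample: key first, then PAM prompts for the TOTP code
// (assumes "auth required pam_google_authenticator.so" in /etc/pam.d/sshd, not shown).
const HARDENED_CONFIG = `
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
`;

// Same as hardened, but a Match block quietly relaxes the rule for one address range.
const RELAXED_CONFIG = HARDENED_CONFIG + `
Match Address 10.0.0.0/16
    AuthenticationMethods publickey
`;

for (const [name, cfg] of [['weak', WEAK_CONFIG], ['hardened', HARDENED_CONFIG], ['relaxed', RELAXED_CONFIG]]) {
  console.log(name, checkSshd2fa(cfg));
}
```

The two pitfalls the checker is built around are worth stating: an absent directive takes OpenSSH's default (so a config that never mentions PasswordAuthentication still allows passwords), and `AuthenticationMethods` with a space-separated second alternative such as `publickey` lets a key-only login through even though the first alternative demands both factors. Match blocks are reported rather than evaluated because their scope (users, groups, addresses) is exactly where a reviewer needs to decide whether an exception is acceptable.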

RDS & S3 security

  • Spike uses managed services for storage (S3) and databases (AWS Aurora)
  • AWS manages uptime, patching, and security updates of the underlying infrastructure, which is HIPAA eligible and PCI DSS compliant
  • Spike uses AWS IAM to grant individual developers permission to these resources as required

AWS lambda

  • Spike makes extensive use of AWS Lambda
  • Spike's lambda functions include pdf parsing, email attachment extraction and parsing, web scraping, and various internal cron jobs
  • Lambdas are by nature short-lived, single-invocation functions which open no network listening ports
  • Hence they are not exposed to the remote compromise of a long-running listening service; their remaining attack surface is the input they process (pdfs, email attachments, scraped pages) and the packages they bundle, which the testing and dependency policies on this page address
  • AWS Lambda is HIPAA eligible and in scope for AWS's PCI DSS compliance

General node.js software development security

  • Spike makes use of various open source packages from the npm registry
  • Spike regularly reviews the packages chosen by our developers and uses npm audit to keep abreast of security vulnerabilities in the packages we depend on.
    • our policy is to remove redundant, obsolete, and unmaintained packages (e.g. request has been replaced by axios)
    • we keep dependencies updated to the latest versions, except where an update would clash with another dependency's requirements (e.g. chalk 2)
    • we use a mono-repo so that all devDependencies are administered from a single location and dependency clashes are resolved more readily through the shared yarn.lock file
  • More generally, Spike keeps up to date with ECMAScript language changes in order to adopt emerging idiomatic best practices, and has ported most codebases to TypeScript to take advantage of static typing when managing larger codebases and teams.
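Running npm audit is only useful if its result can stop a deployment, and the practical difficulty is the advisory that has no fix yet (the policy above already accepts pinning chalk 2 for compatibility). The following is an added example, not Spike's CI: a deploy gate over an `npm audit --json` report (npm 7+ shape) that blocks on high or critical findings unless a reviewer has recorded an expiring acceptance for the specific advisory, and that clears a package whose finding is only inherited from an accepted dependency. The report, package names and advisory URLs are constructed for the example.

```javascript
// Added example, not Spike's CI: a deploy gate over `npm audit --json` output (npm 7+
// shape). Blocks on high/critical findings unless a reviewer recorded an expiring
// acceptance for the specific advisory. The report and names below are constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// `allowlist` maps package name -> [{ url, until, reason }], the audit trail a bare
// `npm audit --audit-level=high` does not keep. Acceptances past `until` are ignored.
function auditGate(report, { failAt = 'high', allowlist = {}, today = new Date() } = {}) {
  const vulns = report.vulnerabilities || {};
  const threshold = SEVERITY_RANK[failAt];

  // A package is accepted when every advisory on it is allowlisted and every vulnerable
  // dependency it inherits the finding from is itself accepted. In npm's report, `via`
  // mixes advisory objects (this package is vulnerable) with package-name strings
  // (it only depends on a vulnerable package).
  function isAccepted(name, trail = new Set()) {
    const vuln = vulns[name];
    if (!vuln || trail.has(name)) return false; // unknown package or (defensive) cyclic chain
    const live = (allowlist[name] || []).filter((a) => new Date(a.until) >= today).map((a) => a.url);
    return vuln.via.length > 0 && vuln.via.every((v) =>
      typeof v === 'object' ? live.includes(v.url) : isAccepted(v, new Set(trail).add(name)));
  }

  const blocking = [];
  const accepted = [];
  for (const [name, vuln] of Object.entries(vulns)) {
    if ((SEVERITY_RANK[vuln.severity] ?? 4) < threshold) continue; // unknown severity blocks
    const entry = { name, severity: vuln.severity, isDirect: vuln.isDirect, fixAvailable: vuln.fixAvailable };
    (isAccepted(name) ? accepted : blocking).push(entry);
  }
  return { ok: blocking.length === 0, blocking, accepted };
}

// Constructed report in the npm 7+ `npm audit --json` shape (not a real audit).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'critical', isDirect: false, fixAvailable: false, range: '<2.0.0',
      via: [{ source: 1001, name: 'example-parser', title: 'constructed advisory', url: 'https://example.invalid/advisories/1001', severity: 'critical', range: '<2.0.0' }],
    },
    'example-sdk': { // inherits the finding from example-parser
      name: 'example-sdk', severity: 'critical', isDirect: true, fixAvailable: false, range: '*',
      via: ['example-parser'],
    },
    'example-logger': {
      name: 'example-logger', severity: 'moderate', isDirect: true, fixAvailable: true, range: '<1.4.0',
      via: [{ source: 1002, name: 'example-logger', title: 'constructed advisory', url: 'https://example.invalid/advisories/1002', severity: 'moderate', range: '<1.4.0' }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 2, total: 3 } },
};

// Risk acceptance recorded by a reviewer; the expiry forces the decision to be revisited.
const acceptedAdvisories = {
  'example-parser': [{ url: 'https://example.invalid/advisories/1001', until: '2021-09-30', reason: 'no upstream fix; revisit next sprint' }],
};

const verdict = auditGate(sampleReport, { allowlist: acceptedAdvisories, today: new Date('2021-07-21') });
console.log(verdict.ok ? 'deploy may proceed' : 'deploy blocked', JSON.stringify(verdict));
```

Wired into the existing "all tests must pass" step, this runs as `npm audit --json | node audit-gate.js` and exits non-zero when `ok` is false. The acceptance list is keyed by advisory URL rather than by package, so a new advisory on an already-accepted package still blocks, and the expiry date keeps a temporary decision from becoming permanent by default.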

Developer machine antivirus

# Resources

Updated: 7/21/2021, 10:50:11 AM