Technical Discovery and Analysis of a Fintech Platform
Lineate partnered with Crescendo, a global asset management investment firm, to conduct a technical assessment of an investment opportunity: a fintech company specializing in logistics and supply chain. The scope of our analysis involved evaluating the software architecture, infrastructure, and code quality of the fintech web platform, with a strong emphasis on security.
- Cloud and Application Security
- Cloud and Application Security
Crescendo was on the verge of making a major investment in a fintech company but needed a technical audit to identify any risks, particularly in terms of software architecture, infrastructure, and security. Crescendo lacked the internal technical staff for this task, which prompted them to collaborate with us to conduct the analysis.
Approach and Solution
During our analysis, we thoroughly examined six key areas: infrastructure, software architecture, code quality, data structure, client API, and continuous integration and deployment. To present our findings in a clear and accessible manner, we grouped them into three distinct categories:
- Positive feedback - Findings that serve as recognition of areas where the system or processes are already performing well and meet recommended standards
Need attention - Areas that have room for improvement but are not considered critical issues
- Critical issue - High priority issues that pose significant risks or impact the system's stability, security, or functionality, and which need immediate attention
At Lineate, we prioritize security as a standard practice, and our thorough analysis uncovered several critical issues that required attention. Our high-level concerns included the following:
Coexistence of production and lower environments on the same infrastructure and without proper security boundaries
Lack of security audit tools within the continuous integration pipeline
Outdated software dependencies
More specifically, we identified the following issues:
Production secrets in code repositories were being hardcoded without encryption
The identity server had reached the end-of-life (EOL) stage
In addition to our analysis, we used Snyk to conduct a security scan of the project code repositories.
The scan reports included vulnerability breakdowns by code repository, level of severity, and links to the affected files. To ensure ongoing security and minimize the risk of introducing new vulnerabilities, we recommended integrating vulnerability testing as part of the code-build pipeline. There are several paid and open source solutions we use to perform code dependency checks, container image checks, and static analysis. Among these solutions are Snyk, Veracode, Twistlock, SonarQube, Dependency-Track, OWASP Dependency-Check, Anchor, and Trivy. We recommend including solutions like these in any build process.
In response to these and other findings, we devised a set of actionable recommendations to effectively address each issue.
High-level recommendations that align with our standard best practices:
Establish separate private networks and dedicated compute resources for production and lower environments.
Incorporate security audits into the continuous integration pipeline so that vulnerable code is prevented from being deployed.
Institute dependency management practices.
Other specific recommendations:
Consider enforcing the use of TLS 1.2 instead of more vulnerable versions, like TLS 1.0 and TLS 1.1, to ensure secure communication.
Restrict access to application database servers within the internal network to mitigate the risk of brute-force attacks.
Use secure vaults for secret management and regularly rotate secrets to minimize the impact of potential breaches.
Implement CSRF token validation for relevant APIs to prevent request forgery attacks.
Pin existing versions of all dependencies to ensure that known vulnerabilities are not inadvertently introduced into newer versions.
Enhance form input validation by constraining input to the application domain to prevent malicious input from compromising the system's security.
During our analysis, we thoroughly examined various aspects of the platform and identified several noteworthy findings.
On the software architecture side, we discovered that the platform was designed in a way that requires a separate environment for each customer integration. This design choice was made to accommodate the unique nature of integrations for each partner, ensuring data isolation and integration specificity. However, in this type of design, as the number of customers grows, the maintenance of these separate environments becomes increasingly challenging. Unless these integrations were meant to result in completely different business workflows and user experiences, we strongly recommended unifying the architecture and software design to embrace multi-tenancy.
Furthermore, our analysis explored infrastructure costs, where we discovered instances of unused or oversized resources. This finding presented an opportunity for potential savings through optimizing resource allocation and eliminating unnecessary expenses.
Regarding performance and scalability, we observed that services were distributed across different regions. To enhance efficiency and reduce network latencies between services, we recommended consolidating workloads and resources within the same region. This approach would contribute to improved performance and scalability across the platform.
In the production environment, we noticed that the cluster was running on a single node. While this configuration may be acceptable for lower environments, it is crucial for production environments to have enough nodes to ensure high availability. We recommended starting with at least three nodes to facilitate leader selection in the event of machine or zone failures.
The platform runs on Azure. The backend is written using C# .NET. The frontend is a mix of angular 8 for the admin portal, and Typescript and React 16 for the customer self-serving SaaS platform. The backend consists of several services and workers that process tasks such as sending emails, dunning, and payment processing. Services are managed and provisioned via Phoesion Glow, a .NET cloud abstraction and service orchestration platform.
Based on the analysis conducted, the project yielded positive findings that resulted in an overall positive recommendation for the platform, with the caveat that certain critical areas require attention and should be addressed. The engagement was successfully concluded within the designated four-week time frame, and a final report was released. As a result, Crescendo was able to proceed with confidence in their investment decision.