Yalantis
Works
Automated cybersecurity ecosystem for an traditional US-based bank

Automated cybersecurity ecosystem

Learn how we developed an automated cybersecurity ecosystem to detect and eliminate software security vulnerabilities for a banking institution that later evolved into a universal cybersecurity solution.

industry

FinTech
Country

USA
team size

6 IT experts
Implementation

3 months

About the client

Our client is a traditional US-based bank that was expanding their online presence to attract more customers. They wanted to implement new functionality and expand the range of financial services available in their customer service software.

Business context

The company hired us to develop new web and mobile banking applications because the old versions were technically unstable. They couldn’t withstand high loads caused by the increasing number of consumer financial transactions.

We assessed the client’s existing applications and found that they were vulnerable to external attacks, putting customers’ personal and financial information at risk. After communicating the issue to the client, they asked us to ensure a secure software development process to:

reduce the number of security vulnerabilities in the new software
prevent data breaches and cyber attacks
reduce post-release expenses on addressing security issues

Solution overview

We established a secure software development lifecycle (S-SDLC). Our security approach evolved into a cybersecurity ecosystem for automated detection and management of software vulnerabilities.

The ecosystem is integrated into the client’s CI/CD pipeline, allowing for automated security control checks. In the event that a vulnerability is identified, the system automatically creates a Jira ticket for further action.
Implementing security controls

Security controls integrated into our S-SDLC allowed us to detect vulnerabilities early and release secure software at the production stage.

Security testing included:
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Infrastructure as code (IaC) security scanning
Vulnerability scanning included:
- Detecting unintentional commits of secrets (keys, passwords, tokens, SSNs)
- Dependency scanning
- Docker image scanning
Security audits included:
- Cloud security audits
- Kubernetes (K8s) security audits
Security ecosystem architecture

Our ecosystem architecture included five main elements:

1. Implementation of the CI/CD pipeline

Implementing CI/CD allows our client to optimize costs and upgrade their product’s security layer by incorporating security controls for code merging. This decreases the risk of deploying code with security vulnerabilities.

2. Vulnerability orchestration module on AWS Lambda

We built a security module and deployed it on AWS Lambda to automate the creation of Jira tickets with all necessary information about vulnerabilities, security vulnerabilities analysis and management, as well as notifications.

3. Storage and processing on AWS

After executing a specific job like SAST, the artifacts (output results) are saved in an AWS S3 bucket. This allows us to have a history of files, upload as many files as we need, and separate projects by folders. The results of such scanning are processed by AWS Lambda, which is triggered by the creation event.

4. Jira tickets creation

The created ecosystem supports functionality for creating and managing tickets with a description and location of each vulnerability, its threat level, and tags with a project name and scanner tool.

5. Notifications via Slack

Users get Slack notifications about newly created vulnerabilities and their severity.

Value delivered

Together with our client, we achieved the following results:

Customization. Our solution is easily customizable for any project and industry and can be integrated into diverse business procedures.
Cost-efficiency. Similar out-of-the-box solutions may cost around $100 per developer per month, while our solution doesn’t require any monthly or annual fees. Additionally, it features automated vulnerability detection, an optimized S-SDLC, and expert input for implementing the proper system protection. If a client decides to opt for ready-made software, they would have to pay extra for these services.
Scalability. We chose industry-proven technologies and tools that helped us develop a flexible security ecosystem that can scale in the future and won’t require much additional reconfiguration.