loyalBe replaces dumb paper loyalty cards with a single smartphone application. Due to our frictionless technology, we don't require consumers to take out their phone at the Point of Sale to earn rewards. They simply pay with their linked bank card and receive rewards seamlessly.

-www.loyalbe.io

Seeking to undertake a deep investigation of its cloud environment through AWS, and web and mobile apps, LoyalBe tasked Vertical Structure with penetration testing.

“We needed robust cloud scanning, to ensure we were complying with requirements of how an AWS application should look,” says Cormac Quinn, founder of LoyalBe. “We wanted the highest standard of testing.”

That included LoyalBe’s:

1. Backend API
2. iOS app
3. Android app
4. Web customer portal

In addition to penetration testing, Vertical Structure also helped LoyalBe undertake an information security gap analysis – which helped LoyalBe to obtain Cyber Essentials certification.

Simon Whittaker, co-founder and cyber security director of Vertical Structure, says: “After testing, it was clear that security had been at the top of LoyalBe’s agenda, in designing and building the app.”

LoyalBe is a pioneer in a growing fin-tech industry that uses open banking APIs. In LoyalBe’s case, the API connects not just to customer details like name and address, it also connects to transactional data – meaning that security is absolutely paramount.

“Sometimes people assume that if you’re a startup, it means you’re not taking security very seriously. That was the exact opposite of my mentality,” says Cormac. “It takes so long to build consumer trust, and rightly so. For LoyalBe to succeed, we needed to be absolutely sure of our security credentials.

“We selected Vertical Structure because they have proven, certified experience of working in the cloud. It was paramount to have an external third party – that’s their bread and butter. It gives us confidence when they say, ‘You’ve built a good system with some brilliant defences’.”

What is security by design?

There were several things that LoyalBe took into consideration when designing the app:

• Architecture – The architecture was reviewed on an ongoing basis by security consultants as it was being built
• Features – every time a new feature is added, LoyalBe makes sure there are limited or no vectors for attack
• Different access levels – The lowest level privileges are given as default, and users are only given the privileges they need
• Regular security testing – Testing is never done; it’s viewed as a continual process
• Security first – People talk about “Moving fast and breaking things.” LoyalBe’s motto is: “Move fast and secure things”
• When first getting started, set up an account as an administrator account – but also immediately open another account with lower access privileges. “For example, an account that can access S3 buckets only.”

The unique security needs of an AWS infrastructure

In Cormac’s opinion, AWS suits their needs the better than other cloud service providers. He said that LoyalBe uses Amazon’s managed services, benefitting from all the security updates that are pushed by AWS.

However, the Shared Responsibility Model still stipulates that providers need to look after their own security testing and maintenance – not everything is on the part of the cloud services provider.

Pitfalls to avoid in building a secure app

Cormac has some tips for others creating a secure application. “You can leave things open without meaning to – the default isn’t always to lock everything down. This is something to watch,” he advises.

“It’s so important to understand what you’re doing. That’s why I always tapped up consultants from outside, such as Vertical Structure, to help.

He points out one specific security pitfall in AWS:

Simon Whittaker explains this further: “In the past, some of the defaults applied by cloud providers, including AWS, were less secure than they should be. AWS works hard to make changes to improve security, but anyone who set up services in AWS should double check this. In general, just because something is in the cloud, doesn’t mean that it’s 100% secure.”

“We always help companies to work with the AWS Shared Responsibility Framework – this helps them understand the difference between security of the cloud and security in the cloud.”

Cormac concludes: “We had a great experience with Vertical Structure and would definitely recommend Simon and his team to any startup.”

Where to educate yourself

AWS has produced some helpful documentation, including its Well-Architected Framework whitepaper. It gives best practices, and describes the steps to get there.

Visit this page on our website to learn more about security penetration testing.