How Stash Is Keeping Its Platform Secure Amid the Drive for Integration
- 10.11.2022 02:15 am
Digital financial transactions are rapidly becoming the norm. In the US, some 78 percent of consumers prefer to bank digitally, and financial institutions have to cope with this shift. Not only do they need to offer digital channels, but they must also offer users frictionless experiences.
To deliver on these expectations, app startups and established institutions alike have to embrace fintech infrastructure best practices and find ways to integrate with other services. These integrations are often powered by application programming interfaces (APIs). Through APIs, services can exchange and process data in the background, saving users the trouble of switching between apps or constantly providing information, and allowing fintech platforms to remain the sole touchpoint for transactions.
While this makes things convenient for users, the use of APIs brings security challenges for companies. To authenticate users and machines, APIs require using “secrets,” which include credentials, keys, and certificates. If managed incorrectly, each secret can become a security vulnerability. This should concern fintech ventures, since finance organizations remain among the top cyberattack targets.
Trading and investing platform Stash is one such organization that uses APIs extensively, tapping into services like Mastercard and Stride Bank to enable payments and banking functionalities in its app. To keep these interactions secure, Stash utilizes unified secrets management through its security partner, Akeyless.
Examining how Stash accomplishes this should provide insights to other fintech ventures on how to apply this practice for securing their own integrations.
The Surge of Fintech API Use
In recent years we’ve witnessed a wide scale adoption of APIs. In the pre-API era, connecting disparate systems was tedious and required extensive development work. APIs make it easier for product teams to automate interactions and exchange of data between apps and servers.
Any platform can develop an API to open its services to others. Third-party apps that wish to integrate their services simply need to follow the API's documentation and acquire a secret to gain access to a service’s data and functionalities.
Almost any digital platform that works with financial information and processes transactions uses APIs. For example, ecommerce merchants link their online stores to payment APIs for their checkout mechanisms. Accounting departments use banking APIs to conduct financial transactions and monitor cash flow.
However, the sensitive nature of financial use cases makes security a real focal point in fintech API use. APIs aim to be fully secured, but any system can have weak points, and careless use of secrets can expose vulnerabilities for various reasons.
First is the nature of secrets. They are used to validate access. Should a secret be compromised, malicious actors can gain access to the system it is supposed to safeguard. Second is the sheer number of secrets that are in play. Hundreds of API connections can link various machines, platforms and services in a single organization's infrastructure.
Finally, misconfigurations can happen, which can lead to security flaws. Machines can be given persistent access and elevated privileges inadvertently. Certificates used by servers can be left to expire, effectively killing integrations. Developers who don’t know better might even hard-code secrets into their apps, allowing malicious actors to discover and exploit them.
Secrets, naturally, bear the risk of being compromised, and the danger expands in situations where product teams focus on a high volume of rapid rollouts.
“As you grow your software development team, your engineering teams, more and more secrets are going to come into play,” explains Stash CISO Gavin Grisamore, speaking to the need for secrets management in fintech app development. “It allows us to scale and grow the engineering team more efficiently. We have hundreds of engineers, and we need to produce product quickly.”
How Stash Applies Secrets Management
APIs are at the center of Stash’s operation. Not only does the app have to integrate with other financial services, but it also uses various tools and services for its internal development.
Despite its numerous integrations and rapid development cycles, Stash has been able to keep its platform secure through its partnership with Akeyless. Using the platform, Stash has centralized its use of credentials, keys, and certificates, managing its comprehensive inventory through a unified vault. The secrets are secured by a patented encryption technology called Distributed Fragments Cryptography (DFC) that makes it virtually impossible for anyone aside from Stash to see the data, staying true to Zero Trust cybersecurity standards.
Akeyless's privileged access capabilities make it easy to implement just-in-time security. API access is generated on-demand and with only the privileges needed by a user or machine to perform a specified task. Access is set to expire automatically once the task has been completed. This ensures that no standing access is left active for too long to be compromised. Through these mechanisms, Stash has been able to streamline its operations and prevent issues like misconfigurations.
By adopting a unified secrets management, Stash is able to secure its integrations and allow its users a highly secure experience. Recently, the company launched Stash Core, a new infrastructure platform that allows Stash to expand into other financial services like card services, savings, and lending by integrating with services like Marqeta, Mambu, and Alloy. Such an expansion would have been hard to implement securely without centralizing and automating the issuing of credentials and access management.
Integrations Are the Future
APIs are set to remain a vital aspect of the financial ecosystem in the foreseeable future. By leveraging interoperability, fintech ventures can enrich their products and services.
Exploring partnerships with other service providers can help ventures create more useful use cases that deliver better value to customers. As such, fintech platforms should expect to deal with more integrations moving forward.
But to manage this, fintech platforms would do well adopting the necessary measures to secure how they use APIs. Doing so will enable them to explore more features without worrying about secrets becoming vulnerabilities.