Company
Nomis Solutions, San Francisco, United States
Project
Banks consume the APIs provided by Nomis to offer personalized rates for personal lending, deposits and residential mortgages to their customers. Nomis was looking for a robust security solution to prevent unauthorized access to those APIs and to prevent web application attacks.
Technology Stack
- JSON Web Token (JWT)
- Security Assertion Markup Language (SAML)
- Node.js
- MongoDB
- API Security, Design and Development
Goals
- Enhance API security with an ability to test and deploy faster.
- Fix the existing security vulnerabilities related to access control, missing error handling, data exposure on the browser console, plaintext passwords and others.
- Implement SAML integration to standardise authentication of bank employees across multiple Service Providers.
- Lead the team of engineers, train them, perform code reviews and federate the knowledge on web application security.
The Approach
- Introduced and implemented JSON Web Token (JWT) to authenticate APIs exposed to the Banks.
- Implemented authentication via SAML (Security Assertion Markup Language) integration and configured the Deal Manager web application as a Service Provider.
- Worked with the banks to identify all use cases and the respective workflows for each API.
- Re-designed and refactored legacy code for the bank mortgage feature.
- Created learning materials in the form of videos and detailed design documentation to build awareness within the team on web application security.
- Collaborated with remote teams and performed code reviews for team members.
- Worked with an external penetration testing vendor and fixed the bugs it reported. Prevented the exposure of data via the browser console, which had been logging sensitive information.
- Introduced role-based access to the application, and added restrictive MongoDB queries to prevent data attacks.
The Results
- Introduced and implemented a robust security solution for Nomis.
- Two Nomis customers renewed their 3-year contracts, which resulted in a revenue increase for the company.