Building ironclad data security for M&A solution leader

Customer overview

In the mergers and acquisitions (M&A) world, everything at the desk must be clear and secure across the entire deal process. That is why [REDACTED], a leading SaaS provider for the M&A industry, chose Cossack Labs for their ironclad data security.

[REDACTED] has a half-century history and sets a world-class standard for market leaders in deal data management. They used their extensive experience to revolutionize the M&A lifecycle with data security in mind.

Industry

  • M&A SaaS provider

  • VDR

Regulations

  • CCPA, GDPR

  • Internal security policies

  • Encryption Export Regulations

Technology stack

  • iOS, Android native mobile apps

  • React Native apps

  • Azure cloud

Challenges

Building state-of-the-art VDR security for online document storage and integrating it seamlessly into mobile apps.

The Customer has a rich virtual data room (VDR) service, which works as secure online storage for processing M&A documents and interacting with legal teams. Pioneering the trend of critical exchanges going virtual and moving to the cloud, they created web and mobile applications to work with documents from anywhere in the world.

Adding a new application that works with sensitive data means adding new threat vectors and expanding attack surfaces. The Customer’s team was looking for security engineers that could help build state-of-the-art document security and integrate it seamlessly into mobile apps, so they reached out to Cossack Labs.

Technology requirements

As mobile apps introduce new attack vectors, the implemented security measures should successfully mitigate them and instil confidence in online deals for the Customer's users.

Mobile app security controls should be in line with industry practice and be easy to maintain and update as the threat landscape changes.

Security measures should not break user experience for legitimate users, but render applications unusable for potentially malicious users.

Cossack Labs’ approach

From the Customer's business perspective, the security goals were to prevent leakage and tampering of users' sensitive data (documents, PII) and to prevent unauthorized parties from gaining access to functionality and accounts.

At the same time, from the Customer clients’ perspective, the security measures shouldn't interrupt access to the documents while providing appropriately managed access to their sensitive data.

We had to cover these challenges on both sides.

Bearing in mind their risk posture and UX requirements, we introduced security measures one by one, steadily improving the application month by month.

Cossack Labs' solution

We shaped the SSDLC process, built numerous mobile-specific security controls, and aligned mobile app security with corporate security.

Based on a risk and threat assessment, we aligned the mobile app security strategy with the Customer's Security Strategy and Information Security Policy.

We set up a stable SSDLC process during which we built a data security layer and security defences against reverse engineering. We assisted in protecting the API and fixing vulnerabilities, provided ongoing security verification, tutored developers, and much more.

Under our security guidance, the development team worked with us on designing and implementing product features with security in mind, and security features with UX in mind.

For extended data protection, we designed and implemented a cryptographic layer based on Themis, a free open-source cryptographic library that provides a single API across programming languages while hiding the cryptographic details under the hood.

Aside from the relevant privacy, healthcare, and corporate regulations, the following security standards were applied: OWASP MASVS 1.2 L2, Apple platform security, Android app security best practices, US Encryption Export Regulations.

Products and services involved

Security advisory

We’ve built risk, threat and trust models, analysed and prioritised attack vectors, planned security controls and assisted with implementation and verification of controls.

Security engineering

We recommended numerous platform-specific security controls for mobile apps, assisted in improving backend API security, and helped design the cryptographic layer for sensitive data protection.

Themis is a cross-platform, high-level, open-source cryptographic library. We used Themis as the building block for the cryptographic protocol, focusing on the data flow and performance while having the cryptography itself covered.

Results and outcomes

Cossack Labs' solution allowed the Customer to flexibly manage their development and business needs while maintaining a high security posture: adding and removing features, changing the technology stack from native platforms (iOS, Android) to React Native, and changing backend authentication technologies and API frameworks, while being sure that mobile app security stays at a high level and incorporates these changes.

Improve your system security using our solutions

We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.