Building ironclad data security for M&A solution leader
In the mergers and acquisitions (M&A) world, everything at the desk must be clear and secure across the entire deal process. That is why [REDACTED], a leading SaaS provider for the M&A industry, chose Cossack Labs for their ironclad data security.
[REDACTED] has a half-century history and sets a world-class standard for market leaders in deal data management. They used their extensive experience to revolutionize the M&A lifecycle with data security in mind.
Industry
M&A SaaS provider
VDR
Technology stack
iOS, Android native mobile apps
React Native apps
Azure cloud
Regulations
CCPA, GDPR
Internal security policies
Encryption Export Regulations
Challenges
Building state-of-the-art VDR security for online document storage and integrating it seamlessly into mobile apps.
The Customer has a rich virtual data room (VDR) service, which works as secure online storage for processing M&A documents and interacting with legal teams. Pioneering the trend of critical exchanges getting virtual and moving to the cloud, they created web and mobile applications to work with documents from anywhere in the world.
Adding a new application that works with sensitive data means adding new threat vectors and expanding attack surfaces. The Customer's team was looking for security engineers that could help build state-of-the-art document security and integrate it seamlessly into mobile apps, so they reached out to Cossack Labs.
Technology requirements
Mitigate mobile-specific threats
As mobile apps introduce new attack vectors, the implemented security measures should mitigate them and instil confidence in online deals for the Customer's users.
Follow constantly changing mobile security guidelines
Mobile app security controls should be in line with industry practice and be easy to maintain and update as the threat landscape changes.
Security that doesn't ruin UI/UX
Security measures should not break user experience for legitimate users, but render applications unusable for potentially malicious users.
Our approach
Prevent data leakage without affecting legitimate users
From the Customer's business perspective, the security goals were to prevent leakage and tampering of customers' sensitive data (documents, PII), unauthorized document access, and unauthorized access to functionality and accounts.
At the same time, from the perspective of the Customer's clients, the security measures should not interrupt legitimate access to the documents while keeping access to their sensitive data appropriately managed.
We had to cover challenges from both sides.
Improve security release-to-release
Understanding their risk posture and UX requirements, we introduced security measures one by one, steadily improving the application month by month.
Solution
We have shaped the SSDLC process, built numerous mobile-specific security controls, and aligned mobile app security with corporate security.
- Based on a risk and threat assessment, we aligned the mobile app security strategy with the Customer's Security Strategy and Information Security Policy.
- We set up a stable SSDLC process during which we built a data security layer and security defences against reverse engineering. We assisted in protecting the API and fixing vulnerabilities, provided ongoing security verification, tutored developers, and much more.
- Under our security guidance, the development team worked together with us on designing and implementing product features with security in mind, and security features with UX in mind.
- For extended data protection, we designed and implemented a cryptographic layer based on the free open-source cryptographic library Themis that provides a single API across programming languages while hiding cryptographic details under the hood.
- Aside from the relevant privacy, healthcare, and corporate regulations, the following security standards were applied: OWASP MASVS 1.3 L2, Apple platform security, Android app security best practices, US Encryption Export Regulations.
Additional relevant materials
Julia Mezher explains the secure architecture process and how to get developers engaged in SSDLC. The talk was presented at the Craft Conference.
Products and services involved
Themis, a cross-platform crypto library
Themis is a cross-platform, high-level, open-source cryptographic library. We used Themis as a building block for the cryptographic protocol, focusing on the data flow and performance while having the cryptography covered.
Mobile app security
We've designed & implemented numerous platform-specific security controls for mobile apps, including reverse-engineering protections and mobile device attestation, and the cryptographic layer for sensitive data protection.
Security advisory
We've built risk, threat and trust models, analysed and prioritised attack vectors, planned security controls and assisted with implementation and verification of controls.
Security engineering
We've recommended improvements in backend API security and aligned security measures across platforms.
Benefits
Cossack Labs' solution allowed the Customer to flexibly manage their development and business needs while maintaining a high security posture: adding and removing features, changing the technology stack from native platforms (iOS, Android) to React Native, and changing backend authentication technologies and API frameworks, while being sure that mobile app security stays at a high level and incorporates these changes.
Results and outcomes
During several years of engagement, and multiple rewrites of the app itself, we set up a stable SSDLC process during which we built many mobile-specific security controls, a data security layer, and security defences against reverse engineering; we also assisted in protecting the API and fixing vulnerabilities, provided ongoing security verification, tutored developers, and much more.
For extended data protection, we designed and implemented a cryptographic layer based on the free open-source cryptographic library Themis that provides a single API across programming languages while hiding cryptographic details under the hood.
Improve your system security using our solutions
We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.