Matomo

Building ironclad data security for VDR SaaS | Cossack Labs

πŸ‡ΊπŸ‡¦ We stand with Ukraine, and we stand for Ukraine. We offer free assessment and mitigation services to improve Ukrainian companies security resilience.

Cossack Labs
search
List of customer stories
Case M&A solution SaaS 2018 - 2021

Building ironclad data security for M&A solution leader

In the mergers and acquisitions (M&A) world, everything at the desk must be clear and secure across the entire deal process. That is why [REDACTED], a leading SaaS provider for the M&A industry, chose Cossack Labs for their ironclad data security.

[REDACTED] has a half-century history and sets a world-class standard for market leaders in deal data management. They used their extensive experience to revolutionize the M&A lifecycle with data security in mind.

Challenges Technology Our approach Solution Products Benefits Results

Industry

  • M&A SaaS provider

  • VDR

Technology stack

  • iOS, Android native mobile apps

  • React Native apps

  • Azure cloud

Regulations

  • CCPA, GDPR

  • Internal security policies

  • Encryption Export
    Regulations

Challenges

Building state-of-the-art VDR security for online document storage and integrating it seamlessly into mobile apps.

The Customer has a rich virtual data room (VDR) service, which works as secure online storage for processing M&A documents and interacting with legal teams. Pioneering the trend of critical exchanges getting virtual and moving to the cloud, they created web and mobile applications to work with documents from anywhere in the world.

Adding a new application that works with sensitive data means adding new threat vectors and expanding attack surfaces. The Customer's team was looking for security engineers that could help build state-of-the-art document security and integrate it seamlessly into mobile apps, so they reached out to Cossack Labs.

Technology requirements

Mitigate mobile-specific threats

As mobile apps introduce new attack vectors, implemented security measures should successfully mitigate them and instil confidence in online deals for Customers' users.

Follow constantly changing mobile security guidelines

Mobile apps security controls should be in line with industry practice, be easy to maintain and update in the changing threat landscape.

Security that doesn't ruin UI/UX

Security measures should not break user experience for legitimate users, but render applications unusable for potentially malicious users.

Our approach

Prevent data leakage without affecting legitimate users

From the Customer's business perspective, the security goals were to prevent leakage and tampering of customer's sensitive data (documents, PII), unauthorized document access, and getting unauthorized party access to functionality and accounts.

At the same time, from the Customer clients' perspective, the security measures shouldn't interrupt access to the documents while providing appropriately managed access to their sensitive data.

We had to cover challenges from both sides.

Improve security release-to-release

Understanding their risk posture and UX requirements, we were introducing security measures one by one, firmly improving the application month-by-month.

Solution

We have shaped the SSDLC process, built numerous mobile-specific security controls, and aligned mobile app security with corporate security.

  • Based on risks and threats assessment, we aligned mobile apps security strategy with the Customer's Security Strategy and Information Security Policy.
  • We have set up a stable SSDLC process during which we built data security layer and security defences against reverse-engineering. We assisted in protecting API and fixing vulnerabilities, provided ongoing security verification, tutored developers, and much more.
  • Under our security guidance, the development team worked together with us on designing, implementing product features with security in mind, and security features with UX in mind.
  • For extended data protection, we designed and implemented a cryptographic layer based on the free open-source cryptographic library Themis that provides a single API across programming languages while hiding cryptographic details under the hood.
  • Aside from the relevant privacy, healthcare, and corporate regulations, the following security standards were applied: OWASP MASVS 1.3 L2, Apple platform security, Android app security best practices, US Encryption Export Regulations.

Additional relevant materials

Julia Mezher explains the secure architecture process and how to get developers engaged in SSDLC. The talk was presented at the Craft Conference.

Products and services involved

Themis, a cross-platform crypto library

Themis, a cross-platform crypto library

Themis is a cross-platform high-level open-source cryptographic library. We used Themis as a building block for cryptographic protocol, focusing on the data flow and performance while having cryptography covered.

Read moreThemis, a cross-platform crypto library
Mobile app security

Mobile app security

We've designed & implemented numerous platform-specific security controls for mobile apps, including reverse-engineering protections and mobile device attestation, and the cryptographic layer for sensitive data protection.

Read moreMobile app security
Security advisory

Security advisory

We've built risk, threat and trust models, analysed and prioritised attack vectors, planned security controls and assisted with implementation and verification of controls.

Read moreSecurity advisory
Security engineering

Security engineering

We've recommended improvements in backend API security and aligned security measures across platforms.

Read moreSecurity engineering

Benefits

Cossack Labs' solution allowed the Customer to flexibly manage their development and business needs while maintaining a high-security posture: adding and removing features; changing technological stack from native platforms (iOS, Android) to React Native platform; changing backend authentication technologies and API frameworks, while being sure that mobile app security stays on a high level and incorporates these changes.

Results and outcomes

During several years of engagement, and multiple rewrites of the app itself, we have set up a stable SSDLC process during which we built many mobile-specific security controls, data security layer, security defences against reverse-engineering, assisted in protecting API and fixing vulnerabilities, provided ongoing security verification, tutored developers, and much more.

For extended data protection, we designed and implemented a cryptographic layer based on the free open-source cryptographic library Themis that provides a single API across programming languages while hiding cryptographic details under the hood.

Improve your system security using our solutions

We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.

Other customer stories

Protecting telemetry data of power grids
Protecting telemetry data of power grids Critical infrastructure

Industrial

Protecting telemetry data of power grids

Protecting data signals transmitted over the air between power distribution stations and central dispatch system.

Read story
All customer stories

Contact us

Get whitepaper

Apply for the position

Our team will review your resume and provide feedback
within 5 business days

Thank you!
We’ve received your request and will respond soon.
Your resume has been sent!
Our team will review your resume and provide feedback
within 5 business days