Solving the Secure SDLC process at Varo

Viswanath Vachanala
Engineering @Varo
4 min read · Nov 4, 2022

Application Security has evolved dramatically over the last 10 years. In the past, organizations responded reactively to security issues as they were identified, triggering mitigation work whose duration depended on the vulnerability and its severity and could take hours, weeks, or even longer. Over time, proactive measures have become available to replace these risky reactive responses, and security, not just feature development, has been incorporated into the Software Development Life Cycle (SDLC) process.

SDLC processes with embedded security considerations generally follow a sequence that repeats with each release cycle:

  • Requirement phase: Security requirements / third-party tech evaluation
  • Design phase: Threat modeling / Secure Design Review
  • Implementation phase: Source Code Analysis and Static Application Security Testing (SAST)
  • Testing phase: Penetration Testing

Throughout the evolution of the SDLC, the role of Application Security has grown in importance as both the number of vulnerabilities and the consequences of leaving them unaddressed have increased. In 2021, the number of publicly reported vulnerabilities worldwide exceeded 20,000 for the first time. All of these trends were top of mind as Varo Bank was conceived with a security-first mentality designed to protect users’ data first and foremost.

Third-Party Evaluations and Internal Software Security Design Review

At Varo, that meant creating a security culture within the organization as well as across all of its external relationships. The security posture of a software product depends on both the organization’s internal teams and the third-party applications it relies on. Varo was fortunate to be built in a modern, platform-centric software development environment that used well-tested, proven third-party applications to address banking challenges with a minimal footprint.

Varo focuses on third-party tech evaluation by gauging the security controls and measures taken by each provider.

Some examples of what a third-party tech evaluation assesses:

  • Security controls on authentication
  • Security controls on authorization
  • Certificate-based authentication feasibility
  • Handling of Personally Identifiable Information or Non-Public Information

From a technical standpoint, a dedicated team of Infrastructure and Application Security engineers performs an evaluation before any contract is signed with a third party that will be entrusted with Varo’s customer data. Legal and privacy experts also evaluate the safety of contracting with each third-party vendor.

Additionally, Varo requires a Secure Design Review for every new feature introduced in a release. The development team and the feature owner walk through the change whenever an existing design is modified or a new design or integration is introduced. Varo’s Security team evaluates the design against the STRIDE threat categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) so that weaknesses are caught while they are still cheap to fix, rather than discovered later and handled reactively.

Third-Party Library Dependency Analysis

Apart from vendors, Varo closely evaluates the security of third-party dependencies such as software libraries. Historically, these generate a lot of noise from a security standpoint. Varo’s stack is built on Kotlin, Node, Python, and Java, each of which pulls in multiple layers of transitive third-party dependencies. Further, vendors introduce additional SDKs (Software Development Kits) when their features are integrated. Without tooling, it is difficult to keep an accurate Software Bill of Materials (SBOM) and to find secure versions of everything in it.

Snyk helps Varo address these challenges during the implementation phase for both internal code and third-party dependencies, so Varo can stay current on new security findings across all of its dependent libraries. Snyk draws on multiple vulnerability intelligence sources to stay ahead of the security big picture, which gives it the basis to scan the entire code base and provides a single dashboard for tracking and mitigating vulnerabilities across the organization. Varo has integrated Snyk in several ways:

  • Automating project scanning: Integration of Snyk into build pipelines to automate the scanning of each project across the organization.
  • Protecting the pipeline: The ability to block the pipeline when severe issues are found in the respective project.
  • Identifying new vulnerabilities: Using the Snyk CLI, projects are also scanned separately on a daily basis to see whether any new vulnerabilities have been disclosed against the existing code base, and fix tickets are generated automatically for developers.
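Here is an added example, not Varo’s or Snyk’s own code, of the gating and ticketing logic the list above describes, written in Python over the JSON that `snyk test --json` prints. The sample findings, the package names and the `SNYK-EXAMPLE-*` advisory identifiers are constructed for illustration; the assumed shape of the `upgradePath` field (root project first, fixed version of the vulnerable package last) is an assumption about the CLI’s output rather than something the post states.

```python
"""Pipeline gate and fix-ticket drafting over Snyk CLI JSON output.

Added example, not Varo's code. Produce the input in CI with
`snyk test --json --severity-threshold=high > snyk.json`; the sample
below is constructed and its advisory identifiers are made up.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like `snyk test --json` output. The identifiers
# SNYK-EXAMPLE-* and the package names are fake, for illustration only.
SAMPLE_SNYK_JSON = json.dumps({
    "ok": False,
    "projectName": "payments-service",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Remote Code Execution",
         "severity": "critical", "packageName": "example-web",
         "version": "5.3.17", "isUpgradable": True,
         "upgradePath": [False, "example-web@5.3.18"]},
        # Same advisory reached via a second dependency path: one ticket, not two.
        {"id": "SNYK-EXAMPLE-0001", "title": "Remote Code Execution",
         "severity": "critical", "packageName": "example-web",
         "version": "5.3.17", "isUpgradable": True,
         "upgradePath": [False, "example-other@2.0.0", "example-web@5.3.18"]},
        {"id": "SNYK-EXAMPLE-0002", "title": "Prototype Pollution",
         "severity": "medium", "packageName": "example-merge",
         "version": "1.0.0", "isUpgradable": False, "upgradePath": []},
        {"id": "SNYK-EXAMPLE-0003", "title": "Regular Expression Denial of Service",
         "severity": "high", "packageName": "example-regex",
         "version": "2.1.0", "isUpgradable": True,
         "upgradePath": [False, "example-regex@2.1.1"]},
    ],
})


def parse_findings(raw_json):
    """Return one record per distinct (advisory id, package, version).

    Snyk reports an advisory once per dependency path, so the raw list
    over-counts; dedupe before gating or ticketing.
    """
    data = json.loads(raw_json)
    findings = {}
    for v in data.get("vulnerabilities", []):
        key = (v["id"], v["packageName"], v["version"])
        if key in findings:
            continue
        fix = None
        if v.get("isUpgradable") and v.get("upgradePath"):
            # Assumption: the last element of upgradePath names the fixed
            # version of the vulnerable package itself.
            fix = v["upgradePath"][-1]
        findings[key] = {
            "id": v["id"], "title": v["title"], "severity": v["severity"],
            "package": v["packageName"], "version": v["version"], "fix": fix,
        }
    return list(findings.values())


def gate(findings, threshold="high"):
    """Pipeline gate: return (should_block, blocking_findings).

    Anything at or above the threshold fails the build. An unrecognised
    severity string is treated as blocking rather than silently passed.
    """
    floor = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], 99) >= floor]
    return bool(blocking), blocking


def new_findings(findings, known_ids):
    """Daily-scan mode: keep only advisories absent from the previous baseline."""
    return [f for f in findings if f["id"] not in known_ids]


def draft_tickets(findings, project):
    """Draft one fix ticket per finding, most severe first."""
    tickets = []
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 99)):
        action = (f"upgrade to {f['fix']}" if f["fix"]
                  else "no upgrade available: pin, patch, or replace the package")
        tickets.append({
            "summary": f"[{f['severity'].upper()}] {f['id']} in "
                       f"{f['package']}@{f['version']} ({project})",
            "description": f"{f['title']}. Remediation: {action}.",
            "severity": f["severity"],
        })
    return tickets


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_SNYK_JSON)
    blocked, _ = gate(findings, threshold="high")
    # Ticket only what is new relative to yesterday's baseline (constructed here).
    for t in draft_tickets(new_findings(findings, {"SNYK-EXAMPLE-0002"}), "payments-service"):
        print(t["summary"])
    sys.exit(1 if blocked else 0)  # non-zero exit blocks the CI job
```

The two modes map onto the list above: `gate` is the build-blocking check (a `--severity-threshold` on the CLI does the same, but deduplicating first keeps the failure output readable), while `new_findings` plus `draft_tickets` is the daily scan that should only open tickets for advisories that were not already known, so a team is not paged twice for the same dependency path.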

Recently, Snyk helped Varo identify and mitigate the Spring4j vulnerability within hours of the original proof of concept being released. Turnaround time for fixing the critical issues was minimal because the pipelines were automatically blocked and developers had to upgrade to the secure version before any new change could be deployed to production.

Security Testing

Varo proactively hunts for security vulnerabilities in addition to the automation built into its CI pipelines. Synack serves as Varo’s penetration testing platform, providing ongoing human-driven vulnerability discovery across Varo’s entire suite of products, 24/7, 365 days a year. When updates are released frequently, point-in-time testing loses relevance and a continuous, crowd-sourced approach becomes essential.

Should any vulnerabilities be found, Synack’s portal provides details on each one, including how it was found. The security researcher who found the exploitable vulnerability through Synack provides a resolution strategy and validates the fix.

Synack also provides focused security research based on industry best practices, checking for specific vulnerability classes or gray areas that a regular researcher may not focus on while hunting for new exploits. You can learn more about how Synack helped Varo achieve its goals in a case study here.

Synack also manages Varo’s Responsible Disclosure process. If you’d like to participate in responsible disclosure of any potential vulnerabilities, learn more here.

We’d also like to say thank you to all researchers that have responsibly disclosed vulnerabilities.

Conclusion

A Secure Software Development Lifecycle allows Varo to shift security left, addressing risks at the requirements phase rather than backtracking to them from a later stage of development, and it keeps security in focus at every phase. Snyk and Synack help Varo scale its security program and free Varo’s internal resources to build security into the platform, strengthening its products and keeping its customers safe.

Viswanath Vachanala, Engineering @Varo: passionate software development guy who took a leap into Application Security.