N26 Security 3.0

InsideN26
InsideN26
May 27 · 4 min read

Security had a bumpy first few years here at N26. In late 2016, a weakness in our API and mobile apps was exposed. None of our customers were affected because we fixed the underlying issues before the problem was made public.

We took this exposure as a chance for N26 to rethink our security strategy and revamped our InfoSec program.

Developing the N26 security culture

Today, N26 has a team of dedicated security engineers and specialists running several programs and initiatives to grow the security culture at N26. Here are a few:

Security Champions

Each of our development teams nominates a Security Champion, who acts as our primary interface between product development and the Security Team, and receives continuous training on relevant security issues.

Threat modeling

Whenever we start development on a new feature or microservice, we perform several threat modeling sessions to identify potential threats from a hypothetical attacker’s point of view. This session involves the Security Champion, all developers and a security engineer.

Meet the Community

Various teams at N26 host meetups and networking events almost every week and you are most welcome to join us! Our Security Team launched the Berlin installment of Sectalks, featuring a talk followed by a CTF challenge every month at N26’s Berlin headquarters.

Built-in security

Beside improving the culture, we also continuously harden our software and infrastructure stack. The Security Team implements a range of tools and processes to detect security events and weaknesses. We have to cover many layers for a complex company like N26.

Web Security

Our web infrastructure is a publicly exposed endpoint. We work closely with our web developers on hardening our setup, so we can provide our customers with a safe experience. In the last year, for example, we implemented HSTS, and we also continuously harden our TLS ciphers. We have also put front end encryption in place on most of our websites, adding a layer of security and safety for our customers. Currently, we are working on deploying a better Content Security Policy to add yet another layer of protection.

Backend Security

We automated the monitoring of our software supply chain for vulnerabilities, and run scans in our own network to detect weaknesses. Our security engineers have developed a service to automate the fuzzing of our API endpoints and these tests are now part of our CI/CD pipeline.

Our TCP/IP traffic is protected by a DDoS shield provider, and we run an extensive monitoring setup to detect anomalies in our traffic. In addition, we optimize every layer of our API to better detect suspicious events and protect us from people trying to abuse our services.

Security Engineering

We are developers and engineers at heart, so developing security products is a prime focus of our security team. The goals of our development efforts include topics like client hardening, log analysis and our automated account management system.

You may have heard of the Google project BeyondCorp — part of our team is currently working to deploy client certificates on our employees’ computers at scale and in a secure way, using protocols such as SCEP.

Growth with specialization

The N26 customer base is growing and we are expanding globally. Our employee numbers are also dramatically increasing. Our Security Team is taking on the challenge of becoming a global company by specializing around 4 subteams:

Product Security

This team of engineers is focusing on improving the security of our products. ProdSec is working closely with all our development teams. Engineers in this team lead the Security Champion program and threat modelling, they design secure applications, review code and run penetration tests. ProSec is a security enabler for our product development.

Infrastructure Security

Our infrastructure security engineers (a.k.a. our blue team) are developers with a strong security background. This team is continuously improving the security of our N26 platform. InfraSec is architecting and developing solutions that advance security monitoring & controls, such as self-service permissioning services, access control systems, intrusion detection systems, etc.

Security Risk Management

As a financial institute, we can’t outsource risk. Therefore, we always assess the risk of using a tool or working with an external partner. We investigate the technical and organizational processes, software and partners — and document the category of data we share. With our most critical partners, we even conduct on-site visits to investigate how they run their business in detail.

Different markets have different legal requirements. We at N26 want to work on a global security, compliance and policy framework.

Trust and Safety

Engineers in this team are the investigators and emergency responders of N26. We’re building ad hoc task groups with specialists from relevant N26 teams to investigate and mitigate cybersecurity incidents. We use the learnings of the Trust and Safety team to improve our setup and inform our customers. Investigations of big data sets and mountains of logs are just as important for this team as clear communication skills and the ability to build partnerships across business lines.


Want to become part of our Security Teams?

Try to capture some flags below and check out our Security job openings.

Want to test your #security skills? Start our N26 Security Challenge above by scanning the QR code and try to get until the end. You will have the chance to join our Security Teams!

InsideN26

InsideN26

Written by

InsideN26

Stories from our Team

InsideN26

InsideN26

It takes people of all makeups to create a bank that adapts to the needs of millions. That's why we mix data, intuition, and heart. To build a powerful tool, to make life that much easier. We're some of the best at what we do. And want you to be too.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade