Security had a bumpy first few years here at N26. In late 2016, a weakness in our API and mobile apps was exposed. None of our customers were affected because we fixed the underlying issues before the problem was made public.
We took this exposure as a chance for N26 to rethink our security strategy and revamped our InfoSec program.
Developing the N26 security culture
Today, N26 has a team of dedicated security engineers and specialists running several programs and initiatives to grow the security culture at N26. Here are a few:
Each of our development teams nominates a Security Champion, who acts as our primary interface between product development and the Security Team, and receives continuous training on relevant security issues.
Whenever we start development on a new feature or microservice, we perform several threat modeling sessions to identify potential threats from a hypothetical attacker’s point of view. This session involves the Security Champion, all developers and a security engineer.
Meet the Community
Various teams at N26 host meetups and networking events almost every week and you are most welcome to join us! Our Security Team launched the Berlin installment of Sectalks, featuring a talk followed by a CTF challenge every month at N26’s Berlin headquarters.
Beside improving the culture, we also continuously harden our software and infrastructure stack. The Security Team implements a range of tools and processes to detect security events and weaknesses. We have to cover many layers for a complex company like N26.
Our web infrastructure is a publicly exposed endpoint. We work closely with our web developers on hardening our setup, so we can provide our customers with a safe experience. In the last year, for example, we implemented HSTS, and we also continuously harden our TLS ciphers. We have also put front end encryption in place on most of our websites, adding a layer of security and safety for our customers. Currently, we are working on deploying a better Content Security Policy to add yet another layer of protection.
We automated the monitoring of our software supply chain for vulnerabilities, and run scans in our own network to detect weaknesses. Our security engineers have developed a service to automate the fuzzing of our API endpoints and these tests are now part of our CI/CD pipeline.
Our TCP/IP traffic is protected by a DDoS shield provider, and we run an extensive monitoring setup to detect anomalies in our traffic. In addition, we optimize every layer of our API to better detect suspicious events and protect us from people trying to abuse our services.
We are developers and engineers at heart, so developing security products is a prime focus of our security team. The goals of our development efforts include topics like client hardening, log analysis and our automated account management system.
You may have heard of the Google project BeyondCorp — part of our team is currently working to deploy client certificates on our employees’ computers at scale and in a secure way, using protocols such as SCEP.
Growth with specialization
The N26 customer base is growing and we are expanding globally. Our employee numbers are also dramatically increasing. Our Security Team is taking on the challenge of becoming a global company by specializing around 4 subteams:
This team of engineers is focusing on improving the security of our products. ProdSec is working closely with all our development teams. Engineers in this team lead the Security Champion program and threat modelling, they design secure applications, review code and run penetration tests. ProSec is a security enabler for our product development.
Our infrastructure security engineers (a.k.a. our blue team) are developers with a strong security background. This team is continuously improving the security of our N26 platform. InfraSec is architecting and developing solutions that advance security monitoring & controls, such as self-service permissioning services, access control systems, intrusion detection systems, etc.
Security Risk Management
As a financial institute, we can’t outsource risk. Therefore, we always assess the risk of using a tool or working with an external partner. We investigate the technical and organizational processes, software and partners — and document the category of data we share. With our most critical partners, we even conduct on-site visits to investigate how they run their business in detail.
Different markets have different legal requirements. We at N26 want to work on a global security, compliance and policy framework.
Trust and Safety
Engineers in this team are the investigators and emergency responders of N26. We’re building ad hoc task groups with specialists from relevant N26 teams to investigate and mitigate cybersecurity incidents. We use the learnings of the Trust and Safety team to improve our setup and inform our customers. Investigations of big data sets and mountains of logs are just as important for this team as clear communication skills and the ability to build partnerships across business lines.
Want to become part of our Security Teams?
Try to capture some flags below and check out our Security job openings.