API Security for Canadian and APAC Banks

The Company

Nomis Solutions, United States

The Project

Banks consume the APIs provided by Nomis to offer personalized rates for personal lending, deposits and residential mortgages to their customers. Nomis was looking for a robust security solution to reduce the probability of unauthorized users accessing those APIs and to prevent attacks against them.

Tech Stack
  • JSON Web Token (JWT)

  • Security Assertion Markup Language (SAML)

  • Node.js

  • MongoDB

  • API Design and Development

The Goals
  • Enhance API security with an ability to test and deploy faster.

  • Fix the existing security vulnerabilities related to Access Control, Missing Error Handling, Data Exposure on browser console, Plaintext password and others.

  • Implement SAML integration to standardise authentication of Bank employees across multiple Service Providers.

  • Lead the team of engineers, train them, perform code reviews and federate the knowledge on Web Application security.

The Approach
  • Introduced and implemented JSON Web Token (JWT) authentication for the APIs exposed to the banks.

  • Implemented authentication via SAML (Security Assertion Markup Language) integration and configured the Deal Manager web application as a Service Provider.

  • Worked with the banks to identify all use cases and the respective workflows for each API.

  • Created learning materials in the form of videos and documentation to build awareness and knowledge of Web Application Security.

  • Worked with an external penetration testing vendor and fixed the reported bugs: prevented the exposure of data via the browser console, stopped error logs from recording sensitive information, introduced role-based access to the application, and added restrictive MongoDB queries so that a request can only reach the data it is entitled to.

The Results
  • Introduced and implemented JSON Web Token (JWT) authentication for the APIs exposed to the banks.

  • The bank renewed the contract for the next 3 years, which resulted in a revenue increase for the company.

Team Structure

This was an approximately 80%-90% remote team based in different countries:

New Zealand -> 1 Product Head, 2 Solution Consultants

Canada -> 1 Product Manager, 2 Engineers

United States -> VP Engineering, 2 QA and 1 Engineer