John Trecker

Yewno Edge

A SOC 2 certification is a crucial signal to customers and financial partners in any fintech startup. Here's what I did to help secure our access controls and disaster recovery on our payment systems as we launched Yewno Edge.


Project Overview

A few years ago Yewno commercialized a knowledge graph developed at Stanford. I had the good fortune to work on the financial application of this technology, a machine learning tool that tracks and measures relationships between entities like companies, products, industries, supply chains, etc. Yewno Edge could deliver insights into indices and portfolios with powerful scope and scale.

Yewno recruited me because I had recently taught a data analytics class at UC Berkeley Extension. They needed data-intensive visualizations for their React web app. That I was happy to do, but strengthening their systems security turned out to have the greater impact on the growing startup.

Security

Yewno's authentication service was well designed. It used JSON Web Tokens (JWTs) to authenticate and authorize access to our web client. Unfortunately, the client web app used to store JWTs in the browser's local storage. That's a big no-no. The rationale was that the user IDs contained in the JWTs were needed to make the proper requests to our other services. And besides, I was told, we couldn't control what sensitive data a user chooses to pass through their browser.

I convinced our head of engineering otherwise. I grepped for all references to window.localStorage.getItem(...) in our third-party packages and found 7. Most were benign, but 2 were minified, meaning we couldn't tell what they were accessing. They could have been reading our JWTs for all we knew. Since JWTs are essentially passwords, we ourselves were exposing them to unauthorized parties, and exposing ourselves to cross-site scripting and request forgery attacks.

I removed this attack vector by replacing the user IDs carried in JWTs with session IDs in encrypted cookies. It cost our web app one more round trip to the server to remove user IDs from the client altogether, but that was a trade I was happy to make when the SOC 2 auditor came around.
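The cookie-based session pattern described above, as an added example written for this page rather than Yewno's own code: the user ID lives only in a server-side session store, the client holds an opaque session ID in an HttpOnly cookie that scripts (including third-party bundles) cannot read, and the extra round trip is a server-side lookup. It assumes an in-memory store and a hypothetical SECRET_KEY, and signs the cookie with an HMAC instead of encrypting it, since a random session ID carries nothing worth hiding; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory store: session_id -> {"user_id": ..., "expires": ...}.
# A real deployment would use a shared store (database, Redis) instead.
SESSIONS = {}
SECRET_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
SESSION_TTL = 3600  # seconds


def _sign(value: str) -> str:
    """HMAC tag so a forged or edited session ID is rejected before any lookup."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def create_session(user_id: str) -> str:
    """Mint an opaque session ID; the user ID never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "expires": time.time() + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value. HttpOnly keeps it out of document.cookie and
    any script's reach; Secure restricts it to HTTPS; SameSite=Strict stops the
    browser attaching it to cross-site requests (the CSRF concern above)."""
    cookie = SimpleCookie()
    cookie["session"] = f"{sid}.{_sign(sid)}"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def resolve_user(cookie_header: str):
    """The extra round trip: map the request's Cookie header back to a user ID.
    Returns None when the cookie is missing, tampered with, unknown, or expired."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    sid, _, sig = cookie["session"].value.rpartition(".")
    if not sid or not hmac.compare_digest(sig, _sign(sid)):
        return None
    record = SESSIONS.get(sid)
    if record is None or record["expires"] < time.time():
        SESSIONS.pop(sid, None)  # drop stale sessions on first touch
        return None
    return record["user_id"]
```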

Payments

I also designed Yewno's payments service with security in mind. Stripe is a pleasure to use, but it doesn't solve every issue a payments API has to anticipate. I thoroughly tested fault tolerance against various client, server, network, and database errors before our product launch. Murphy of Murphy's Law would have been proud: when a subtle, hard-to-reproduce bug appeared during a live payment, it didn't take long to locate the cause. Our payment system was robust enough to handle the hiccup, but it could easily have been a show-stopper without the healthy paranoia that something, somewhere, will eventually break.

Tools Used

Python
Flask
Stripe
Bash
VS Code
JWTs
Cookies
OWASP