Belfast fintech app gains 'robust cybersecurity'

    LoyalBe is a Belfast-based start-up that recently created an app which links with your bank account to track purchases. It claims to help eliminate the need to carry loyalty cards for your favourite shops and doesn’t even require your phone.

    The start-up tasked cybersecurity consultants Vertical Structure with penetration testing its cloud environment.

    Founder of LoyalBe, Cormac Quinn, said this “robust cloud scanning” and the “highest standard of testing” was needed “to ensure we were complying with requirements of how an Amazon Web Service (AWS) application should look.”

    That included LoyalBe’s backend API, iOS app, Android app and web customer portal.

    Vertical Structure also helped LoyalBe undertake an information security gap analysis – which helped the business to obtain Cyber Essentials certification.

    Simon Whittaker, co-founder of Vertical Structure, said that “security had been at the top of LoyalBe’s agenda.”


    “Sometimes people assume that if you’re a start-up, it means you’re not taking security very seriously. That was the exact opposite of my mentality,” added Cormac. “It takes so long to build consumer trust, and rightly so. For LoyalBe to succeed, we needed to be absolutely sure of our security credentials.”

    When designing and building the app, the company said it took a few main things into consideration. It stated that its architecture was reviewed on an ongoing basis by security consultants as it was being built, that it ensured there were limited or no vectors for attack every time a new feature was added, and that security testing is “viewed as a continual process.”

    In Cormac’s opinion, AWS suits their needs better than other cloud service providers. He said that LoyalBe uses Amazon’s managed services, benefitting from all the security updates that are pushed by AWS.

    However, the Shared Responsibility Model still stipulates that providers need to look after their own security testing and maintenance – not everything is on the part of the cloud services provider.

    LoyalBe app 2019


    Giving advice to others building a secure application, Cormac said “you can leave things open without meaning to – the default isn’t always to lock everything down. It’s so important to understand what you’re doing. That’s why I always tapped up consultants from outside, such as Vertical Structure, to help.”

    He added that anyone first getting started in AWS should set up an account as an administrator account, but also immediately open another account with lower access privileges – “for example, an account that can access S3 buckets only.”

    Simon commented that “AWS works hard to make changes to improve security, but anyone who sets up services in AWS should double check security. In general, just because something is in the cloud, that doesn’t mean it’s 100% secure.


    “We always help companies to work with the AWS Shared Responsibility Framework – this helps them understand the difference between security of the cloud and security in the cloud.”

    Cormac said his team “had a great experience with Vertical Structure and would definitely recommend Simon and his team to any start-up.”

    AWS has produced some helpful documentation on its services, including its Well-Architected Framework whitepaper. It gives best practices, and describes the steps to get there.

    About the author

    An article that is attributed to Sync NI Team has either involved multiple authors, been written by a contributor, or has a main body of content that is from a press release.
