
Key security practices – how we ensure application security at Raiffeisen Tech

As the number of cyber threats increases and attacks become more sophisticated, securing applications is more important than ever. This means that organizations, software providers, and developers must prioritize strong, proven security measures to protect their applications and users. What key security practices have we established at Raiffeisen Tech? We invite you to read the article, where we present how we take care of our applications.


By Michał Brandt

Case Study – How we ensure application security at Raiffeisen Tech

Here are a few examples of practices and mechanisms we use to ensure that our applications are as secure and resilient to attacks as possible:

1. Strong Authentication and Authorization Mechanisms

  • Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security by requiring users to provide two or more forms of verification (e.g., a password plus a code sent to their phone, or a one-time code from an authenticator application). This significantly complicates unauthorized access attempts, because a stolen password alone is not enough: the attacker does not hold the extra MFA factor.
  • Secure Password Policies: We enforce regularly updated password requirements and periodic changes. Verification mechanisms check the strength of passwords to ensure users create strong, secure passwords that comply with the policy.

2. Cryptographic Protection of Data in Transit and at Rest

  • Encryption in Transit: Across all communication layers of the system or application, both public and internal, we use only secure protocols and algorithms such as HTTPS with TLS, SSH, or ECDSA, so that data transmitted between clients, servers, and other system components (e.g., database connections) stays encrypted. This protects data in transit from interception by attackers.
  • Encryption at Rest: Sensitive data, such as user credentials, payment information, or personal data, should be encrypted at every stage of storage—whether in databases or file systems, temporarily on virtual machines, in Docker/Kubernetes clusters (volume encryption), or in event log services (e.g., Elastic or OpenSearch). This guarantees that even if the data is stolen, it cannot be read without the decryption key.
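The "only secure protocols" rule for data in transit is easiest to enforce when the TLS client configuration is built in one place and reviewed against a policy. The following is an added example in Python's standard `ssl` module (not code from the article or from Raiffeisen Tech): a hardened client context, a policy checker that lists what is wrong with a given context, and the insecure anti-pattern for comparison. `open_tls_connection` needs network access and is shown for the API usage only.

```python
import socket
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: system CA store, peer certificate required,
    hostname verification on, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_violations(ctx: ssl.SSLContext) -> List[str]:
    """Configuration review helper: describe every way a context falls short of policy."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS versions older than 1.2")
    return problems


def open_tls_connection(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context; server_hostname enables SNI and name checking."""
    ctx = make_client_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


def weak_context_for_comparison() -> ssl.SSLContext:
    """The anti-pattern: verification switched off 'to make it work'. Shown only so the
    policy checker has something to flag; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", context_violations(make_client_context()))
    print("weak:    ", context_violations(weak_context_for_comparison()))
```

The same checker can run in a unit test or a pre-deployment gate so that a context weakened during debugging never reaches production.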

3. Input Data Verification and Sanitization

  • Data Validation: In our applications, we always check the data provided by users to ensure it meets the requirements—correct format, type, and content. This is especially important for financial or personal data, such as email addresses, phone numbers, account numbers, amounts, and uploaded files, before it is processed by other system components.
  • Sanitization: Input sanitization is crucial to reducing the risk of attacks such as SQL Injection or Cross-Site Scripting (XSS). We use escaping mechanisms that convert special characters into encoded equivalents with no syntactic meaning in the target language (for example, HTML entities), and we use prepared statements for database queries instead of concatenating user input into query strings in the application code.
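To make the two bullets concrete, here is an added example (not code from the article or from Raiffeisen Tech) in Python with an in-memory SQLite database: a whitelist-style validator for a transfer form (email, IBAN-shaped account number, amount), a deliberately vulnerable string-concatenated query beside its parameterized form, and HTML escaping for output. The table contents and the user names are constructed.

```python
import html
import re
import sqlite3
from decimal import Decimal, InvalidOperation
from typing import Dict

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")  # shape only; no checksum here


def validate_transfer(form: Dict[str, str]) -> Dict[str, object]:
    """Return cleaned, typed fields or raise ValueError. Nothing reaches the
    database until format, type and range have all been checked."""
    cleaned: Dict[str, object] = {}
    email = str(form.get("email", "")).strip()
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    cleaned["email"] = email

    iban = str(form.get("iban", "")).replace(" ", "").upper()
    if not IBAN_RE.fullmatch(iban):
        raise ValueError("invalid account number format")
    cleaned["iban"] = iban

    try:
        amount = Decimal(str(form.get("amount", "")))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    # NaN/Infinity parse fine as Decimal, so reject them before any ordering comparison
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("amount must be positive with at most two decimals")
    cleaned["amount"] = amount
    return cleaned


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # VULNERABLE on purpose: the value is spliced into the SQL text, so a crafted
    # input can change the query's structure instead of being treated as data.
    return conn.execute("SELECT id FROM users WHERE email = '" + email + "'").fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Prepared statement: the driver sends the value separately from the SQL text,
    # so it can only ever be compared as a string, never parsed as SQL.
    return conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchall()


def render_greeting(display_name: str) -> str:
    """Output escaping: user-controlled text becomes entities, not markup."""
    return f"<p>Hello, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("concatenated:", find_user_unsafe(db, probe))  # returns every row
    print("parameterized:", find_user_safe(db, probe))   # returns nothing
    print(render_greeting("<script>alert(1)</script>"))
```

Note that the probe string would already be rejected by `validate_transfer` because it is not a well-formed email address; validation and parameterization are layered defences, and the parameterized query is the one that holds even when validation is bypassed or forgotten on another code path.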

4. Securing APIs (Application Programming Interface) and Endpoints

  • Rate Limiting: Implementing rate limiting on API endpoints to prevent brute-force attacks and abuse is one of the basic security techniques we use in our systems. We limit the number of requests a user can send within a given timeframe, protecting not only the application but also databases, networks, and virtual machines from automated attacks.
  • Authentication Tokens: During data transmission between system components, we use only secure tokens (such as OAuth access tokens or JWTs) for API authentication. In the most sensitive areas, these tokens are additionally cryptographically signed, carry expiration times, and are stored securely.
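Both bullets of this section can be demonstrated with the standard library alone. The code below is an added example, not code from the article or from Raiffeisen Tech: a sliding-window rate limiter keyed by client, and a minimal HS256 JWT signer/verifier that pins the algorithm, checks the HMAC in constant time and rejects expired tokens. The key and claims are constructed; a real service would use a library such as PyJWT and a key from a secrets store.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: Dict[str, object], key: bytes, ttl_seconds: int,
               now: Optional[float] = None) -> str:
    """Issue a short-lived HS256 JWT with iat/exp claims."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=int(now), exp=int(now) + ttl_seconds)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, object]:
    """Return the claims or raise ValueError. The algorithm is pinned server-side
    (the header's alg is never trusted), the MAC is compared in constant time,
    and the signature is checked before any claim is read."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # client -> timestamps of recent allowed requests

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    tok = sign_token({"sub": "user42", "scope": "payments:read"}, key, ttl_seconds=60, now=1000)
    print(token_is_valid(tok, key, now=1030), token_is_valid(tok, key, now=1061))
    limiter = SlidingWindowLimiter(limit=3, window=10.0)
    print([limiter.allow("client-a", now=t) for t in (0, 1, 2, 3, 10)])
```

The limiter keeps per-client state in memory, which is fine for one process; behind a load balancer the counters live in a shared store such as Redis so that limits hold across instances.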

5. Regular Security Testing

  • Vulnerability Scanning: Our resources, applications, and systems are scanned daily with automated tools, allowing us to quickly identify potential weaknesses. This approach helps detect not only vulnerabilities but also common issues such as outdated software versions, libraries, or modules, as well as configuration errors.
  • Penetration Testing: Every year, we subject our systems and applications to penetration tests, conducted by top experts in the field. Simulating real-world attacks helps identify security gaps that automated tools might not catch. Of course, we do this to fix potential security issues before attackers can exploit them.

6. Secure Deployment and Configuration

  • Secure Default Settings: As part of the hardening process, we verify whether the default settings of software, databases, servers, services, and devices are configured securely. For example, default accounts are disabled, permissions for resources, folders, and files are changed according to the principle of least privilege, and firewall configurations allow only authorized data transmission to our systems.
  • Environment Isolation: We always maintain separation between development, testing, and production environments to prevent accidental data exposure and reduce the risk of unauthorized access. This separation is implemented at many levels, such as separate cloud accounts and dedicated resources (e.g., different database instances).
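The least-privilege part of the hardening checklist above is easy to automate for file system resources. This added example (not code from the article or from Raiffeisen Tech) walks a directory tree, flags files and folders that are group- or world-writable or carry setuid/setgid bits, and shows the corresponding fix for a secret-bearing config file. The scenario in `demo` is constructed inside a temporary directory and assumes a POSIX host.

```python
import os
import stat
import tempfile
from typing import Dict, List


def permission_findings(path: str) -> List[str]:
    """Describe how a single path deviates from least privilege."""
    mode = os.lstat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Map every offending path under `root` to its findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            found = permission_findings(full)
            if found:
                report[full] = found
    return report


def harden_secret_file(path: str) -> None:
    """A file holding credentials should be readable and writable by its owner only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: a config file left 0666 by a sloppy deploy, then hardened."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.env")
        with open(cfg, "w") as fh:
            fh.write("DB_PASSWORD=placeholder-not-a-real-secret\n")
        os.chmod(cfg, 0o666)
        before = audit_tree(d)
        harden_secret_file(cfg)
        after = audit_tree(d)
        rel = lambda rep: {os.path.relpath(k, d): v for k, v in rep.items()}
        return {"before": rel(before), "after": rel(after)}


if __name__ == "__main__":
    print(demo())
```

The same walk, run from a CI job or a scheduled check against deployed hosts, turns the "permissions changed according to least privilege" statement into something that is verified continuously rather than once.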

7. Software Updates

  • Regular Updates: All IT assets are regularly updated as part of a mature process—libraries, modules, frameworks, operating systems, and firmware—to ensure the latest security patches are always applied. Vulnerabilities in outdated software are one of the most common cyberattack targets.
  • Dependency Management: Using dependency scanning tools (e.g., GitHub Dependabot), we can also identify outdated or vulnerable external dependencies (third-party libraries or modules) in a project, and early detection of these allows us to remove vulnerabilities before they can be exploited in cyberattacks.
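To show what a dependency scanner actually does under the hood, here is an added example (not code from the article, from Raiffeisen Tech, or from Dependabot): it parses a pinned `requirements.txt`, compares each version against an advisory table, and reports both the vulnerable pins and the unpinned lines it cannot check. The advisory identifiers and the sample requirements file are constructed for the demo; a real tool pulls advisories from a vulnerability database.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory data; real scanners fetch this from an advisory database.
ADVISORIES = {
    "requests": [{"id": "DEMO-ADV-0001", "vulnerable_below": "2.31.0", "fixed": "2.31.0"}],
    "pyyaml":   [{"id": "DEMO-ADV-0002", "vulnerable_below": "5.4", "fixed": "5.4"}],
}

# name==version, optional trailing comment; anything else counts as unpinned
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(#.*)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple padded to three components; pre/post-release suffixes are ignored
    here, which is a simplification compared with full PEP 440 ordering."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, object]:
    """Split a requirements file into exact pins and everything else."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if m:
            pinned[m.group(1).lower().replace("_", "-")] = m.group(2)
        else:
            unpinned.append(line.strip())
    return {"pinned": pinned, "unpinned": unpinned}


def scan(text: str) -> Dict[str, object]:
    """Return vulnerable pins (with the version to upgrade to) and uncheckable lines."""
    parsed = parse_requirements(text)
    findings = []
    for name, version in parsed["pinned"].items():
        for adv in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(adv["vulnerable_below"]):
                findings.append({"package": name, "installed": version,
                                 "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return {"findings": findings, "unpinned": parsed["unpinned"]}


SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.25.1
PyYAML==6.0.1
flask>=2.0   # range, not a pin: the scanner cannot tell which version is installed
"""

if __name__ == "__main__":
    result = scan(SAMPLE_REQUIREMENTS)
    for f in result["findings"]:
        print(f"{f['package']} {f['installed']}: {f['advisory']}, upgrade to {f['upgrade_to']}")
    print("unpinned:", result["unpinned"])
```

The unpinned bucket is the practical caveat: a version range makes a scan result meaningless, which is why exact pins plus a lock file are a prerequisite for dependency scanning to give an honest answer.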

Summary

By implementing these practices in our application development and IT system maintenance processes, we can create and maintain a safer environment for users, reducing the risk of cyberattacks and security breaches. We view security as a continuous process that evolves alongside the organization, new threats, and technologies.
Building a secure application is not just about data protection but also about ensuring user trust in a world where digital security is key.