Hi, welcome back to the Tomás Development Blog, where we discuss all things Tomás. In a past post we talked about why we decided to create Tomás the Purrfect Budgeting App, and about our intention to turn it into a full Software as a Service offering.
This is the development history of everything we introduced so that we can offer this software to the public as a service.
Privacy
For financial software it is really important that we, the service providers, cannot see the contents of your finances. It's tempting to have super-admin users who can log into client accounts to help debug and generally support the end user, but with great power comes great responsibility, and TBH we don't want it.
So we built a hard partition: super-admin users exist, but they can only manage teams and users.
The whole admin section was created only to manage access to the service: create users and assign them to teams with the correct permissions, so they can start creating books we will never see.
This privacy of course cannot live only at the UI level; it needs to be baked into the API itself and challenged by a robust set of integration tests. This was one of the most time-consuming parts of the refactor, but we reached 100% coverage, and you can be sure the super-admin cannot see anything out of the box.
There might still be cases where an admin could add himself or herself to your team, but in that case you will see them added. That will be further enforced by proper logging of all activities in the future, which is important from a compliance standpoint (but overkill during the closed beta stage).
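To make the "hard partition" concrete, here is an added example (not code from the Tomás project) of a deny-by-default authorization function plus an Express-style wrapper. The role names, permission table and sample users are constructed for illustration; the only rule taken from the post is that super-admins may manage users and teams and nothing else, while books are reachable only through team membership.

```javascript
// Added example, not the Tomás codebase. Roles, permissions and users are constructed.
const ADMIN_RESOURCES = new Set(["users", "teams"]); // the super-admin's whole world
const BOOK_PERMISSIONS = {
  read: ["viewer", "editor", "owner"],
  write: ["editor", "owner"],
  delete: ["owner"],
};

// user:    { id, superAdmin: bool, memberships: { [teamId]: role } }
// request: { resource: "users"|"teams"|"books", action: "read"|"write"|"delete", teamId }
function authorize(user, request) {
  if (!user) return { allowed: false, reason: "unauthenticated" };
  if (ADMIN_RESOURCES.has(request.resource)) {
    // Only super-admins touch the admin section, and that is all they touch.
    return user.superAdmin
      ? { allowed: true, reason: "super-admin manages access" }
      : { allowed: false, reason: "admin section requires super-admin" };
  }
  if (request.resource === "books") {
    // Deliberately no super-admin branch here: the flag grants nothing on books.
    const role = user.memberships[request.teamId];
    if (!role) return { allowed: false, reason: "not a member of this team" };
    const allowedRoles = BOOK_PERMISSIONS[request.action] || [];
    return allowedRoles.includes(role)
      ? { allowed: true, reason: `role ${role} permits ${request.action}` }
      : { allowed: false, reason: `role ${role} cannot ${request.action}` };
  }
  return { allowed: false, reason: "unknown resource" }; // deny by default
}

// Express-style middleware factory. Assumes an upstream auth step already set req.user.
function requireAccess(resource, action) {
  return (req, res, next) => {
    const verdict = authorize(req.user, { resource, action, teamId: req.params.teamId });
    if (!verdict.allowed) return res.status(403).json({ error: verdict.reason });
    return next();
  };
}

// Constructed sample users so the block runs stand-alone.
const superAdmin = { id: "u1", superAdmin: true, memberships: {} };
const member = { id: "u2", superAdmin: false, memberships: { "team-a": "editor" } };

console.log(authorize(superAdmin, { resource: "books", action: "read", teamId: "team-a" }));
console.log(authorize(member, { resource: "books", action: "write", teamId: "team-a" }));
```

The integration tests the post describes would exercise exactly these cases: a super-admin reading a book must get a 403 even though the same token is accepted on the users and teams endpoints.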
Security
On the security front we took an API-first approach, coupled with the testing mentioned before. While we love our UI, and what motivated us to start this project was to have a killer UI for our financial planning, the reality is that deep down this is just a CRUD API with user access control on top. And we made sure to secure the hell out of that API: 497 individual tests with 100% coverage are witness to it.
We still have items to check off the OWASP Top Ten, but we are getting there in future deliveries.
Broken Access Control ✅: Rigorously tested.
Cryptographic Failures ⚠️: Using JWTs in LocalStorage; we will move them to HTTP-only cookies in a future update, along with OAuth or managed tokens for pure API use.
Injection ⚠️: I'm pretty sure this is covered by using Express as our backend framework, but we still need to set up a Content Security Policy to avoid cross-site scripting.
Insecure Design ⚠️: By being API first I think the data is secure, but our users' tokens are not secure right now, being stored in LocalStorage.
Security Misconfiguration ⚠️: The database is currently hosted on a Dreamhost shared server. I'm sure the server is safe and expertly managed by their team, but there is currently no configuration limiting where connections to the database can be made from. This is to accommodate development, but it will need to be hardened when going full SaaS.
Vulnerable and Outdated Components ✅: We are using LTS versions of every dependency, but you can never be 100% sure.
Identification and Authentication Failures ❌: We plan to introduce MFA in a future release, but as it is right now an attacker could brute force our login endpoint; speaking of which, we also don't have API throttling or rate limiting. Is someone taking notes of all the pending stuff?
Software and Data Integrity Failures ❌: We don't even have backups right now.
Security Logging and Monitoring Failures ❌: Yeah, we need that…
Server-Side Request Forgery ✅: Mostly controlled by our cloud providers (Dreamhost/Digital Ocean), and we don't have server-to-server interactions yet.
We take the OWASP guide as our priority for securing the app. We could do much more, of course, but just checking off the 10 points in the guide is the work of a lifetime, so we will focus on working through the list from the top down before going into an open beta.
We Interrupt this Broadcast
During the writing of this piece, and leading up to the start of the closed beta, my dad died, which interrupted all development and all plans, and filled us with deep sadness. The death of your 79-year-old father is of course expected at some point, but that doesn't soothe the pain or make you more ready for it.
It’s curious how a dash between two dates can summarize entire lives, empires, wars, and all the people who died and lived through them. The dash for my dad was filled with study, hard work, big adventures, and an even bigger family, his fair share of sins, parties, and good times.
Dad, you gave me education, love, a house and food to grow into a man, and even a home to take care of my own family. My family and I are in deep gratitude, and we all miss you so much.
~Levhita