At Modern Treasury, we are in the business of building trust. Security is a priority for our customers and a key feature of our products. Beyond regular compliance and vendor security assessments, we make an ongoing effort to build in actionable, practical measures for our customers.
Here are the most recent examples of our continuing approach to delivering hardened network security.
Private Communication Capabilities
All of our APIs already require Transport Layer Security (TLS), which provides authentication (clients verify the server’s identity) and encryption (exchanged messages are confidential in transit).
However, because these API calls rely on IP connectivity over public Internet infrastructure, we are exposed to brute-force and distributed denial-of-service (DDoS) attacks, along with other threats. Even in the absence of malicious actors, Internet weather (routing instability and congestion outside either party’s control) can impact reliability and performance.
Today, Modern Treasury supports AWS PrivateLink. If you are an enterprise customer, you can reach our API as if it were hosted directly on your private network. Modern Treasury’s API affords the following advantages:
- If you are hosted in AWS Region us-west-2, the connections to Modern Treasury happen within AWS’s data centers, reducing performance and reliability risk from DDoS attacks and Internet weather. Customers in other regions can use VPC Peering.
- With AWS PrivateLink, app.moderntreasury.com will resolve to IP addresses from your network’s CIDR block, which removes the need to set up and maintain egress filters for your network.
- You can control who has access to the Modern Treasury endpoint using a combination of security groups and endpoint policies.
Over time, this gives Modern Treasury an additional way to authenticate our clients, alongside our current use of API keys.
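As an added illustration of the consumer side of that setup (this is example Terraform, not Modern Treasury’s own configuration), the customer creates an interface VPC endpoint for the PrivateLink service, restricts who can open connections to it with a security group, and attaches an endpoint policy on top. The service name, and the `aws_vpc.main`, `aws_subnet.private`, `aws_security_group.app_tier` and `aws_iam_role.app` resources, are assumptions about the customer’s environment; the real service name comes from Modern Treasury’s documentation.

```hcl
# Added example, not Modern Treasury's configuration. Consumer side of the
# PrivateLink connection: an interface endpoint in the customer VPC that only
# the application tier can reach, with an endpoint policy on top.
# aws_vpc.main, aws_subnet.private, aws_security_group.app_tier and
# aws_iam_role.app are assumed to exist elsewhere in the customer's Terraform.

variable "modern_treasury_service_name" {
  description = "PLACEHOLDER: the PrivateLink service name Modern Treasury gives you"
  type        = string
}

# Security group attached to the endpoint's network interfaces. Only members of
# the application tier's security group may open TCP/443 to Modern Treasury;
# nothing else in the VPC can use the endpoint.
resource "aws_security_group" "mt_endpoint" {
  name        = "modern-treasury-endpoint"
  description = "Ingress to the Modern Treasury PrivateLink endpoint"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]
  }
}

resource "aws_vpc_endpoint" "modern_treasury" {
  vpc_id             = aws_vpc.main.id
  service_name       = var.modern_treasury_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = aws_subnet.private[*].id # one ENI per private subnet
  security_group_ids = [aws_security_group.mt_endpoint.id]

  # With private DNS, app.moderntreasury.com resolves to the endpoint ENIs'
  # addresses inside the VPC, so no public egress path is needed.
  private_dns_enabled = true

  # Endpoint policy: a second gate behind the security group. Only the
  # application role may send requests through this endpoint at all.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.app.arn }
      Action    = "*"
      Resource  = "*"
    }]
  })
}

output "modern_treasury_endpoint_dns" {
  value = aws_vpc_endpoint.modern_treasury.dns_entry
}
```

Two things to check before applying this: if the provider requires connection acceptance, the endpoint sits in `pendingAcceptance` until the provider accepts it, so `terraform apply` succeeding is not the same as connectivity working; and AWS only honours a custom `policy` on endpoints whose service reports `VpcEndpointPolicySupported` in `aws ec2 describe-vpc-endpoint-services`, so confirm that for the service name you were given, and rely on the security group alone if it does not.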
Modern Treasury also supports sending webhooks over AWS PrivateLink, which allows you to set up webhook receivers in private subnets that do not have Internet Gateways attached. Customers can operate in networks that are isolated from the public Internet, except for a pair of private connections with Modern Treasury.
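The webhook direction is the mirror image: the customer becomes the PrivateLink provider. As an added example (again not Modern Treasury’s own code), the receiver sits behind an internal Network Load Balancer in private subnets with no Internet Gateway, and an endpoint service exposes that NLB to exactly one allow-listed principal. The principal ARN that Modern Treasury connects from is a placeholder here and would come from their documentation; `aws_vpc.main`, `aws_subnet.private` and `aws_security_group.webhook_receiver` are assumed to exist.

```hcl
# Added example, not Modern Treasury's configuration. Provider side of the
# PrivateLink connection: a webhook receiver in private subnets (no Internet
# Gateway) published as an endpoint service that only Modern Treasury may
# connect to. aws_vpc.main, aws_subnet.private and
# aws_security_group.webhook_receiver are assumed to exist.

variable "modern_treasury_principal" {
  description = "PLACEHOLDER: the AWS principal ARN Modern Treasury connects from"
  type        = string
}

# Internal NLB in the private subnets. It is the only thing the endpoint
# service exposes; TLS is terminated by the receivers behind it (TCP passthrough).
resource "aws_lb" "webhooks" {
  name               = "webhook-receiver"
  load_balancer_type = "network"
  internal           = true
  subnets            = aws_subnet.private[*].id
}

resource "aws_lb_target_group" "webhooks" {
  name        = "webhook-receiver"
  port        = 443
  protocol    = "TCP"
  vpc_id      = aws_vpc.main.id
  target_type = "ip" # assumed: receivers register by IP (e.g. container tasks)
}

resource "aws_lb_listener" "webhooks" {
  load_balancer_arn = aws_lb.webhooks.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.webhooks.arn
  }
}

# The endpoint service. Connection requests must be accepted explicitly, and
# only the allow-listed principal can even submit one, so an unknown account
# cannot reach the receiver by guessing the service name.
resource "aws_vpc_endpoint_service" "webhooks" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.webhooks.arn]
  allowed_principals         = [var.modern_treasury_principal]
}

# The receivers themselves accept 443 only from the NLB's subnets. PrivateLink
# traffic arrives with the NLB nodes' private addresses as its source, so there
# is no reason to open the receiver to the whole VPC.
resource "aws_security_group_rule" "receiver_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.webhook_receiver.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = aws_subnet.private[*].cidr_block
}

# Hand this service name to Modern Treasury; they create their endpoint
# against it and you accept the connection request.
output "webhook_endpoint_service_name" {
  value = aws_vpc_endpoint_service.webhooks.service_name
}
```

Because the NLB passes TCP through, the receiver still sees a TLS handshake and should present a certificate Modern Treasury will trust; network isolation replaces the public ingress path, not the application-level checks on the webhook itself.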
Web Application Firewall
APIs that are publicly accessible are targeted by bots and scanners daily, and Modern Treasury is no exception. Security researchers and opportunistic attackers constantly generate requests from databases of known exploits, looking for vulnerabilities in our systems.
In December 2021 we found, in our logs, requests crafted for Log4Shell (CVE-2021-44228) several hours before its details were published. Our application is not vulnerable to these exploits, but such requests create alert noise for our engineers and can degrade performance for customers.
Today, Modern Treasury has deployed a modern Web Application Firewall (WAF) to protect our API. It is configured to block identified malicious actors and requests that match a database of common exploit patterns. This setup has the following advantages:
- In addition to AWS Shield, the WAF protects against Denial-of-Service (DoS) attacks by allowing us to quickly block specific IP addresses and regions.
- The WAF helps us run a more cost-effective stack by blocking garbage requests at the edge, reducing our need to scale out.
- By using a managed firewall and managed rules, Modern Treasury gets fast access to the latest patterns to use against new CVEs.
As a best practice, we will review and calibrate these rulesets regularly to harden the firewall and protect our API.
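To make the shape of such a firewall concrete, here is an added example of an AWS WAFv2 web ACL (not Modern Treasury’s actual rule set) that combines the three things the list above describes: our own block list, a per-IP rate limit, and AWS managed rule groups, including the Known Bad Inputs group that carries AWS’s Log4j (JNDI) signatures. The ACL is attached to an Application Load Balancer named `aws_lb.api`, which is assumed to exist; the IP range in the block list is a constructed documentation address, and the rate threshold is an assumption to be calibrated from real traffic.

```hcl
# Added example, not Modern Treasury's actual rule set. A WAFv2 web ACL in
# front of a public API behind an Application Load Balancer (aws_lb.api is
# assumed to exist; WAF attaches to ALBs, not NLBs). Rules are evaluated in
# priority order: our own block list first (cheapest), then a per-IP rate
# limit, then the AWS managed rule groups.

resource "aws_wafv2_ip_set" "blocked" {
  name               = "api-blocked-sources"
  scope              = "REGIONAL"       # "CLOUDFRONT" if attached to a distribution
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.0/24"] # constructed RFC 5737 documentation range
}

resource "aws_wafv2_web_acl" "api" {
  name  = "api-edge"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # 1. Sources we block ourselves; quick to edit during an incident.
  rule {
    name     = "block-listed-ips"
    priority = 0
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocked.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-listed-ips"
      sampled_requests_enabled   = true
    }
  }

  # 2. Per-source-IP rate limit over WAF's trailing five-minute window.
  rule {
    name     = "rate-limit-per-ip"
    priority = 10
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000 # assumed threshold; calibrate from your own traffic
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # 3. AWS managed rule groups. KnownBadInputs includes the Log4j JNDI rules;
  #    CommonRuleSet covers the usual scanner payloads. override_action none
  #    keeps each group's own block actions instead of downgrading them to count.
  dynamic "rule" {
    for_each = {
      AWSManagedRulesKnownBadInputsRuleSet = 20
      AWSManagedRulesCommonRuleSet         = 30
    }
    content {
      name     = rule.key
      priority = rule.value
      override_action {
        none {}
      }
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-edge"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = aws_lb.api.arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```

Blocking by region is the same pattern with a `geo_match_statement` listing `country_codes`. The per-rule `visibility_config` is what makes the regular calibration mentioned above possible: each rule gets its own CloudWatch metric and sampled requests, so a managed rule that starts matching legitimate customer traffic shows up as a spike on that rule alone and can be switched to count mode while it is investigated.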
From network security to application security and database security, a Defense-in-Depth strategy requires attention to detail at multiple layers to provide effective protection. Each hardened layer increases the cost borne by attackers, rendering their endeavors unprofitable and deterring further attempts.
Security is part of the charter of the Foundations Engineering Group at Modern Treasury, which supports our engineers in deepening their expertise around our product and key technologies. Join us to help protect the global payments infrastructure.