Security
Last updated
Last updated
Security is at the heart of BANGK's architecture. The use of several software layers, each with its own paradigms, enables it to provide services that are best suited to their objectives:
Financial transactions are in the deepest layer, protected by multiple software layers, each with its own authentication methods, coded with a strict language and tested to +95%,
Non-sensitive operations are in an accessible software layer, written in a modular and resilient language that meets high accessibility and performance requirements.
Here is a list of all the security checks for a signal in the various software layers of the BANGK project:
The automated tests will concern the most sensitive parts of the application (backend, smart contracts, etc.).
The target coverage rate is 95-99% for sensitive modules (finance, transactions, blockchain, etc.) and 75+% for non-sensitive modules (design system, etc.).
Here are the different types of tests put in place, in order of importance:
API non-regression tests: Their role is to ensure that the various backend functionalities, via API, continue to work as expected despite updates. They test a maximum number of forms of aggression, edge cases and combinations of user permissions to ensure that incoming and outgoing data remains validated in accordance with what is expected for each level of permissions.
Unit tests: These test functionality directly in the code. They are particularly relevant for algorithmic code or security functions that are at the heart of the application.
Manual testing: A QA (Quality Assurance) team will be put in place to guarantee optimum quality of user experience with each update of the application.
Alpha/Beta testing: After the quality assurance stage, each update will be tested by an initial group of internal users (Alpha), then offered to a panel of beta testers before being rolled out to the general public.
Other types of tests:
Load tests and simulations of denial of service attacks (DDOS).
Automated accessibility tests (contrast, button size, etc.), performance scores (e.g. lighthouse) and SEO tests.
Automated server crash tests during sensitive transactions and operations and automatic data recovery tests.
BANGK considers code quality to be one of the essential components of application security. In a clean, well thought-out application, security is applied simply, legibly and effectively. It is also easier to understand and adopt good practice throughout the life of the application.
Here are some of the practices put in place to guarantee code quality:
Regular code quality and cyber security audits by recognised third parties.
Simple, easy-to-read security practices, exhaustive checklists and double checks.
Systematic peer reviews for everyone.
Whether for performance or security, a monitoring system with real-time alerts is in place, and a person is on call 24 hours a day to guarantee continuity of service.
Here are some best practices for obtaining licences and ensuring the best possible security throughout the technology chain:
Multi-factor authentication.
Reconnection by PIN code, fingerprint or facial recognition.
AI analysis of user behaviour to determine certain patterns of unusual behaviour.
Rate limiting: limiting the number of requests from a user to prevent certain types of attack.
Infrastructure :
Database redundancy on at least 5 points and back-up every 30 minutes.
Server redundancy across several data centres and geographical zones.
Implementation of a container orchestrator to guarantee server resilience during peaks in usage (Kubernetes).
Https.
Implementation of increasingly deep software layers, each with an additional level of security.
Setting up a separate backend for sensitive actions (transactions, blockchain interactions, etc.).
More generally, every effort will be made to meet or exceed the security requirements of MiCA regulations.
In addition to the usual security features, here are some other features that BANGK will be introducing.
Governance tools
In a traditional framework, the risk of an individual taking crucial decisions without consultation represents a major danger for any project. This is why BANGK advocates a collaborative governance model, where important decisions require the approval of several stakeholders before being implemented. The idea could be to introduce a voting mechanism, where a required number of voters - whether administrators or community members - would be needed to approve any sensitive action. In this way, no critical action could be taken without the approval of the team or the community itself.
Killswitch
To compensate for the lack of responsiveness of a participative system in an emergency situation, a killswitch (stop button) will be put in place. It can be used in extreme cases to interrupt financial services and thus curb a potential attack.