Conventional Components

Web2 KAIO Components

Introduction

The KAIO Platform was developed using Web2 and Web3 principles, with equal importance placed on securing both aspects. The Web2 components were secured using the same security best practices employed to protect other Web2 applications. The platform was evaluated against the relevant security controls of the CIS Critical Security Controls® (CIS Controls®) v8 framework. This framework prioritizes a set of actions to create a defense-in-depth approach to mitigate the most frequent attacks against systems, networks, and applications.

Security Control Groups

The KAIO platform undergoes continuous assessment against the following security control groups within the CIS v8 framework:

  • Inventory and Control of Software Assets

  • Data Protection

  • Secure Configuration of Enterprise Assets and Software

  • Account Management

  • Access Control Management

  • Continuous Vulnerability Management

  • Audit Log Management

  • Network Infrastructure Management

  • Network Monitoring and Defense

  • Application Software Security

  • Penetration Testing

Confidentiality, integrity, and availability (CIA triad) of customer data on the KAIO Platform are ensured through various security measures provided natively by the Cloud Security Provider (CSP) AWS. These measures are utilized to secure the platform at the network, system, and application layers. In addition to the encryption provided by AWS for S3 buckets, all confidential and sensitive data is encrypted and stored in secure vaults while at rest. Key management for generated wallets on the KAIO platform is handled by the native Key Management System (KMS) solution of the CSP, or by a third-party key custodian. Traffic and transactions that trigger corresponding events on the smart contract infrastructure (e.g. signing the transaction with a valid signature) are handled by the KAIO platform in an encrypted and secure manner. User wallet keys are kept strictly confidential and private, ensuring secure access via the native KMS of the CSP.

Availability and Access Control of the KAIO Platform

The KAIO Platform operates on a highly secure and reliable infrastructure to ensure the availability of its Web2 components. The platform uses multiple Virtual Private Cloud (VPC) instances, which are externally load-balanced on the AWS Cloud Security Provider (CSP). The applications run as containers, and their availability is provided by a natively running container orchestration implementation (AWS ECR and EKS). This ensures that the applications can handle high traffic volumes without experiencing downtime.

To ensure that the Web2 and Web3 platforms are separated and secure, they are segmented by IP and protected by the native firewall of the CSP. In addition, access to the KAIO platform is only granted through the Web2 front-end, and is limited to a set of whitelisted IP addresses. The Web3 platform is not externally exposed, providing an additional layer of security to the platform.

The network infrastructure of the KAIO platform has multiple layers of access control, with admin access being possible only via different Multi-Factor Authentication (MFA) mechanisms, ensuring that the platform is well-protected against password-only access or attacks. To further enhance the level of security, AWS EKS Kubernetes Network Policies enforce segmentation and boundary control of container services, ensuring that the security of the platform is not compromised.

Secure Software Development Lifecyle

Secure Software Development Lifecycle (sSDLC) is an essential aspect of the security efforts for the KAIO Platform. The CI/CD pipeline includes code quality and Static Application Security Testing (SAST) stages during the CI phase. The purpose of these stages is to ensure code quality and identify any vulnerabilities before deployment to production. This process guarantees that high-quality, secure code is deployed to the platform. Additionally, the code review process is rigorous and only completed after a thorough examination of the code. The review process is critical to ensure that the code deployed on the platform meets the necessary security standards. The code is scrutinized in detail to check for errors, vulnerabilities, or other issues that could compromise the platform's security.

Other aspects of the sSDLC efforts for the KAIO platform are input validation and secure error handling. Preventing security vulnerabilities such as SQL injection attacks, cross-site scripting attacks (XSS), and buffer overflow attacks before they even reach the KAIO platforms servers is an important step in securing the platform. Preventing sensitive information from being disclosed to attackers by doing the necessary secure error handling is an important factor to prevent the platform from revealing any sensitive information.

Testing

To enhance the security of the platform, the KAIO platform undergoes periodic penetration testing. These tests are essential to ensure that no new vulnerabilities are introduced during the development phase of the application. This ensures that the platform remains secure throughout the development phase and the CI/CD pipeline.

Cybaverse carried out penetration testing for the API. Their findings have been addressed and resolved. The latest certification is available below.

295KB
Libre - Penetration Test Certification.pdf
PDF
Open
API penetration testing certification

Takeaways

In summary, the KAIO Platform places high importance on ensuring the security of customer data through various security measures, including encryption and secure storage of confidential and sensitive data in vaults, strict confidentiality and privacy of user wallet keys, and secure handling of traffic and transactions. The network infrastructure of the platform is highly secured, with admin access limited to authorized personnel and the use of MFA mechanisms. Additionally, a secure Software Development Lifecycle (sSDLC) and periodic penetration testing are implemented to ensure the platform remains secure.

Last updated