Security Best Practices

Here at Socure, we understand the importance of building secure and trustworthy identity applications. When leveraging third-party identity verification services like Socure, it’s crucial that developers implement best practices to protect user data and prevent fraud. In true Socure fashion, we’ve put together some tips for integrating safely and responsibly.

Use strong encryption and certificate validation

  • TLS and HTTPS connections: Require HTTPS and use the latest TLS version (TLS 1.3) for all API calls to the RiskOS™ endpoint. Note that TLS 1.3 is the default and preferred protocol version for encryption; however, we do allow TLS 1.2 as a minimum version when making API calls.
  • Data Encryption: Encrypt data in transit and at rest using properly managed encryption keys. Use industry-standard key management practices to generate, store, and rotate encryption keys securely - don’t expose user PII unnecessarily.
  • TLS validation: Ensure API calls to Socure endpoints require TLS validation (enabled by default in most environments).

Apply defense in depth strategies

  • API key authentication: Isolate credentials and use your unique API keys for authentication in your integration. The protection of API keys is critical to the security of our systems. It is the responsibility of customers to ensure that these keys do not fall into the wrong hands.
  • Consider domain/IP allow-listing: If you have a concrete understanding of where calls to Socure’s API endpoints will be originating from, you can add your domain and IPs to an API key allow-list. In the event your API keys are compromised, any requests not originating from your environment will be blocked.
  • User authentication and access control: Compartmentalize access using least privilege and zero trust models. By using strong user authentication methods, such as multi-factor authentication (MFA) with your preferred SAML IdP, you can verify the identity of users accessing RiskOS™ and protect sensitive information. Additionally, implement role-based access controls (RBAC) to limit users' access to only the resources and data they need to perform specific tasks.
  • Multilayer controls: Implement a variety of security measures like access tokens, request signing, and rate limiting to prevent potential attacks from penetrating deeper into your systems.
  • Information leakage: Don't leak sensitive error information - avoid disclosing specifics about why a verification failed or which part of the verification process caused the error.
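The TLS, API key and error-handling points above, shown together in a small client. This is an added example, not Socure's SDK or sample code: the host name, the `SOCURE_API_KEY` environment variable and the authorization header format are placeholders to be replaced from Socure's API reference.

```python
import os
import ssl
import json
import http.client
import logging

log = logging.getLogger("socure_integration")

# Placeholder host (assumption); take the real RiskOS endpoint from Socure's API reference.
SOCURE_HOST = "api.example.invalid"


def build_tls_context() -> ssl.SSLContext:
    """TLS context that refuses anything below TLS 1.2 and validates the server certificate."""
    ctx = ssl.create_default_context()            # system CA bundle, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2 minimum; TLS 1.3 negotiated when offered
    ctx.check_hostname = True                     # keep certificate/hostname validation on
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_api_key(env=os.environ) -> str:
    """Read the API key from the environment instead of hard-coding it in source or config."""
    key = env.get("SOCURE_API_KEY")               # variable name is an assumption
    if not key:
        raise RuntimeError("SOCURE_API_KEY is not set")
    return key


def user_facing_result(status: int, body: dict) -> dict:
    """Log the detailed failure reason internally; return only a generic message to the end user."""
    if status == 200:
        return {"ok": True}
    log.warning("verification failed: status=%s detail=%s", status, body)
    return {"ok": False, "message": "We could not verify your information."}


def post_json(path: str, payload: dict, api_key: str, ctx: ssl.SSLContext = None) -> dict:
    """POST a JSON payload over a validated TLS connection and sanitize the outcome."""
    ctx = ctx or build_tls_context()
    conn = http.client.HTTPSConnection(SOCURE_HOST, context=ctx, timeout=10)
    headers = {"Content-Type": "application/json",
               "Authorization": api_key}         # header format is an assumption; confirm with Socure
    conn.request("POST", path, body=json.dumps(payload), headers=headers)
    resp = conn.getresponse()
    data = json.loads(resp.read() or b"{}")
    conn.close()
    return user_facing_result(resp.status, data)
```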

Monitor integrations and have fallbacks

  • Fallback options: Have a well-defined fallback option to maintain security and provide a smooth user experience.
  • Continuous monitoring: Implement continuous monitoring of user activities and watch for anomalies.
  • Enforce SAML authentication: Use your preferred SAML IdP for user authentication into RiskOS™.
  • Vulnerability and dependency management: Actively scan dependencies and third-party code libraries for vulnerabilities.

Assess and iterate security controls

  • Risk assessment and analysis: Conduct in-depth security reviews before integration to identify potential risks to your systems, applications, and data.
  • Adapt to changes: Perform recurring risk assessments and audits and continuously monitor your security posture and patch vulnerabilities.

By following these comprehensive security best practices, you can build robust integrations that prioritize defense-in-depth, fail safely, protect user privacy, and provide reliable service. For help building secure identity verification workflows, reach out to Socure Support.