Fran Metrics Application
Tech stack: API, MySQL, Amazon Web Services, PHP, Quickbooks, Microsoft Power BI, Google Maps API, Laravel
Introduction to the Company
Fran Metrics is a financial services company based in Boise, Idaho. The company provides its clients with a software platform that consolidates the services required by franchising companies and their franchisees. The platform includes Evaluation features to evaluate and track performance, Monthly and Weekly Reporting features (Scorecard Reports, Trend Reports, Break-Even Analysis, and Descending KPI Reports), Consolidated Reporting, and many others. The platform also includes Bookkeeping, KPI, and Benchmarking solutions.
The source of all the financial data coming into the Fran Metrics web application is QuickBooks Online, provided by Intuit, a global technology company. DevCube built the integration between the Fran Metrics application and QuickBooks Online so that all the financial reports could be easily accessed by the users of the application.
After some time, the Founder of the Fran Metrics company came to us with the idea of placing the application in the QuickBooks App Store for the company’s growth and lead generation.
Fran Metrics reached out to us and explained in detail the challenge they were facing: preparing the Fran Metrics application to be listed in the QuickBooks App Store. For an application to be listed there, it has to be checked by Intuit itself and by a third party (Synopsys Inc., a company focused on software security and quality) for compliance with the Intuit requirements, which cover Technical Requirements, Marketing Requirements, Security Requirements, and Password Policy Requirements. We therefore immediately started researching those requirements and checking what had to change at both the application and the server level.
In the case of the Technical and Marketing Requirements, we encountered some issues, but they were minor and were easily remediated by our developers.
As regards the Security Requirements, we had to check the compliance of the Fran Metrics application in areas such as app server configuration, attack vulnerability, QuickBooks data usage, cookie management, OAuth token management, sensitive information, and user credentials. Each part of these Security Requirements required careful review and analysis by our DevOps engineers and developers.
Finally, we had to check the Fran Metrics application for compliance with Intuit's Password Policy, which covers Credential Creation, Credential Reset, Credential Transmission, and Credential Storage. One of these parts, Credential Creation, was especially challenging because it required the developers to build algorithms that prevent users from creating trivial or simple passwords that could be easily guessed. Compliance with Intuit's Password Policy also required rigorous testing by the Quality Assurance engineers to make sure that all requirements were met.
All in all, we had to review all these requirements, implement the changes in both application and server, and make sure that all the changes were made appropriately and satisfied the Intuit Requirements.
After that, the Fran Metrics application was tested by the third party, Synopsys Inc. Synopsys conducted DAST (Dynamic Application Security Testing), which resulted in a report describing the issues found. The report included several low and minimal issues and a couple of medium/high issues, all of which were quickly remediated.
At the end of this work on the Intuit Requirements, DevCube provided the following deliverables to the Fran Metrics company:
- Passwords were required to have the minimum length set by Intuit.
- Passwords were required to contain letters, numbers, and specific symbols.
- The password system was made to compare a user's password against the 10 000 most common passwords, so that a user cannot create a popular, commonly used password.
- An algorithm comparing a user's password with trivial variations of their username, name, and surname was implemented, so that a user cannot create a password that resembles their name, surname, or username. This algorithm takes the user's name, surname, and username as input and generates many variations (for example, Jacob, J4cob, 1Jacob, Jacob4, Jac0b, Jacob#, and many more) that the user is not allowed to use as a password.
- The password system was made to support mixed-case passwords.
- Passwords were made to expire after the number of days set by Intuit.
- The password system was made to lock the user account after a set number of consecutive failed login attempts.
- The password system was made to store a set number of the user's previous passwords and to reject a new password that is identical to any of them.
- The password system was made to prevent a user from changing their password more than once per hour.
- The password reset link was made valid for only 1 hour and usable only once.
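The following is an added illustration of the Credential Creation checks listed above, written here in standalone Python rather than taken from the Fran Metrics Laravel code base. The common-password list, the substitution table, the minimum length and the history depth are assumed values (the page gives only the Jacob/J4cob/Jac0b examples and the 10 000-entry list), and matching variants as substrings generalizes the page's prefix/suffix cases (1Jacob, Jacob4, Jacob#) without enumerating them.

```python
import hashlib
import hmac
import itertools
import os
import re

# Constructed stand-in for the 10 000 most-common-passwords list described on the page.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
# Assumed substitution table; the page's own examples (J4cob, Jac0b) imply at least a->4 and o->0.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
MIN_LENGTH = 8      # assumed; the page only says "the minimum length set by Intuit"
HISTORY_DEPTH = 5   # assumed; the page only says "a set number of previous passwords"

def trivial_variants(word):
    """All leet-substituted spellings of a name/username, lowercased (jacob, j4cob, jac0b, j4c0b)."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(p) for p in itertools.product(*options)}

def contains_identity(password, *identity_parts):
    """True if any trivial variant of a name/username (3+ chars) appears anywhere in the password."""
    pw = password.lower()
    return any(v in pw for part in identity_parts if len(part) >= 3 for v in trivial_variants(part))

def hash_password(password, salt=None):
    """Salted PBKDF2 record (salt, digest) as stored in the password-history list."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def reused_recently(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored (salt, digest) records."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def validate_password(password, username, first_name, last_name, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs mixed case")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    if contains_identity(password, username, first_name, last_name):
        problems.append("derived from name or username")
    if reused_recently(password, list(history)):
        problems.append("reused recent password")
    return problems
```

Lockout, expiry, the once-per-hour change limit and the single-use reset link are state kept per account and are not shown here.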
All these changes to the application and server configuration made the Fran Metrics application more secure and ready for listing in the QuickBooks App Store.
The main business outcome of this work is that the Fran Metrics application has met all Intuit Requirements and is now eligible for listing in the QuickBooks App Store. This makes it available to more users, which in turn will contribute to the growth of the Fran Metrics company.
Apart from that, since the application became more secure for its end users, the data security and breach-related risks have been eliminated, which contributes to the brand image of the company.