
Security Architecture

use.com implements defense-in-depth security across seven layers, from perimeter defense to incident response. This section outlines the security controls that protect user assets and data against both external attacks and internal threats.


Layer 1: Perimeter Defense

DDoS Mitigation


Multi-Tier Protection:


  • Tier 1 (Edge): 100+ Tbps capacity via Cloudflare/Akamai
  • Tier 2 (Origin): 10 Tbps scrubbing centers
  • Tier 3 (Application): Adaptive rate limiting and circuit breakers


Attack Mitigation:


  • Volumetric attacks (UDP/ICMP floods): Edge filtering
  • Protocol attacks (SYN floods): SYN cookies + connection limits
  • Application attacks (HTTP floods): Challenge pages + rate limiting


Historical Performance: Largest attack mitigated: 450 Gbps, neutralized within 8 seconds with zero downtime.


Web Application Firewall (WAF)


Protection Against:


  • SQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • XML external entities (XXE)
  • Known attack patterns


Performance: < 2ms latency added, < 0.1% false positive rate, > 99% true positive rate.


Layer 2: Application Security

Secure Development Lifecycle


Six-Phase Process:


  1. Requirements: Security requirements defined upfront
  2. Design: Architecture review, threat modeling
  3. Implementation: Secure coding standards, code reviews
  4. Testing: Static analysis (SAST), dynamic analysis (DAST)
  5. Deployment: Container scanning, configuration review
  6. Operations: Vulnerability management, incident response


Tools: SonarQube, Checkmarx (SAST), OWASP ZAP (DAST), Snyk (dependencies), Trivy (containers).


Input Validation


Four-Layer Validation:


  1. Client-Side: User experience, immediate feedback
  2. API Gateway: Schema validation, rate limiting
  3. Application: Business logic validation, sanitization
  4. Database: Constraints, triggers


Sanitization: All user inputs sanitized to prevent injection attacks. Parameterized queries used exclusively (no string concatenation).


Layer 3: Authentication & Authorization

Multi-Factor Authentication (MFA)


Required For:


  • Login (always)
  • Withdrawals (always)
  • API key creation (always)
  • Security settings changes (always)


Supported Factors:


  • Primary: Password (bcrypt hashed, cost: 12)
  • Secondary: TOTP (30-second codes), SMS OTP (fallback), Email OTP (recovery), Hardware keys (FIDO2/WebAuthn)
  • Tertiary: Biometric (Face ID, Touch ID on mobile)


Trusted Devices: 30-day trust period, limit 5 devices per user, revocable anytime.


Session Management


Token Architecture:


  • Access Token: 15-minute lifetime, memory-only storage
  • Refresh Token: 30-day lifetime, HttpOnly secure cookie, rotated on each use


Security Controls:


  • Device binding (fingerprint validation)
  • IP validation (alert on change)
  • Concurrent session limits (5 per user)
  • Automatic timeout (30 min idle, 24 hours absolute)


Layer 4: Data Security

Encryption at Rest


Database Encryption: AES-256-GCM with AWS KMS/Azure Key Vault


Column-Level Encryption for sensitive fields:


  • Passwords: bcrypt (cost: 12)
  • API Keys: AES-256-GCM
  • 2FA Secrets: AES-256-GCM
  • PII: AES-256-GCM
  • Private Keys: AES-256-GCM + HSM


Key Rotation: Quarterly for data encryption keys, annually for master keys.


Encryption in Transit


TLS Configuration:


  • Minimum: TLS 1.2
  • Preferred: TLS 1.3
  • Cipher Suites: AES-256-GCM, ChaCha20-Poly1305
  • Certificate: EV (Extended Validation), RSA 4096-bit or ECDSA P-384


Security Headers:


  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff


Layer 5: Infrastructure Security

OS Hardening


CIS Benchmarks: Level 1 compliance (95%+ score)


Hardening Measures:


  • Minimal installation (only required packages)
  • Root login disabled
  • SSH keys required (passwords disabled)
  • Filesystem encryption (LUKS)
  • Firewall with default deny


Patch Management:


  • Critical patches: Within 24 hours
  • Security patches: Within 7 days
  • Regular updates: Monthly maintenance window


Container Security


Image Security:


  • Official base images only
  • Daily vulnerability scanning (Trivy, Clair)
  • Block on HIGH/CRITICAL vulnerabilities
  • Docker Content Trust enabled


Runtime Security:


  • Non-root user execution
  • Resource limits (CPU, memory)
  • Network policies (default deny)
  • Secrets via Kubernetes Secrets + Vault


Layer 6: Monitoring & Detection

Security Information and Event Management (SIEM)


Log Sources:


  • Application logs (all services)
  • System logs (OS, kernel)
  • Network logs (firewalls, load balancers)
  • Security logs (WAF, IDS/IPS)
  • Authentication logs (login attempts, MFA)


Alert Rules:


  • Failed login attempts (> 5 in 5 minutes)
  • Impossible travel (successful logins from distant locations less than 1 hour apart)
  • Large data transfers (> 1 GB outbound)
  • Privilege escalation (sudo usage by non-admin)


Response Time: < 15 minutes for critical alerts.
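The two login rules above, as an added Python example rather than anything from the whitepaper: it replays a constructed authentication log, keeps a sliding five-minute window of failures per user, and flags two successful logins under an hour apart whose great-circle distance exceeds an assumed 500 km cut-off (the whitepaper does not define "distant").

```python
import math
from collections import defaultdict, deque

FAILED_LOGIN_LIMIT = 5        # alert on more than 5 failures ...
FAILED_LOGIN_WINDOW = 300     # ... within a sliding 5-minute window
TRAVEL_WINDOW = 3600          # successful logins less than 1 hour apart ...
TRAVEL_DISTANCE_KM = 500.0    # ... from places at least this far apart (assumed meaning of "distant")

# Constructed authentication log, one event per line: epoch_seconds|user|result|lat|lon
SAMPLE_LOG = """\
0|alice|FAIL|40.71|-74.00
50|alice|FAIL|40.71|-74.00
100|carol|OK|40.71|-74.00
100|alice|FAIL|40.71|-74.00
150|alice|FAIL|40.71|-74.00
200|alice|FAIL|40.71|-74.00
250|alice|FAIL|40.71|-74.00
1000|bob|OK|40.71|-74.00
1500|carol|OK|42.36|-71.06
2800|bob|OK|51.51|-0.13"""

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres on a 6371 km sphere
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(lines):
    """Replay log lines in order and return (rule, user, timestamp) for every alert raised."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures inside the 5-minute window
    last_success = {}               # user -> (timestamp, lat, lon) of the most recent successful login
    for line in lines:
        ts, user, result, lat, lon = line.split("|")
        ts, lat, lon = int(ts), float(lat), float(lon)
        if result == "FAIL":
            window = failures[user]
            window.append(ts)
            while ts - window[0] >= FAILED_LOGIN_WINDOW:   # expire failures older than 5 minutes
                window.popleft()
            if len(window) > FAILED_LOGIN_LIMIT:
                alerts.append(("failed_logins", user, ts))
        elif result == "OK":
            if user in last_success:
                pts, plat, plon = last_success[user]
                if ts - pts < TRAVEL_WINDOW and haversine_km(plat, plon, lat, lon) >= TRAVEL_DISTANCE_KM:
                    alerts.append(("impossible_travel", user, ts))
            last_success[user] = (ts, lat, lon)
    return alerts
```

The carol entries show the distance cut-off doing its job: New York to Boston within an hour is plausible travel and raises nothing.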


Anomaly Detection


User Behavior Analytics:


  • Baseline establishment (30 days normal activity)
  • Anomaly scoring (0.0-1.0 scale)
  • Alert threshold: 0.7
  • Automated response for high-risk anomalies


Monitored Patterns:


  • Login times and frequency
  • Geographic locations
  • Trading patterns
  • Withdrawal patterns
  • API usage patterns


Layer 7: Incident Response

Incident Severity Levels


P0 (Critical): Active breach, data exfiltration, service outage


  • Response Time: < 5 minutes
  • Team: Full IR team + executives
  • Communication: Hourly updates


P1 (High): Potential breach, significant vulnerability


  • Response Time: < 15 minutes
  • Team: IR team + stakeholders
  • Communication: Every 2 hours


P2 (Medium): Security policy violation, minor vulnerability


  • Response Time: < 1 hour
  • Team: Security team
  • Communication: Daily updates


P3 (Low): Informational, no immediate threat


  • Response Time: < 4 hours
  • Team: Security analyst
  • Communication: Weekly summary


Incident Response Process


Six Phases:


  1. Detection: SIEM alerts, user reports, monitoring (< 5 min for P0)
  2. Containment: Isolate systems, block IPs, revoke credentials (< 30 min for P0)
  3. Investigation: Forensics, scope determination, root cause analysis
  4. Eradication: Remove malware, patch vulnerabilities, harden systems
  5. Recovery: Restore from clean backups, verify functionality, monitor
  6. Post-Incident: Lessons learned, documentation, improvements


Metrics Tracked:


  • Detection time
  • Response time
  • Containment time
  • Recovery time


Security Audits


Internal Audits: Quarterly security reviews


External Audits:


  • Penetration testing: Twice yearly
  • Code audits: Before major releases
  • Infrastructure audits: Annually
  • Compliance audits: As required by regulators


Bug Bounty Program: Responsible disclosure program with rewards for security researchers.


Conclusion


use.com's seven-layer security architecture provides comprehensive protection through defense-in-depth, continuous monitoring, and rapid incident response. By combining multiple security controls and maintaining transparency about security practices, use.com protects user assets while building trust through verifiable security measures.







Updated on: 10/03/2026
