Nija

Security Hardening Guide

Overview

This document outlines the security hardening measures implemented in NIJA to protect the trading bot, user data, and API credentials.

Automated Security Scanning

CodeQL Analysis

NIJA uses GitHub’s CodeQL to perform automated security scanning of the codebase.

Workflow: .github/workflows/codeql.yml

Features:

• ✅ Scans Python and JavaScript code
• ✅ Runs on every push to main/develop branches
• ✅ Runs on all pull requests
• ✅ Weekly scheduled scans (Mondays at 6am UTC)
• ✅ Detects security vulnerabilities, coding errors, and code smells

View Results:

• Navigate to: Security > Code scanning alerts in GitHub
• Review and address any high/critical severity findings

Dependency Vulnerability Scanning

Workflow: .github/workflows/security-scan.yml

Tools Used:

1. Safety - Python dependency vulnerability scanner
2. Bandit - Python security linting
3. TruffleHog - Secret scanning in git history

Scanning Schedule:

• On every push to main/develop
• On all pull requests
• Weekly scheduled scans (Sundays at 2am UTC)

Security Best Practices Checklist

✅ API Key Security

• Never commit API keys to version control
• Use environment variables for all secrets
• Store secrets in .env file (gitignored)
• Rotate API keys regularly (recommended: every 90 days)
• Use separate API keys for development and production
• Implement encryption for stored credentials (Fernet encryption)

Required Environment Variables:

COINBASE_API_KEY=your_key_here
COINBASE_API_SECRET=your_secret_here
COINBASE_PEM_CONTENT=your_pem_content_here

✅ Input Validation

• Validate all webhook inputs
• Sanitize user inputs before processing
• Use Pydantic models for API request validation
• Implement rate limiting on webhook endpoints

Example:

from pydantic import BaseModel, validator

class WebhookSignal(BaseModel):
    symbol: str
    action: str
    price: float

    @validator('action')
    def validate_action(cls, v):
        if v not in ['buy', 'sell']:
            raise ValueError('Invalid action')
        return v

✅ Network Security

• Use HTTPS for all external API calls
• Implement TLS/SSL for webhook servers
• Validate webhook signatures
• Use CORS restrictions for API endpoints
• Implement JWT authentication for API gateway

✅ Error Handling

• Never expose sensitive data in error messages
• Log errors securely without exposing credentials
• Implement proper exception handling for API calls
• Use structured logging (JSON format)

Example:

import logging

logger = logging.getLogger(__name__)

try:
    response = api_call()
except Exception as e:
    # DON'T: logger.error(f"API failed: {api_key}")
    # DO: logger.error(f"API call failed: {type(e).__name__}")

✅ Access Control

• Implement user authentication for all API endpoints
• Use role-based access control (RBAC)
• Separate admin and user permissions
• Implement session management with timeouts
• Log all authentication attempts

✅ Code Security

• Run Bandit security linting on all Python code
• Fix all high/critical security findings
• Use parameterized queries (avoid SQL injection)
• Validate file paths to prevent directory traversal
• Implement CSP headers for web interfaces

✅ Trading Security

• Implement position size limits
• Add maximum daily loss circuit breakers
• Validate all trade parameters before execution
• Implement emergency stop mechanism
• Log all trade executions with full audit trail
• Rate limit API calls to prevent account lockouts

Example:

from bot.risk_manager import RiskManager

risk_manager = RiskManager(
    max_position_size_pct=5.0,
    max_daily_loss_pct=5.0,
    max_drawdown_pct=12.0
)

# Validate trade before execution
if not risk_manager.validate_trade(size, price):
    logger.warning("Trade rejected by risk manager")
    return

Security Monitoring

Real-Time Alerts

Configure alerts for:

• Failed authentication attempts
• Unusual API activity
• Large withdrawals or transfers
• Circuit breaker triggers
• Error rate spikes

Security Logs

Monitor these log files:

• logs/security.log - Authentication and authorization events
• logs/api.log - API call history
• logs/trades.log - Trade execution audit trail
• logs/errors.log - Application errors

Log Retention:

• Keep logs for minimum 90 days
• Archive important logs for compliance
• Implement log rotation to prevent disk fill

Incident Response

Security Incident Steps

1. Immediate Actions:
   • Stop the trading bot: ./stop_bot.sh
   • Disable API keys in broker account
   • Assess the scope of the incident
2. Investigation:
   • Review security logs
   • Check recent trade history
   • Identify compromised credentials
   • Document timeline of events
3. Remediation:
   • Rotate all API keys and secrets
   • Update .env file with new credentials
   • Patch identified vulnerabilities
   • Review and update security policies
4. Recovery:
   • Test bot with new credentials
   • Restart trading in paper mode first
   • Monitor closely for 24-48 hours
   • Document lessons learned

Emergency Contacts

• Security Issues: Create issue in GitHub with security label
• Trading Issues: Check RECOVERY_GUIDE.md
• API Issues: Refer to broker support documentation

Security Updates

Dependency Updates

Monthly Security Updates:

# Check for outdated packages
pip list --outdated

# Update specific vulnerable packages
pip install --upgrade package-name

# Update requirements.txt
pip freeze > requirements.txt

Security Patch Process

1. Monitor GitHub Security Advisories
2. Review Dependabot alerts weekly
3. Test patches in development environment
4. Deploy to production with monitoring

Compliance Considerations

Data Protection

• Encryption at rest: User credentials encrypted with Fernet
• Encryption in transit: HTTPS for all API calls
• Data minimization: Only store necessary trading data
• Right to deletion: Provide mechanism to delete user data

Audit Trail

• All trades logged with timestamp and user ID
• API key usage tracked
• Authentication events recorded
• Position changes documented

Regulatory Compliance

• Comply with broker terms of service
• Follow financial regulation requirements
• Maintain records as required by law
• Implement KYC/AML as needed

Security Review Schedule

• Daily: Review security scan results
• Weekly: Check Dependabot alerts
• Monthly: Update dependencies
• Quarterly: Rotate API keys
• Annually: Full security audit

Additional Resources

• OWASP Top 10
• Python Security Best Practices
• GitHub Security Best Practices
• Coinbase API Security

Questions or Issues?

If you discover a security vulnerability:

1. DO NOT open a public issue
2. Email security contact privately
3. Provide detailed information
4. Allow time for patch before disclosure

For general security questions, refer to SECURITY.md.