
Hey Ega! What’s your role, and what makes Faspay stand out in FinTech?
Hi team Aikido! As Development Head Manager at Faspay, I lead our engineering teams to build scalable, reliable systems that support the company’s growth and evolving business needs.
What sets Faspay apart is our strong presence across both digital and traditional sectors. We make it easier for merchants (especially those transitioning from legacy payment methods) to adopt digital payment systems through solutions that are stable, secure, and easy to integrate. Faspay is one of the oldest and most established payment gateways in Indonesia. Our solutions are secure, stable, and effortlessly integrable, built on years of proven experience and market trust.
What purpose should security in FinTech serve?
While FinTech-specific security should support innovation and digital financial inclusion, I’d argue this is also a must:
- Safeguard user data: FinTech platforms manage sensitive personal and financial information. Strong security ensures this data is not leaked, stolen, or misused.
- Protect transactions: Every transaction must be safe from fraud, manipulation, or unauthorized access to maintain the integrity of the system.
- Build trust: Users will only use digital financial services if they feel confident their money and information are secure. Trust leads to adoption and growth.
- Ensure compliance: Indonesia’s FinTech sector is regulated by authorities like OJK and Bank Indonesia. Good security helps companies comply with data protection and cybersecurity laws, avoiding penalties.
- Prevent losses: Cyberattacks can lead to stolen funds and damaged reputation. Security acts as a defense line to reduce such risks.
- Maintain service availability: Downtime or system failure due to attacks can stop business operations. Security ensures the platform remains reliable and always accessible.
How does Aikido help with increasing regulatory and data protection demands?
Aikido plays a critical role in helping us secure customer data. It identifies risks early in the development lifecycle, when they’re easier (and cheaper) to fix. Aikido scans thousands of open-source libraries, instantly alerting us when a dependency contains a known vulnerability that could put user data at risk. It also continuously monitors deployed code and flags changes when previously safe components become newly vulnerable due to evolving threat intelligence.
Was there a particular moment that triggered a more strategic focus on security?
In the last 3-4 years, Indonesia's financial industry became a target for hackers and exploits in various ways. Since then, we’ve taken a much more strategic and proactive approach to security, investing in better processes, raising internal awareness, and adopting tools like Aikido to help us identify vulnerabilities early and prevent incidents from happening.
Before adopting Aikido, what were your top security concerns? Were there specific risks or gaps you were looking to address?
Given the increased risk in the market, our immediate priority was to address the security gaps at the infrastructure level. Our main concerns included unpatched systems, known vulnerabilities, and overall environment hardening. We focused on regularly applying software patches, remediating known issues, and conducting routine penetration testing and vulnerability assessments to ensure our infrastructure was secure and resilient against future attacks.
What challenges were you experiencing in maintaining security and compliance as your platform scaled?
As we scaled, two key challenges emerged:
- Unpredictable threats: We couldn’t always anticipate new types of attacks or how sophisticated they’d be.
- Evolving compliance requirements: Regulatory expectations shift quickly, and our systems needed to keep pace without introducing dev bottlenecks.
The biggest balancing act was maintaining strong security without slowing down our development velocity.
“Security has become part of our development culture, not an afterthought.”
Were you using any other security tools or services prior to implementing Aikido?
We had tried several tools before Aikido, including Checkmarx and Snyk. Each had drawbacks. Some were slow, others lacked actionable insights, and some came with a steep price tag that didn’t reflect their value. That led us to search for something more developer-friendly and efficient, which ultimately brought us to Aikido.
“We tried Checkmarx and Snyk, but Aikido was faster, more actionable, and easier to work with.”
What stood out about Aikido during evaluation?
What stood out about Aikido during our evaluation was its strong focus on developer experience. The AutoFix feature was a huge win, allowing our team to quickly resolve issues without manual effort. Aikido also provides clear, actionable reporting, making it easier to prioritize and address vulnerabilities. Additionally, its seamless integration with tools we already use (like Jenkins, Slack, and various code editors) made adoption straightforward. On top of that, the scanning speed was noticeably fast, which helped maintain our development speed without compromising on security.
“Some issues are fixed automatically, no human intervention needed. We just review and merge the code.”
What has your experience been like working with the Aikido team?
Working with the Aikido team has been an outstanding experience. They’re not just responsive, they’re proactive, supportive, and truly invested in our success. Every interaction reflects their deep expertise in security and a genuine commitment to helping us grow with confidence. It’s rare to find a partner that feels this reliable and aligned with our values.
How easy or difficult was it to integrate Aikido into your existing workflows and development processes?
Very easy. The documentation is clear, and the setup process was smooth, even for developers new to the tool. Aikido plugged right into our pipelines without disrupting our processes. That was important. We needed better security, but not at the cost of productivity.
What’s your favorite feature or capability?
There are three, in my opinion. Definitely the API scanning feature. It’s invaluable since most of our services are API-based. It helps us ensure that any new APIs we release are secure from the start. Second, the AutoFix capability is the real time-saver. It has saved us a significant amount of time by automatically resolving many common vulnerabilities, allowing our team to focus more on shipping code without worries. In the fastest cases, fixes are done instantly; we just review the change and merge it.
“With the IDE plugin, we can catch bad code before it even gets pushed to GitHub.”
And the IDE plugin helps us catch bad code before it even gets pushed to GitHub. We no longer have to manually check each line, and that’s made a big impact on developer efficiency.

How has Aikido changed the way Faspay approaches security and vulnerability management?
Aikido has significantly improved our approach to security and vulnerability management at Faspay. We’re more conscious of securing our codebase, especially when it comes to identifying and eliminating hardcoded sensitive data. It’s also made us more proactive in maintaining our dependencies and ensuring they’re up-to-date and safe. Because of Aikido, security has become part of our dev culture, not an afterthought.
Have you seen any measurable outcomes?
Aikido helped us uncover many vulnerabilities in our legacy codebase that had gone undetected. That alone was worth the switch. We don’t have exact metrics yet, but we’ve definitely saved time.
Have you seen improvements in velocity or cost savings?
Not yet in terms of dev velocity; we’re still focused on cleaning up legacy code. And while we haven’t quantified cost savings, we can already tell Aikido is reducing the overhead of managing security manually.
If you had to describe Aikido’s impact in a single sentence, what would it be?
Aikido has seamlessly integrated security into our development process, helping us detect vulnerabilities early while empowering our team to code more securely and efficiently.