Travel Tripper (now Pegasus) is an all-in-one provider of websites, booking technology, and digital marketing for hotels. Their e-commerce solutions help hotels worldwide to generate demand, optimise conversions, and maximise revenue. They’ve been providing cutting-edge digital and cloud-based technologies for the hospitality industry for the past 15 years.
Our association with Travel Tripper started in 2016, when we were conducting a yearly assessment of their cardholder data environment (CDE) and apps for the PCI certification audit.
However, their engineering team was developing and releasing new features every quarter, which the annual assessment wasn’t accounting for. Audits once a year just wouldn’t be enough.
Around 2018, there were new developments with the PCI standard, too. Now it was mandatory to assess an application every time they introduced a new feature, or changed the app’s code significantly.
In order to maintain certification, a single annual audit was out of the question, given the pace of development at Travel Tripper. But that created another issue: conducting multiple assessments purely for PCI certification would rack up a significant cost.
Here’s what we proposed to the product engineering team: we wouldn’t just conduct simple assessments, but instead implement our full-fledged AppSec and security automation arsenal on their apps. This might initially seem counterintuitive, given Travel Tripper’s budgetary constraints. But we had a strategy already planned out.
Once we understood their quarterly release cycle, we kicked off the process with the automation buildup. Vulnerabilities that we identified manually in the assessments were turned into automated exploit scripts that we re-ran against the target apps to confirm each finding stayed fixed.
We also automated a set of tools and scripts to run scans against the app hosting environment and the CDE. We ran these scans periodically to maintain the security hygiene of the CDE and reported any findings to the engineering team immediately.
Next, we established a regression suite and focused our next assessment only on the new features. We scripted the vulnerabilities we found and added them to the regression suite.
This intense focus on optimisation gave us incredible results. After just a few releases, we were taking less than half the usual time to assess their apps.
After just two regression cycles, an assessment that normally took 23 days was taking just 15, and after a few more iterations, that number was down to 10.