Our client is a leading ticket aggregator and event hosting platform. Their services handle bookings and tickets for movies, live shows, sports tournaments, and corporate-oriented talks. Their applications are equipped to handle high volumes of traffic, with over 15 million monthly active users and 95 million tickets sold annually.
Our client’s web application is a platform for end consumers to select and book seats for events, and for corporate partners (organisers and cinema owners) to list shows, handle mobile ticketing, and run digital marketing for those events.
The app is highly scalable, built on a microservices architecture that heavily leverages cloud-native technologies such as Docker and Kubernetes.
Although the company’s development practices were cutting edge, their AppSec process was lagging far behind. Assessments were conducted only a few times a year, just enough to maintain their PCI compliance certification.
For such a modern tech stack, their AppSec practices left much to be desired. Things needed to change, and fast.
Our client was looking for a solution that would give them a practical approach to AppSec automation. Their vendors were only able to offer multiple assessment iterations to tackle the problem, but this didn’t take into account how fast they were developing the app. Not to mention, this wasn’t exactly cost-effective.
Their team had also automated their security tools in a pipeline, but that simply wasn’t working the way they wanted. Over time, the tool pipeline produced more noise (false positives) than actionable results.
It was around this time that we45 got into discussions with them. When we started talking to the company, we saw that although their automation effort wasn’t misguided, it was still lacking the depth of a penetration test. We proposed a two-step approach to address this.
The first step: Leverage the proven effectiveness of regression testing.
We conducted a comprehensive assessment of the client’s microservices, codifying the results as exploit-as-code scripts, which we added to their security automation pipeline so that every finding was re-verified on each run.
The results spoke for themselves. The tool scans were running efficiently and taking far less time to complete.
The second step: Expand coverage to custom attack scenarios that tools would not identify on their own. We started building a library of custom attack payloads tailored to each microservice in our client's app. Using we45's open source ThreatPlaybook framework, we helped their security team orchestrate the firing of those custom payloads against the target services.
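The first step above, codifying assessment findings as regression checks that gate the pipeline, looks roughly like the following. This is an added example, not we45's code or the client's pipeline, and it does not use ThreatPlaybook. The booking service is a constructed in-process mock, the finding ids (`FINDING-001`, `FINDING-002`), tokens and booking records are constructed placeholders, and `BASE_URL` would point at the real service under test in a pipeline.

```python
"""Security regression checks as a pipeline gate (added example, not we45's code).

Each finding from a past assessment is codified as a check that replays the
original request and asserts the *fixed* behaviour. If a fix regresses, the
check fails and the pipeline stops. The target is a constructed mock of a
booking API so the example runs offline.
"""
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# --- Constructed mock booking service (stands in for the real microservice) ---
TOKENS = {"token-alice": "alice", "token-bob": "bob"}                  # constructed users
BOOKINGS = {"B1": {"owner": "alice", "seat": "A12"},                   # constructed data
            "B2": {"owner": "bob", "seat": "C4"}}


class MockBookingAPI(BaseHTTPRequestHandler):
    enforce_ownership = True  # set False to simulate a build where the fix regressed

    def do_GET(self):
        token = self.headers.get("Authorization", "").replace("Bearer ", "")
        user = TOKENS.get(token)
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        if self.path.startswith("/bookings/"):
            booking = BOOKINGS.get(self.path.rsplit("/", 1)[1])
            if booking is None:
                return self._send(404, {"error": "not found"})
            if self.enforce_ownership and booking["owner"] != user:
                return self._send(403, {"error": "forbidden"})
            return self._send(200, booking)
        self._send(404, {"error": "not found"})

    def _send(self, status: int, body: dict) -> None:
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep request logging quiet
        pass


def start_mock() -> str:
    """Start the mock on an ephemeral loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockBookingAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


# --- Past findings codified as regression checks ---
@dataclass
class Finding:
    finding_id: str                 # constructed id from a prior assessment report
    description: str
    check: Callable[[str], bool]    # returns True while the fix is still in place


def get_status(base_url: str, path: str, token: str) -> int:
    req = Request(base_url + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_cross_user_booking_blocked(base_url: str) -> bool:
    """Original finding: a user could read another user's booking by id."""
    return get_status(base_url, "/bookings/B2", "token-alice") == 403


def check_unauthenticated_rejected(base_url: str) -> bool:
    """Original finding: booking lookup answered requests without a valid token."""
    return get_status(base_url, "/bookings/B1", "not-a-real-token") == 401


FINDINGS: List[Finding] = [
    Finding("FINDING-001", "Booking lookup lacked ownership check", check_cross_user_booking_blocked),
    Finding("FINDING-002", "Booking lookup accepted unauthenticated requests", check_unauthenticated_rejected),
]


def run_regression(base_url: str) -> Dict[str, bool]:
    """Replay every codified finding against the service; True means still fixed."""
    return {f.finding_id: f.check(base_url) for f in FINDINGS}


def pipeline_gate(results: Dict[str, bool]) -> bool:
    """Release only when no finding has regressed."""
    return all(results.values())


if __name__ == "__main__":
    base = start_mock()
    outcome = run_regression(base)
    for fid, ok in outcome.items():
        print(f"{fid}: {'PASS' if ok else 'REGRESSION'}")
    raise SystemExit(0 if pipeline_gate(outcome) else 1)
```

Each check asserts the fixed behaviour rather than trying to exploit anything, so the same script is safe to run on every build; the exit code is what the pipeline keys on, and the per-finding ids let a failure be traced straight back to the original assessment report.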
With we45’s solution, our client was able to build a scalable security automation framework without any loss of coverage or depth in their assessments.
This in turn helped them meet their yearly PCI compliance mandates with zero issues. No more of the annual uphill battle of getting assessments done across the board before the certification audits.
With continuous security testing running through the automation framework, it was simply a matter of generating reports and presenting them to the QSA (Qualified Security Assessor) for the certification audit.