Our client is a leading ticket aggregator and event hosting platform. Their services handle bookings and tickets for movies, live shows, sports tournaments, and corporate-oriented talks. Their applications are equipped to handle high volumes of traffic, with over 15 million monthly active users and 95 million tickets sold annually.
Our client’s web application is a platform for end consumers to select and book seats for events, and for corporate partners (organisers and cinema owners) to list shows, do mobile ticketing, and digital marketing for those events.
The app is highly scalable, built on a microservices architecture that heavily leverages cloud-native technologies such as Docker and Kubernetes.
Although the company's development practices were cutting edge, their AppSec process was lagging far behind. Assessments were conducted only a few times a year, and only to maintain their PCI compliance certification.
For such a modern tech stack, that left much to be desired. Things needed to change, and fast.
Our client was looking for a practical approach to AppSec automation. Their existing vendors could only offer more frequent assessment iterations, which neither kept pace with how fast the application was changing nor was particularly cost-effective.
Their team had also wired their security tools into a pipeline, but it simply wasn't working the way they wanted: over time, the tool pipeline produced more noise (false positives) than actionable results.
It was around this time that we45 got into discussions with them. When we started talking to the company, we saw that although their automation effort wasn't misguided, it still lacked the depth of a penetration test. We proposed a two-step approach to address this.
The first step: Leverage the proven effectiveness of regression testing.
We conducted a comprehensive assessment of the client's microservices and codified each confirmed finding as an exploit-as-code script, which we added to their security automation pipeline so that every fixed issue is re-tested on each run.
The results spoke for themselves. The scans in the pipeline ran more efficiently and took far less time to complete.
The second step: Expand coverage to custom attack scenarios that tools would not identify. We began building a library of custom attack payloads tailored to each microservice in the client's app. Using we45's open source ThreatPlaybook framework, we helped their security team orchestrate firing those payloads against the target services.
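To make both steps concrete, here is an added illustration of what an exploit-as-code regression harness with a per-service payload library can look like. It is not we45's, ThreatPlaybook's, or the client's code, and it makes no claim about what was actually found in the client's application: the "bookings" service, its ownership-check flaw, and the finding ids `F-07-idor` and `F-12-unauth` are all constructed for the example. The service is an in-process stand-in so the script runs offline; in a real pipeline the same `run_regression` call would point at the deployed microservice and fail the build if any codified exploit still succeeds.

```python
"""Exploit-as-code regression harness (added illustration, not the page's code).

Each previously confirmed finding becomes a reproducible request plus an oracle
that decides whether the attack still works. The CI step fails when the list of
still-exploitable findings is non-empty. The target is a constructed, hypothetical
stand-in for a bookings microservice so the example runs offline.
"""
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data for the stand-in service (hypothetical).
BOOKINGS = {"b-1001": {"owner": "alice"}, "b-1002": {"owner": "bob"}}


class FakeBookings(BaseHTTPRequestHandler):
    """Stand-in for GET /bookings/<id>. With `vulnerable=True` it skips the
    ownership check (the finding being regressed); with False it is the fix."""
    vulnerable = True

    def do_GET(self):
        user = self.headers.get("X-User", "")           # identity from a gateway header
        booking_id = self.path.rsplit("/", 1)[-1]
        record = BOOKINGS.get(booking_id)
        if record is None:
            return self._send(404, {"error": "not found"})
        if not self.vulnerable and record["owner"] != user:
            return self._send(403, {"error": "forbidden"})
        return self._send(200, record)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the harness quiet in CI logs
        pass


@dataclass
class ExploitCase:
    finding_id: str                                    # reference to the assessment finding
    service: str                                       # microservice the payload targets
    method: str
    path: str
    headers: Dict[str, str]
    still_exploitable: Callable[[int, bytes], bool]    # oracle over (status, body)


# Per-service payload library (hypothetical finding ids, constructed for the example).
PAYLOADS: Dict[str, List[ExploitCase]] = {
    "bookings": [
        # Horizontal access: alice reads bob's booking.
        ExploitCase("F-07-idor", "bookings", "GET", "/bookings/b-1002",
                    {"X-User": "alice"}, lambda s, b: s == 200 and b"bob" in b),
        # Missing authentication: no identity header at all.
        ExploitCase("F-12-unauth", "bookings", "GET", "/bookings/b-1001",
                    {}, lambda s, b: s == 200),
    ],
}


def run_case(base_url: str, case: ExploitCase) -> bool:
    """Fire one codified exploit and return True if it still works."""
    req = Request(base_url + case.path, method=case.method, headers=case.headers)
    try:
        with urlopen(req, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:                            # 4xx/5xx still feed the oracle
        status, body = err.code, err.read()
    return case.still_exploitable(status, body)


def run_regression(base_url: str, cases: List[ExploitCase]) -> List[str]:
    """Return the ids of findings that are still exploitable (CI fails if non-empty)."""
    return [c.finding_id for c in cases if run_case(base_url, c)]


def serve(vulnerable: bool):
    """Start the stand-in service on a free local port; returns (server, base_url)."""
    FakeBookings.vulnerable = vulnerable
    srv = HTTPServer(("127.0.0.1", 0), FakeBookings)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo(vulnerable: bool) -> List[str]:
    """Run the bookings payload library against the stand-in in the given state."""
    srv, url = serve(vulnerable)
    try:
        return run_regression(url, PAYLOADS["bookings"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("before fix, still exploitable:", demo(True))
    print("after fix, still exploitable:", demo(False))
```

The oracle is the part that carries the pentester's knowledge: a scanner flags a 200 on an unexpected path, while the codified exploit asserts on the specific evidence (another user's record in the body) that proved the finding in the first place, which is what keeps the pipeline's signal-to-noise ratio up as the payload library grows.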