How We Improved Information Security at Grofers by Avinash Jain

We at Grofers always keep security first. We believe that information security is as important as any other part of an enterprise and should be treated as a top priority. To strengthen it, we began with a structured plan to make our infrastructure and applications more secure.

The challenge every startup, or even a scaled company, faces is cultivating an InfoSec culture. To facilitate this, we began with a Security Awareness Program. This was a great way to educate personnel and to keep the company’s IT security policy fresh in their minds. It also helps them understand the risks and threats of the ever-evolving cyber world, and thus helps them adequately protect the organization against security risks.

To drive the changes we wanted, we started the following initiatives:

Security Awareness Program

We conduct regular security workshops demonstrating recent hacks, their impact, mitigations and the best security practices that need to be followed. Live demos and fixes are shown to keep the team more engaged.

Feedback forms are sent to find out where to improve, what’s missing and steps that could be taken to improve engagement.

To keep the employees aware of what’s currently happening in the InfoSec world, weekly security awareness mailers, newsletters, security updates and infographic emails are sent.

Integration of Security Testing in SDLC

We needed a continuous application scanning tool, for which we evaluated several solutions such as OWASP ZAP, BurpSuite, Arachni and a few more. We settled on the BurpSuite Enterprise Tool. To integrate it with the SDLC, we set it up as a proxy server which developers and QA engineers have to use while doing their usual sanity or QA tests. They just need to plug in the proxy scanner IP on their local machines and that’s it! Mobile applications have the proxy integrated into the build itself.

In this way, the proxy scanner server performs automated security scanning and reports vulnerabilities in the testing phase. While this covers automated scanning, we give the same focus to manual security testing, which is carried out weekly when our releases are going through regression testing.

Having security testing during the QA phase not only reduces the vulnerable surface at the initial phase itself but also reduces the time and effort spent later. We are expecting to find 70% of vulnerabilities using this approach for any particular release.

Continuous Application Security

Application security testing should be a regular process instead of a one-time task. To make this a continuous process, we have scheduled regular application scanning of our domains and subdomains based on the nature of the application. For example, a B2C application is scanned monthly while an internal application goes through automated scanning quarterly.

Apart from the usual application vulnerabilities, we have in-house developed scripts which run weekly to check for common loopholes and mistakes (manual errors) such as an S3 bucket containing sensitive data made public, a Git repo left with public access, unused CNAME records (to prevent subdomain takeover) and sensitive ports left open on machines.
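One of the weekly checks listed above, the publicly readable S3 bucket, sketched as an added example (it is not Grofers' in-house script). It assumes the ACL and policy documents have already been fetched for each bucket; the bucket names and sample documents are constructed.

```python
import json

# Grantee URIs that AWS uses in bucket ACLs for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions that an ACL document grants to a public group."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy_json):
    """Sids of unconditioned Allow statements whose principal is a wildcard."""
    hits = []
    # A bucket without a policy is passed as None and yields no statements.
    statements = as_list(json.loads(policy_json or "{}").get("Statement", []))
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits

def audit(buckets):
    """Map bucket name -> findings, for buckets with any public exposure."""
    findings = {}
    for name, cfg in buckets.items():
        acl = public_acl_grants(cfg.get("acl", {}))
        policy = public_policy_statements(cfg.get("policy"))
        if acl or policy:
            findings[name] = {"acl": acl, "policy": policy}
    return findings

# Constructed sample input (hypothetical bucket names), not real account data.
SAMPLE = {
    "example-invoices": {"acl": {"Grants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}},
    "example-static": {"acl": {"Grants": []}, "policy": json.dumps({"Statement": [
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static/*"}]})},
    "example-internal": {"acl": {"Grants": []}, "policy": json.dumps({"Statement": {
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-internal/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}})},
}
```

Calling `audit(SAMPLE)` reports the first two buckets. Wildcard statements that carry a `Condition` are skipped here, so they still need a manual look.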

Automation in Web Application Firewall (WAF)

To protect our application from web application attacks, DDoS and bots, we brought a WAF into our environment. After testing it on our staging environment, monitoring it for anomalies and false positives, whitelisting, and setting up the required rules, we rolled it out to production. The important thing for us was to minimize false positives so that the firewall doesn’t block an actual user based on its blocking rules. We tried doing this with a manual review of each IP blocked by the WAF: the IPs were extracted from the HTTP logs and their reputation was checked.

This worked, but continuing to do it manually would be very time consuming. To address this, we developed scripts which check the following in an automated manner:

  1. IP reputation review (gathering data from DNSBL information)
  2. Whether any user account exists from the IP in the Grofers app

and some more factors.

IP Scoring Check 

Based on these, we generate a score which can be used to differentiate between an attacker and a normal user, and to decide whether or not we should block the IP/user. Implementing the WAF had a great impact for us, as we saw a significant decrease in web application attacks, scraping and bots.
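A sketch of how the two factors above can be combined into a score, as an added example rather than the scripts described in this article. The DNSBL zone names, weights, account credit and threshold are all assumptions, and DNS and the user database are replaced by constructed in-memory stand-ins so it runs offline (IPv4 only).

```python
import ipaddress

# Hypothetical DNSBL zones and weights; the article does not name its sources.
ZONE_WEIGHTS = {"dnsbl-a.example.org": 40, "dnsbl-b.example.org": 30}
ACCOUNT_CREDIT = 50    # assumed: a customer account seen from the IP lowers the score
BLOCK_THRESHOLD = 40   # assumed cut-off at which the WAF block is kept

def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on bad input
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] on NXDOMAIN."""
    # A DNSBL reports a listing as an answer inside 127.0.0.0/8.
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")
               for a in resolve(dnsbl_name(ip, zone)))

def score_ip(ip, resolve, has_account):
    """Combine DNSBL listings and account presence into a block decision."""
    listed = [z for z in ZONE_WEIGHTS if is_listed(ip, z, resolve)]
    score = sum(ZONE_WEIGHTS[z] for z in listed)
    if has_account(ip):
        score = max(score - ACCOUNT_CREDIT, 0)
    action = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"ip": ip, "listed": listed, "score": score, "action": action}

# Constructed stand-ins for DNS and the user database so the example runs offline.
FAKE_DNS = {
    "7.113.0.203.dnsbl-a.example.org": ["127.0.0.2"],
    "7.113.0.203.dnsbl-b.example.org": ["127.0.0.4"],
    "23.100.51.198.dnsbl-a.example.org": ["127.0.0.2"],
}
ACCOUNT_IPS = {"198.51.100.23"}

def review(blocked_ips):
    """Score every IP the WAF blocked (as extracted from the HTTP logs)."""
    return [score_ip(ip, lambda n: FAKE_DNS.get(n, []), ACCOUNT_IPS.__contains__)
            for ip in blocked_ips]

if __name__ == "__main__":
    for row in review(["203.0.113.7", "198.51.100.23", "192.0.2.10"]):
        print(row)
```

The second sample IP is listed on one DNSBL but has a customer account behind it, so its score drops below the threshold and the user is not blocked, which is the false-positive case the review is meant to catch.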

What next?

As we scale up our platform and bring more and more technologies into the system, the chances of having a security loophole become more real, and so do the challenges of keeping our infrastructure secure. Since security is a continuous process, we continue working towards strengthening the security of our infrastructure and apps through tools and processes. Keep following us at https://lambda.grofers.com to know more about them. Stay tuned!


About the Author:

I am working as an Information Security Engineer at an e-commerce company, with a total of 3 years of experience in the infosec field. I’m also a part-time bug bounty hunter – acknowledged by various MNCs and some top companies of India. I am also an active blogger on Medium, where I write about interesting vulnerabilities that I find on my bug bounty journeys. Some of the articles have been published in various security magazines and newsletters like HackerOne etc.
Managing application security, performing penetration testing, hardening network and infrastructure, and automating security tasks to reduce manual effort are some of the things I take care of on a daily basis.
Author Links:

https://medium.com/@logicbomb_1

https://twitter.com/@logicbomb_1

https://lambda.grofers.com


Grofers is an Indian online grocery delivery service. It was founded in December 2013 and is based out of Gurugram.

August 24, 2018

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013