How We Improved Information Security at Grofers by Avinash Jain

We, at Grofers always keep security first. We believe that information security is as important as any other part of an enterprise and should be considered the utmost priority. So to strengthen the same, we began by having a structured plan to make our infrastructure and applications more secure.

The challenge every startup or even a scaled company faces is to cultivate an InfoSec culture. To facilitate this, we began with a Security Awareness Program. This was a great way to educate personnel and to keep the company’s IT security policy fresh in their minds.It also makes them understand the risks and threats to the ever-evolving cyber world and thus help them to adequately protect the organization against security risks.

To drive the changes we wanted, we started the following initiatives:

Security Awareness Program

We conduct regular security workshops demonstrating the recent hacks, their impacts, mitigation ways and best security practices that need to be followed. Live demos and fixes are shown to keep the team more engaged.

Feedback forms are sent to find out where to improve, what’s missing and steps that could be taken to improve engagement.

To keep the employees aware of what’s currently happening in the InfoSec world, weekly security awareness mailers, newsletters, security updates and infographic emails are sent.

Integration of Security Testing in SDLC

We needed a continuous application scanning tool for which we evaluated several solutions like OWASP ZAP, BurpSuite, Arachni and a few more. We settled on BurpSuite Enterprise Tool for the same. In order to integrate it with SDLC, we set it up as a proxy server which Developers/QA engineers have to use while doing their usual sanity or QA tests. They need to just plug in the proxy scanner IP on their local machines and that’s it! Mobile applications have the proxy integrated into the build itself.

And in this way, the proxy scanner server will perform automated security scanning and report the vulnerabilities in the testing phase. While this goes for automated scanning, we give the same focus to manual security testing which is carried out weekly when our releases are going through regression testing.

Having a security testing during the QA phase will not only reduce the vulnerable sphere at the initial phase itself but also reduce the time/efforts spent later. We are expecting to find 70% vulnerabilities using this approach for any particular release.

Continuous Application Security

Application security testing should be a regular process instead of being a one time task. To make this a continuous process, we have scheduled regular application scanning of our domains and subdomains based on the application nature. For example, a B2C application is scanned monthly while an internal application goes through automated scanning quarterly.

Apart from the usual application vulnerabilities, we have in-house developed scripts which run weekly to check for common loopholes/mistakes (manual errors) like S3 bucket containing sensitive data made public, Git repo left with public access, unused CNAME to prevent subdomain takeover, sensitive ports left open on machines.

Automation in Web Application Firewall (WAF)

To protect our application from web application attacks, DDoS and bots, we brought in WAF in our environment. After some testing on our staging environment, monitoring it for anomalies and false positives, whitelisting, and setting up required rules etc, we rolled it out to production. The important thing for us to take care of was to minimize the false positives so that the firewall don’t block an actual user based on it’s blocking rules. We tried doing this by having a manual review for each IP blocked by WAF, which were extracted from the HTTP logs and checking the IP reputation.

This worked but to keep doing it manually would be very time consuming. To address this, we developed scripts which do the following in an automated manner:

IP reputation review (gathering data from DNSBL Information)
Whether any user account exist from the IP in grofers app

and some more factors.

Based on these, we generate a score which can be used for differentiating between an attacker incident and normal user and whether or not we should block the IP/user. Implementing WAF proved to be of great impact to us as we saw a significant decrease in web application attacks, scraping and bots.

What next?

As we scale up our platform, bringing more and more technologies into system, the chances of having a security loophole become more and more real and hence the challenges to keep our infrastructure secure. Since security is a continuous process, we continue working towards strengthening the security of our infrastructure and apps through tools and processes. Keep following us at https://lambda.grofers.com to know more about them. Stay tuned!

About the Author:

I am working as an Information Security Engineer in an e-commerce, having total of 3 years experience in the infosec field. I'm also a part time bugbounty hunter - acknowledged by various MNCs and some top companies of India. I am also an active blogger on Medium where I write about interesting vulnerabilities that I find on my bugbounty journeys. Some of the articles have been published in various Security magazines and newsletters like Hackerone etc.

Managing application security, performing penetration testing, hardening network and infrastructure, and automating security tasks to reduce manual effort are some of the things I take care of on a daily basis.

Author Links:

https://medium.com/@logicbomb_1

https://twitter.com/@logicbomb_1

https://lambda.grofers.com

Grofers is an Indian online grocery delivery service. It was founded in December 2013 and is based out of Gurugram

August 24, 2018

Author

Hakin9 TEAM: Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.

Latest Articles

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments

Inline Feedbacks

View all comments

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

How We Improved Information Security at Grofers by Avinash Jain

Security Awareness Program

Integration of Security Testing in SDLC

Continuous Application Security

Automation in Web Application Firewall (WAF)