Starting December 2020, all new products and new features (e.g. a new API) will be required to pass an initial security screening before deployment. This initiative is one of the efforts to make our products safer for customers and to avoid financial loss or reputational damage for the company. Vulnerability assessment during software testing will be integrated with the future Secure SDLC process in 2021, which will encompass security across the full cycle of software development.
So far, the security of our products relies on 5 things:
We want to make point 5 mandatory rather than optional. This will be part of the future Secure SDLC plan in Traveloka.
Why is this mandatory only now?
Our internal and external security researchers have identified many vulnerabilities in products or features that were deployed without a security review. Some of them were deployed in 2020 and are serious enough to have potentially serious impact (e.g. financial loss, data leak). We want to prevent the worst case by making the initial security screening mandatory as soon as possible. Previously, our plan was to make it mandatory once we had started the Secure SDLC process along with other initiatives such as secure coding guidelines, threat modelling, and automated security testing in CI/CD.
When do I need to request a vulnerability assessment?
Before you deploy a new product, new feature, new system, new API, or major change.
I need the assessment to be faster than 7 business days
Please mention it in the form and discuss with us during the follow-up.
What are the expected results of the assessment?
We will look for potential security vulnerabilities based on our Traveloka Software Vulnerability Classification and industry standards (e.g. OWASP Top 10, CWE). We will also try to identify security misconfigurations or missing best practices.
How do we decide that an asset passes a vulnerability assessment?
We use the Traveloka Vulnerability Risk Rating Calculator to calculate the severity of an issue. All S0 (Critical), S1 (High), and S2 (Medium) issues must be resolved to pass the assessment.
If an asset passes the vulnerability assessment, is it 100% secure?
There is no such thing as 100% secure. Many factors can cause security vulnerabilities to be missed during the assessment. To address this, we have multiple layers of effort to secure our products. For instance, after a new API is deployed to production, we can protect it with a WAF, and we will still try to hack it through continuous security research by internal and external security researchers.
What if I skip the vulnerability assessment?
All assets in the production environment are considered targets of real cyber criminals. Skipping the assessment makes your asset more likely to be exploitable. If your team skips a mandatory assessment, we will send you a reminder to request the assessment before deployment next time. If your team skips the assessment multiple times, the issue will be escalated to the senior leader of the BU.
What about previously deployed assets that have never been reviewed by the Product Security Team?
We have internal and external security researchers who will continuously hunt for security issues in the live/production environment. However, preventing security issues from the development phase onward is a better practice, since it avoids the chance of someone else exploiting the vulnerability when it's too late.
I need a report document to submit to the auditor/partner
By default we will not provide a report document, as we focus only on tracking the identified issues and helping with remediation. If you need one, please mention it in the request form or discuss it with us during the follow-up.
What about risk & compliance assessment?
Risk & compliance assessment (e.g. related to PDPA, GDPR, PCI-DSS, or ISO-27001) takes a different approach from vulnerability assessment. Depending on the nature of your engineering asset, you may need a risk & compliance assessment. Please contact @Johaness (GRC) for consultation.
What about vendor security assessment?
In normal situations, we can't test our vendors' security because of ethics and regulation, except if their product is open source. We can verify them by sending questionnaires and reviewing their security-related claims. Please use the Security Assessment - Vendor Security Verification form for this.
I want a security review not only during testing but also during planning and design, and integrated with CI/CD.
This is the future plan for the Traveloka Secure SDLC. A Secure SDLC requires careful planning and an effective strategy to avoid problems such as wasting time and money on irrelevant approaches or ineffective third-party automated security testing tools.