Application Security Controls to Secure 90+ Million Active Users' Data
As an Indonesian technology company serving more than 90 million monthly active users across over 97% of districts in Indonesia, with more than 8.1 million merchants on the platform, security is a no-brainer for Tokopedia. For us, application security is paramount: it is one of the mandatory requirements that relevant team members must follow from the design phase through release. We believe that being proactive in devising application security controls is imperative in every phase of application development.
Several application security controls can be implemented in the application itself and in its third-party libraries. Most of these controls are validated through automated or manual testing. At Tokopedia, we build the application in-house, so our application security testing can reach down to the source code level. Our Continuous Integration and Continuous Delivery (CI/CD) platform includes Static Application Security Testing (SAST), which lets us automatically identify potential vulnerabilities in the application before its release. Dynamic Application Security Testing (DAST) also plays a role, identifying vulnerabilities in the built application.
Before testing begins, preventive application security controls should already exist in the design phase. We simplify the standard Threat Modelling methodology to align with the company's existing practices and to make the security culture easier to adopt. The objective of our Threat Modelling is to produce a list of security standards that the architecture or engineering teams can apply. The model uses the S.T.R.I.D.E approach to identify possible risks for each application feature. S.T.R.I.D.E stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
After the application has been developed and automated testing has been done, there is still no assurance that the application is free of vulnerabilities. Manual testing is necessary to complement the vulnerability identification process. This testing is known as penetration testing, and it can be performed by an internal or an external team. We advise obtaining penetration testing from an external party, even though it may be performed less frequently than testing by the internal team. The main reason an external penetration testing service should be available is that an independent party is likely to be less biased in identifying vulnerabilities than an internal team that has already performed many similar tests. External parties can also be involved in vulnerability identification through a bug bounty program. Our program has helped us remediate unique and complex vulnerabilities.
Prioritization in application security takes on greater importance for an organization with fewer resources. High priority could be given to processes related to transactions and personally identifiable information (PII). Without proper prioritization, application security work may not be done effectively and tends to overwhelm the people involved in improving the application's security level.
In summary, we apply application security controls in every phase of application development, from the design phase through the development and testing phases. Even after the application has been released, controls should remain in place to ensure we can respond to any threats effectively.