Zoopla Turns to Rapid7 InsightAppSec to Help Hundreds of Developers Secure Their Applications
关于Zoopla
Zoopla is a real estate portal for property buyers, sellers 和 租房者 based in London, Engl和. The company has about 750 employees 和 lists over a million properties in the United Kingdom 和 the Netherl和s. It offers property research 和 sales 和 rental listings to help buyers, 租房者, l和lords 和 real estate professionals make informed decisions.
Zoolpa’s flagship property website 和 application register more than 60 million visits a month. The company works with several hundred application developers, helping real estate agents to kick start a business. “We help them create their own website 和 offer them training,Alikhan Uzakov解释道, 应用安全工程师. “Zoopla is a much wider business than just one website.”
挑战
The most critical challenge Uzakov 和 his security team faces day-to-day is trying to serve the developers. “We’re a staff of three; there are just not enough of us to support hundreds of developers.”
Uzakov is responsible for guiding Zoopla developers through the application security testing process. As part of the Product 和 Technology team he focuses on application 和 infrastructure security. 他和开发人员一起工作, 进行培训, 和 helping them to embed security tooling into their processes to ensure security testing of the new features 和 products before they are released to the public.
解决方案
Given the sheer number of developers, only a highly scaled 和 automated approach will work. Uzakov had previous experience with Rapid7 InsightAppSec, Rapid7安全套件的一部分, providing 动态应用程序安全测试 (DAST). Even so, he put the tool through a trial to ensure it met Zoopla’s specific requirements. 他的团队进行了测试, evaluated 和 compared several appsec tools based on Zoopla’s criteria of price, functionality 和 the level of support vendors provided. They chose InsightAppSec because it met all their requirements.
授权开发人员,简化补救
The Zoopla team uses InsightAppSec to automate security testing as part of the development process. It enables his team to automatically assess modern web apps 和 APIs with fewer false positives 和 missed vulnerabilities. They can fast-track fixes with rich reporting 和 integrations 和 inform compliance 和 development stakeholders. And they can scale easily by assessing the security of an application portfolio, 不管它的大小. InsightAppSec also enables them to scan web applications to identify vulnerabilities like SQL Injection, XSS, 和CSRF.
“We try to help everyone, but we cannot be everywhere,” Uzakov says. “We started using Rapid7 InsightAppSec so we could impact our organization on a larger scale. "It's interface is intuitive 和 doesn't require much training, so I can give the developers the access they need to InsightAppSec to do security testing themselves.”
加强与所有利益攸关方的协调
"Our work is heavily influenced by other departments, 无论是法律还是IT, 以及我们的外部客户, 所以我们尽量避免在竖井里工作,乌扎科夫解释道. “One thing that helped quite a lot is general awareness. We are demonstrating InsightAppSec to developers in engineering meetups. I explain what it can help with; what it can do, 和 what it cannot do.” The response from developers has been very positive. In fact, several teams have asked to embed InsightAppSec in their project.
节省时间和金钱
InsightAppSec also provides Uzakov 和 his team with a more efficient way to do penetration testing, 节省时间和金钱. "One of our approaches to AppSec is to invest in areas that pay a high return on investment. By simulating an attack on our applications with InsightAppSec we are able to identify vulnerabilities before a penetration test. This allows us to reduce the scope of the penetration test by remediating issues before 和 having more focus."
可操作的 & 准确的见解, 集成的工作流, 和 fast remediation for all modern web applications 和 apis
