How Trendyol, a decacorn e-commerce company, uses Kondukto for security automation

A customer story about security automation and AppSec effectiveness with Trendyol.

How to Scale A Security Program?

The Challenges

  • There was not enough security automation to catch up with the speed of software development.
  • Lack of visibility made it difficult to assess the effectiveness of the AppSec program.
  • Lack of orchestration made it difficult to put the pieces together.

About Trendyol

Founded in 2010, Trendyol has grown to be the largest e-commerce company in Turkey, reaching decacorn status in 2021. After the investment of Alibaba in 2018, the company also started to serve many European countries and expanded into new lines of business such as second-hand clothing and on-demand delivery. Massive operations and the rapid growth of the tech team required an efficient and scalable AppSec program to keep up with the speed of company growth and the accompanying proliferation of applications.

The Situation

With development teams growing each day, it was frustrating for security teams to make sure applications were shipped to production without exploitable vulnerabilities. Manual processes were time-consuming, and with security and development teams working in silos, the lack of collaboration hindered security from being an integral part of the software development process.

A plethora of findings discovered by various automated tools and manual activities were scattered across different interfaces, which made it challenging for the security team to keep up.

That is when our paths crossed with the Trendyol security team, and with their vision to support promising start-ups in the security space, we started working together to find creative solutions to their problems.

Our Approach

  1. In the beginning, to prevent losing time with manual scans, all scanners of Trendyol were connected to the Kondukto platform to trigger scans in an automated fashion, using the scheduler of Kondukto and the CLI to trigger scans within pipelines.
  2. To enable a self-service security approach, new applications created by development teams were automatically pushed from the source code management tool to Kondukto through the CLI. This way security teams did not have to create new applications on security tools each time a new application was created on the source code management tool.
  3. Various open source security tools that come out of the box with Kondukto were also used in the process before Trendyol made an investment in commercial alternatives. These open source tools were also customized based on Trendyol’s needs to keep the spotlight on the prioritized vulnerability types.
  4. For grouping applications based on their risk profile, applications were labeled on Kondukto based on the threat modeling questionnaire filled out by development teams. Different automation rules were created for different labels, as applications with high-risk profiles required more immediate attention than others.

Results

  • Creating a CI/CD pipeline where each security test is run through the Kondukto CLI has quickly made manual scans redundant, and security has become an integral part of pipelines for more than 3,000 applications.
  • Security and development teams are instantly notified about scan results on their Slack channels to make sure no critical vulnerability goes unnoticed.
  • By combining the results of automated tools with vulnerabilities discovered in manual activities such as penetration tests, manual reviews and bug bounty programs, the overall security posture can easily be tracked on a single platform where development and security teams speak the same language.
  • Tickets are created on the Jira boards of developers by security teams through the Kondukto UI, and remediation metrics can also be measured to decide if everything is on the right track. When a developer closes an issue, Kondukto automatically runs a validation scan and reopens the issue if the vulnerability is rediscovered by the scanner.
  • To prevent recurring vulnerabilities in the future, developers are assigned personalized secure coding courses on Codebashing through the Kondukto UI after analyzing the types of vulnerabilities each developer introduced into the source code.
  • Using this risk-based approach of creating separate automation rules for different applications in Kondukto, security teams made sure they quickly raised the flag for vulnerabilities that posed a real threat, with minimum human effort.
  • Using all the orchestration and automation capabilities of Kondukto, Trendyol made strides in creating a scalable and automated AppSec program that is developer-friendly at the same time.
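The workflow described in the approach and results above (risk labels derived from a threat modeling questionnaire, automation rules keyed on those labels, findings from several tools and manual activities merged into one issue, and a validation scan that reopens a closed issue when the scanner rediscovers it) can be sketched as a small model. The following is an added illustration, not Kondukto's API, Trendyol's configuration or any code from this page: the questionnaire scoring, the rule thresholds, the Finding/Issue structures and the sample findings are all constructed assumptions.

```python
"""Risk-based AppSec orchestration, modelled on the workflow described on this page.

Everything here is constructed for illustration: the scoring of the threat-modelling
questionnaire, the automation rules, the Finding/Issue structures and the sample
findings are assumptions, not Kondukto's API or Trendyol's configuration.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Automation rules per risk label: the minimum severity that triggers a chat
# notification and a ticket. Higher-risk applications get a lower threshold.
AUTOMATION_RULES = {
    "high-risk": {"notify": "medium", "ticket": "medium"},
    "medium-risk": {"notify": "high", "ticket": "high"},
    "low-risk": {"notify": "critical", "ticket": "critical"},
}


def risk_label(answers: dict) -> str:
    """Map threat-modelling questionnaire answers to a risk label (constructed scoring)."""
    score = 0
    score += 2 if answers.get("internet_facing") else 0
    score += 2 if answers.get("handles_pii") else 0
    score += 3 if answers.get("handles_payments") else 0
    if score >= 4:
        return "high-risk"
    if score >= 2:
        return "medium-risk"
    return "low-risk"


def actions_for(label: str, severity: str) -> set:
    """Return which automation actions a finding of this severity triggers for this label."""
    rules = AUTOMATION_RULES[label]
    rank = SEVERITY_RANK[severity]
    return {action for action, threshold in rules.items() if rank >= SEVERITY_RANK[threshold]}


@dataclass(frozen=True)
class Finding:
    app: str
    tool: str        # scanner name, or "pentest" / "bug-bounty" for manual sources
    rule_id: str     # weakness identifier as reported by the tool
    location: str    # file:line or URL
    severity: str

    def key(self):
        # The same weakness at the same location is one issue, whoever found it.
        return (self.app, self.rule_id, self.location)


@dataclass
class Issue:
    key: tuple
    severity: str
    status: str = "open"
    sources: set = field(default_factory=set)


class Tracker:
    """Single view over findings from many tools, with rule-driven actions and revalidation."""

    def __init__(self):
        self.issues = {}
        self.notifications = []   # stand-in for Slack messages
        self.tickets = []         # stand-in for Jira tickets

    def ingest(self, label: str, findings) -> int:
        """Merge findings into issues; fire the label's actions once per new issue."""
        for f in findings:
            issue = self.issues.get(f.key())
            if issue is None:
                issue = Issue(f.key(), f.severity)
                self.issues[f.key()] = issue
                for action in actions_for(label, f.severity):
                    target = self.notifications if action == "notify" else self.tickets
                    target.append(f.key())
            issue.sources.add(f.tool)
        return len(self.issues)

    def close(self, key: tuple):
        self.issues[key].status = "closed"

    def validate(self, key: tuple, rescan_findings) -> str:
        """After a developer closes an issue, a validation scan decides whether it stays closed."""
        issue = self.issues[key]
        issue.status = "reopened" if any(f.key() == key for f in rescan_findings) else "verified"
        return issue.status


# Constructed sample: a SAST tool and a pentest report the same SQL injection,
# and a dependency scanner reports a low-severity finding.
SAMPLE_FINDINGS = [
    Finding("checkout", "sast", "CWE-89", "src/orders.py:42", "high"),
    Finding("checkout", "pentest", "CWE-89", "src/orders.py:42", "high"),
    Finding("checkout", "sca", "CWE-1104", "requirements.txt", "low"),
]

if __name__ == "__main__":
    label = risk_label({"internet_facing": True, "handles_payments": True})
    tracker = Tracker()
    tracker.ingest(label, SAMPLE_FINDINGS)
    sqli = SAMPLE_FINDINGS[0].key()
    tracker.close(sqli)
    print(label, tracker.validate(sqli, SAMPLE_FINDINGS[:1]))
```

The point of keying issues on (application, weakness, location) rather than on the reporting tool is that a pentest and a scanner hitting the same bug produce one ticket with two sources, and the revalidation step closes the loop without a human re-checking each fix.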