Case study: Photobox
How Photobox transformed security into an enabler for faster product development
Photobox selected Application Scanning for dynamic scanning and Surface Monitoring to track internet-facing assets and improve visibility.
Photobox helps turn photos – from the everyday quick snap to the most precious, once-in-a-lifetime event – into the most thoughtful of gifts.
London, United Kingdom
501 - 1000 employees
Photobox’s security challenges
Product security and security trends
Photobox is based within the e-commerce space of gift-giving. As a result, their websites and applications constantly go through seasonal changes, and their brand portfolio and application scopes are continually expanding. Michelle Tolmey, Director of Information Security at Photobox, leads a small but effective security engineering team responsible for keeping up with ever-changing security trends and ensuring their products are constantly secure.
Balancing fast product development and security
Because products are delivered rapidly, Photobox needed a product security function that acts as an enabler instead of a blocker. The security team works with multiple teams at once and directly with the technical operations and site reliability teams, who are the most significant users of Detectify.
A continuously changing environment
Michelle joined Photobox in March 2020 and has focused on ensuring the security team delivers projects that improve not only the security of the business but also the visibility and trust of the security team. The key to her success was streamlining secure delivery methods and implementing tools such as Detectify to support the rapid deployment of security tools and solutions.
During 2020, most companies underwent budget freezes due to the emerging COVID-19 pandemic, and Photobox was no exception. As a result, the organization relied heavily on finding valuable open-source software to solve visibility problems and to be able to scan for the latest security vulnerabilities.
Five ways Photobox uses Detectify
1. Coverage and automation of newest security vulnerabilities
When Photobox was looking at gaps in their solutions, what stood out most was that Detectify products benefit from the power of crowdsourced security research to help find the newest security vulnerabilities. “We wanted something not only automated but had people behind it to continually add the latest vulnerabilities. That’s where the true value lies,” says Sonya Moisset, Senior Security Engineer at Photobox.
Sonya understood that crowdsourced ethical hacking research could far outpace open source tools, and having the combination of new research and automation from Detectify was vital.
2. Easy implementation and comprehensive information
Photobox uses a combination of Application Scanning and Surface Monitoring for their public-facing applications. They were impressed by how simple the implementation was and how digestible the information is for their teams. “Implementation was practically seamless. Turn it on and let it go,” says Michelle.
3. Smooth vulnerability escalation and prioritization
When Photobox is alerted to new critical vulnerabilities, they treat them as a top priority. Due to specific peak periods and change freezes, security must take a pragmatic approach to what vulnerabilities need to be prioritized to avoid slowing down product development.
Using Detectify’s integrations with Jira, Slack, and email enables Photobox to prioritize faster and fix the bugs with the most critical impact first. Using these tools along with the built-in alerts and collaborative approaches such as open forum discussions allows the security team to keep security improvements at the forefront.
4. Continuous feedback loop
Photobox takes vulnerability insights directly from Detectify and shares them with their Site Reliability Engineering (SRE) team. The vulnerabilities view gave immediate oversight of the status of their applications, and the team was able to provide valuable feedback on filtering, which Detectify quickly implemented in the UI.
5. Improved visibility
Having security vulnerabilities visible and updated in the Detectify tool means that Photobox teams can take ownership and quickly remediate them. Detectify has helped the SRE team identify vulnerabilities quickly, fix things faster, and spend more time delivering products.
Michelle can also report vulnerabilities and their fixes to senior stakeholders. “Granting access to the platform for the SRE team allowed them to take control of their own workload, without security becoming a bottleneck. We plan to take the same approach with our engineering teams,” says Michelle.
How Photobox chooses security products
Photobox introduces new tools to solve existing problems and regularly meets at their Weekly Technology Forum. They trial new products, get demos and then present them to the teams.
From there, they can ask questions and get buy-in from the organization and openly discuss how it would change or impact other teams. Once the forum agrees on the buy-in, it is put forward to budgeting and subsequently approved.
Sonya presents all the details of any new security products. Depending on the project, she collaborates with Photobox engineers and TechOps teams to implement new tools within their CI/CD pipelines to avoid silos. This collaborative approach helps both the engineering and security teams understand the mutual benefits of security.
“We are fortunate that the engineering managers get security, as they see a mutual benefit in having these tools in place,” says Michelle.
Results: Main benefits that Detectify brings
Discovering hidden subdomain vulnerabilities
For Photobox, discovering the number of subdomains that existed was an eye-opener. Using Surface Monitoring allowed them to identify and remediate abandonware that was never being audited, checked, or shut down. “With Surface Monitoring, we found subdomains we didn’t know we had. Not only would we likely not have found these subdomains, but we also wouldn’t have known about them until someone did something really nasty on one of them and held us to ransom over it. The money we spent on Detectify for that alone is value for money,” says Michelle.
A constant stream of new vulnerabilities from Crowdsource
Sonya finds it valuable that Detectify’s tools are constantly updated by Crowdsource and have fast turnaround times when new critical vulnerabilities are discovered. Surface Monitoring continually checks Photobox’s exposed assets for new weaknesses, and Application Scanning automates the dynamic scanning of their applications.
Accurate and transparent reporting
With reporting being central to Michelle’s communications to the engineering and upper management teams, she has peace of mind knowing that the information from Detectify is accurate and constantly up to date. She can share access to Detectify with teams who are granted autonomy to solve issues when they occur.
Best security practices
Michelle’s security tip
Security needs to be pragmatic; it needs to be seen as a business enabler, not as a blocker, to be taken seriously. However, pragmatism does not mean undermining the importance of security.
Sonya’s security tip
Open-source tools can solve most of your problems, but it’s not always easy to find the right one. It’s essential to understand how the tools are maintained and who is knowledgeable enough to keep using them, making sure the tools are constantly updated. Having a mixture of tools (open-source, in-house, and third-party) for your unique uses strikes an optimal balance.
Thanks to Photobox: Michelle Tolmey, Director of Information Security, and Sonya Moisset, Senior Security Engineer.