Security Tech Blog Series: Spring Cleaning for Security

Hi everyone, this is Jason from the Security Strategy team at Mercari.
In this quick article, I’ll be introducing our upcoming springtime blog series on technical security initiatives at Mercari.

Over the last year, the security team at Mercari has been involved in a wide range of initiatives as the company has continued to evolve and grow.
The number of businesses and technical areas we are covering has increased vastly over the last few years, and our team has continued to adapt and change to cover these demands.

Expanding the functionality of our internal SOAR (security orchestration, automation, and response) system, rolling out new controls for a more secure remote work environment, weaving SAST (static application security testing), DAST (dynamic application security testing) and SCA (software composition analysis) tools into our CI pipelines, updating and revamping our vulnerability disclosure programme, running a group-wide security champion programme, delving into chaos security, improving our overall supply chain security in response to a compromise of our codebase via a third-party tool last year; indeed, there is no shortage of topics for the security team to put pen to paper!

While it’s impossible for us to cover everything, in this short series of blog posts we would like to share with you a few of the key initiatives that the Security Engineering and Product Security teams have been working on in the last year.
We hope you find them interesting and that they can help provide a reference for technical security initiatives you can work on yourself.

It’s been a while since we posted a blog, and with so many things to post, it’s time for a little spring cleaning.

Introducing the Teams

First, before introducing the blog topics, let’s introduce the teams!

Security Engineering Team:

The Security Engineering Team at Mercari has a wide range of responsibilities.
These responsibilities can be split into roughly three categories: production & infrastructure security, corporate IT security, and detection & monitoring.

On the production & infrastructure security side, the team works closely with the Microservice Platform Team, SRE, and other engineering teams, helping to define the necessary security requirements for the services we are building.
The team reviews architecture proposals, such as infrastructure and information flows, and proposes security controls to help minimize risks in these systems.
The team also conducts vulnerability assessments and penetration testing on Mercari’s production and corporate infrastructure, as well as developing technical solutions and automation for security controls.

On the corporate IT security side, the team works to assess risks related to the security of the corporate IT environment. This includes defining the requirements for security measures, ensuring consistency with security policies, and designing and implementing security controls for Mercari’s corporate environment.

Last but not least, the detection & monitoring side is responsible for developing Mercari’s in-house SOAR system and for monitoring, investigating, and analyzing security event logs to protect Mercari’s production and corporate infrastructure. The team writes workflows as code to automate remediation and incident response, conducts forensics as part of Mercari’s incident response team, and takes on other initiatives to improve Mercari’s overall security posture.

Product Security Team:

The Product Security Team ensures that Mercari products meet security requirements and investigates, tracks, and assists in fixing security issues.
The team strives to be a business enabler working on a variety of tasks and applying a risk-based approach to security-related decision making.
Team members are responsible for eliciting and communicating security requirements to product teams, performing threat modeling, design reviews, and security testing.
As part of this they evaluate, design, develop, and deploy automated security assessment solutions (SAST, DAST, SCA, etc.) to further assure the security of Mercari’s development lifecycle.

The Product Security Team also works together with the Security Strategy Team to drive Mercari’s Security Champion Program and other engineer-oriented security education initiatives. This ensures a shift-left approach in which security is addressed early and often in the SDLC: built in from the requirements and design phases and reviewed all the way up to release, which is far more cost-effective than fixing issues after the fact. Perhaps most importantly, it fosters a workplace where security is part of the culture and everyone is keen to keep the security of their products up to scratch!

Security Strategy Team:

Finally, the Security Strategy Team acts as a technical program management organization and driver for security initiatives across the Mercari Group. We work closely with both the Security Engineering and Product Security teams to define and communicate security requirements clearly to stakeholders, ensure that key security projects remain on track and produce meaningful outcomes, and collaborate with other teams group-wide to build the Mercari Group’s overarching security strategy and culture.
Basically we’re the closest thing to extroverts in the team – and the ones behind the idea for this tech blog series too!
We’re also building a budding security metrics programme that we hope to share when it’s a bit more mature in a future blog article!

Introducing the Blogs

Now you know a bit more about the teams, here’s a cheeky peek of the topics the Security Engineering and Product Security teams will be writing about over the next few months:

Topic | Author(s)
Threat modeling at Mercari (日本語/Japanese) | Gloria Chow (Product Security)
Detection engineering and SOAR (security orchestration, automation, and response) at Mercari (日本語/Japanese) | David Chapdelaine (Security Engineering)
Terraform CI code execution restrictions (日本語/Japanese) | Maximilian Frank (Security Engineering)
Suspecting the Unsuspected: Extracting and Analyzing Log Anomalies | Simon Giroux (Security Engineering)
Securing the SDLC at Mercari: Solutions for Automated Code Scanning | Shaokang Sun (Product Security / Security Engineering)
The Mobile Attack Surface at Mercari | Azeem Ilyas (Product Security)
Who Watches the Watchmen? Keeping an Eye on Our Monitoring Systems | Anna Simon (Security Engineering)
Decrypting Cryptography Basics: Practical Exercises to Fathom Theory (Part 1) | Josh Wiliams (Product Security)
Decrypting Cryptography Basics: Practical Exercises to Fathom Theory (Part 2) | Josh Wiliams (Product Security)

We hope you’ll enjoy our blog series and that it provides some insight into what the Product Security and Security Engineering teams are up to at Mercari!

If we see a lot of interest in these articles, we will continue to put out more periodic content about the engineering side of security at Mercari.

If our blog post piqued your interest, why not apply for a job on the Security team?
Check out the positions we have open below!
https://careers.mercari.com/job-categories/security-privacy/