by Mansi Joshi

How Ola boosts security with vulnerability management tool

How-To
Nov 16, 2017
Application Security, Cloud Security, Cybercrime

One of India’s largest ridesharing platforms built a collaboration tool, Jackhammer, to enhance security within the organization.  

Today’s threat landscape is advanced enough that cybersecurity is no longer an afterthought for companies of any size.

Research firm Gartner predicts that global cybersecurity spending will reach USD 86.4 billion in 2017, and is expected to grow to USD 93 billion in 2018.

Ola is one of India’s largest and most popular ridesharing platforms; customers book cabs, bikes, shuttles, and autos through its mobile application. The Bangalore-based company wanted a robust security tool that would bridge the gap between the security team, developers, QA, TPMs (technical program managers) and senior management, give clearer insight and visibility into the security hygiene of the company, and still allow continuous integration and fast-paced deployments throughout the day.

Integration made easy

The organization developed Jackhammer, a collaboration tool with built-in vulnerability management that can also run static and dynamic analysis. Ola’s security engineering team built the whole project from scratch.

Mohd. Shadab Siddiqui, head of security at Ola, is confident that the suite can analyze code, web apps, mobile apps, networks, and content management systems by combining various proven tools. “It also uses machine learning, and the reports generated are available to developers or security teams so that users get a comprehensive view of what their business unit looks like in terms of security,” he says.

Highlighting one of the best features of the suite, he points out, “The tool is easy to understand regardless of who you are: Developers, QA, senior leadership or security team.”

It also scales, and it can integrate new tools. “We have a dockerized orchestrator model where a user can individually scale the tools plugged into the suite, and the orchestrator automatically load-balances the tools by maintaining a whole registry, and therefore the scans are all running in concurrent mode. Moreover, every tool runs in its own sandboxed environment so that the user need not worry about any conflicts of tools and environments,” Siddiqui explains.

Standardized security

“The suite plugs into the CI systems and Git via hooks, so that the user has complete control over changes taking place in the repository. The entire suite is designed to make security a standard,” he points out.
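The two mechanisms described above, a registry-driven orchestrator that load-balances sandboxed scanner containers and a Git hook that turns pushes into scan jobs, fit together in a small amount of code. The following is an added example written for this page, not Jackhammer’s own code: the tool names (`brakeman`, `zap`), the image names and the capacity model are assumptions, while the `oldrev newrev refname` lines on stdin are the real format a Git `post-receive` hook receives. The example stops short of executing `docker`; `run_plan` returns the command lines it would run so it works offline, and a caller can pass a real runner (for example one that calls `subprocess.run`) in its place.

```python
"""Added example (not Jackhammer's code): Git post-receive input -> scan jobs ->
least-loaded placement over a tool registry -> concurrent sandboxed runs."""
import shlex
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

ZERO_SHA = "0" * 40  # Git reports a deleted ref with an all-zero new object id


@dataclass(frozen=True)
class ToolInstance:
    name: str              # e.g. "brakeman-1" (assumed name)
    tool: str              # which plugged-in tool this instance runs
    image: str             # container image for the tool (assumed name)
    capacity: int          # scans this instance may run at the same time
    network: str = "none"  # SAST needs no network; a DAST instance sets "bridge"


class Registry:
    """The registry the orchestrator balances over: every instance of every tool."""

    def __init__(self):
        self.instances = []

    def register(self, inst):
        self.instances.append(inst)

    def least_loaded(self, tool, loads):
        """Instance of `tool` with the lowest load ratio and spare capacity, else None."""
        free = [i for i in self.instances
                if i.tool == tool and loads.get(i.name, 0) < i.capacity]
        if not free:
            return None
        return min(free, key=lambda i: loads.get(i.name, 0) / i.capacity)


def jobs_from_post_receive(hook_stdin, tools):
    """Turn the hook's 'oldrev newrev refname' lines into one job per (ref, tool).
    Deleted refs are skipped: there is no commit to check out and scan."""
    jobs = []
    for line in hook_stdin.splitlines():
        if not line.strip():
            continue
        _old, new, ref = line.split()
        if new == ZERO_SHA:
            continue
        for tool in tools:
            jobs.append({"ref": ref, "commit": new, "tool": tool})
    return jobs


def plan(registry, jobs):
    """Assign each job to the least-loaded instance with spare capacity.
    Jobs that cannot be placed now are returned separately for queuing."""
    loads, placed, deferred = {}, [], []
    for job in jobs:
        inst = registry.least_loaded(job["tool"], loads)
        if inst is None:
            deferred.append(job)
            continue
        loads[inst.name] = loads.get(inst.name, 0) + 1
        placed.append((job, inst))
    return placed, deferred


def sandbox_cmd(inst, checkout_dir):
    """docker run argv with the isolation a scanner of untrusted code should get:
    read-only root, no capabilities, no privilege escalation, pid/memory caps,
    and the checkout mounted read-only. Flags are standard docker options."""
    return ["docker", "run", "--rm",
            f"--network={inst.network}",
            "--read-only", "--tmpfs", "/tmp",
            "--cap-drop=ALL", "--security-opt=no-new-privileges",
            "--pids-limit=256", "--memory=1g",
            "-v", f"{checkout_dir}:/src:ro",
            inst.image, "/src"]


def run_plan(placed, checkout_dir, runner=None):
    """Run the placed scans concurrently, one sandbox each. The default runner
    only returns the command line, so the example executes offline."""
    runner = runner or (lambda cmd, job: shlex.join(cmd))
    with ThreadPoolExecutor(max_workers=len(placed) or 1) as pool:
        futures = [pool.submit(runner, sandbox_cmd(inst, checkout_dir), job)
                   for job, inst in placed]
        return [f.result() for f in futures]


# Constructed hook input: two updated branches and one deleted branch.
HOOK_INPUT = (f"{'a' * 40} {'b' * 40} refs/heads/main\n"
              f"{'c' * 40} {'d' * 40} refs/heads/feature\n"
              f"{'e' * 40} {ZERO_SHA} refs/heads/old-feature\n")


def demo_registry():
    reg = Registry()
    reg.register(ToolInstance("brakeman-1", "brakeman", "scanners/brakeman:latest", 2))
    reg.register(ToolInstance("brakeman-2", "brakeman", "scanners/brakeman:latest", 2))
    reg.register(ToolInstance("zap-1", "zap", "scanners/zap:latest", 1, network="bridge"))
    return reg


if __name__ == "__main__":
    jobs = jobs_from_post_receive(HOOK_INPUT, ["brakeman", "zap"])
    placed, deferred = plan(demo_registry(), jobs)
    for line in run_plan(placed, "/srv/checkouts/app"):
        print(line)
    print("deferred:", deferred)
```

The load ratio rather than the raw count is what makes per-tool scaling meaningful: an operator who doubles the capacity of one instance gets twice the scans routed to it without touching the placement code. Deferred jobs, not failures, are what a full registry produces, so a queue in front of `plan` is the natural next step.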

The platform is open source, and it gives security engineers as well as senior leadership a view of everything going on within the organization.

It also integrates with alerting systems and can send alerts via SMS, email, Slack, PagerDuty and similar channels.

“It has an integrated vulnerability manager, which can be plugged into ticketing systems like Jira so that nothing slips through the cracks,” adds Siddiqui.
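What keeps findings from slipping through the cracks is not the ticket call itself but deduplication and lifecycle tracking around it: the same vulnerability reported by every nightly scan must map to one ticket, and a finding that disappears should close its ticket. The following added example, written for this page and not taken from Jackhammer, shows that logic together with the severity-based alert routing described above. The alert channels per severity, the `SEC` project key, the `Bug` issue type and the scanner findings are constructed assumptions; the payload shape matches what Jira’s `POST /rest/api/2/issue` endpoint accepts, but the example records payloads in memory instead of calling Jira or a pager.

```python
"""Added example (not Jackhammer's code): fingerprint-based deduplication,
ticket lifecycle and severity-routed alerting for scanner findings."""
import hashlib

# Alert channels per severity. Assumed routing policy for the example.
ROUTES = {
    "critical": ("pagerduty", "slack", "email"),
    "high": ("slack", "email"),
    "medium": ("email",),
    "low": (),
}
JIRA_PRIORITY = {"critical": "Highest", "high": "High", "medium": "Medium", "low": "Low"}


def fingerprint(f):
    """Stable identity for a finding: repo, tool, rule and file. Line numbers
    and message text are left out so a refactor or a tool upgrade does not
    turn one known issue into a new ticket."""
    key = "|".join((f["repo"], f["tool"], f["rule"], f["file"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def jira_issue_payload(f, fp, project_key="SEC"):
    """Body for Jira's POST /rest/api/2/issue (project and issue type assumed)."""
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "priority": {"name": JIRA_PRIORITY[f["severity"]]},
        "summary": f"[{f['severity'].upper()}] {f['rule']} in {f['repo']}/{f['file']}",
        "description": (f"Tool: {f['tool']}\nFingerprint: {fp}\n"
                        f"Location: {f['file']}:{f['line']}\n\n{f['message']}"),
        "labels": ["security-scan", f["tool"]],
    }}


class VulnManager:
    """Opens one ticket and alerts once per fingerprint; closes tickets whose
    finding no longer appears in a scan by a tool that actually ran."""

    def __init__(self, ticket_sink, alert_sink):
        self.open = {}                  # fingerprint -> {"finding": ..., "ticket": ...}
        self.ticket_sink = ticket_sink  # callable(payload) -> ticket key
        self.alert_sink = alert_sink    # callable(channel, text)

    def ingest(self, repo, tools_run, findings):
        report = {"new": [], "existing": [], "resolved": []}
        seen = set()
        for f in findings:
            fp = fingerprint(f)
            seen.add(fp)
            if fp in self.open:
                self.open[fp]["finding"] = f   # refresh line/message, keep the ticket
                report["existing"].append(fp)
                continue
            ticket = self.ticket_sink(jira_issue_payload(f, fp))
            self.open[fp] = {"finding": f, "ticket": ticket}
            for channel in ROUTES.get(f["severity"], ()):
                self.alert_sink(channel, f"{ticket}: {f['severity']} {f['rule']} "
                                         f"in {repo}/{f['file']}")
            report["new"].append(fp)
        # Only findings from tools that ran this time may be declared resolved;
        # a scan that skipped a tool says nothing about that tool's findings.
        stale = [fp for fp, rec in self.open.items()
                 if rec["finding"]["repo"] == repo
                 and rec["finding"]["tool"] in tools_run and fp not in seen]
        for fp in stale:
            report["resolved"].append(self.open.pop(fp)["ticket"])
        return report


def memory_sinks():
    """In-memory stand-ins for the Jira and alert integrations."""
    tickets, alerts = [], []

    def ticket_sink(payload):
        tickets.append(payload)
        return f"SEC-{len(tickets)}"

    def alert_sink(channel, text):
        alerts.append((channel, text))
    return ticket_sink, alert_sink, tickets, alerts


# Constructed findings: scan 1, then scan 2 after a fix shifted lines and
# removed the XSS but introduced a command injection.
SCAN_1 = [
    {"repo": "app", "tool": "brakeman", "rule": "SQL Injection", "severity": "critical",
     "file": "app/models/user.rb", "line": 42, "message": "Possible SQL injection"},
    {"repo": "app", "tool": "brakeman", "rule": "Cross-Site Scripting", "severity": "medium",
     "file": "app/views/users/show.html.erb", "line": 7, "message": "Unescaped output"},
]
SCAN_2 = [
    {"repo": "app", "tool": "brakeman", "rule": "SQL Injection", "severity": "critical",
     "file": "app/models/user.rb", "line": 57, "message": "Possible SQL injection (raw)"},
    {"repo": "app", "tool": "brakeman", "rule": "Command Injection", "severity": "high",
     "file": "lib/export.rb", "line": 12, "message": "Possible command injection"},
]


def run_demo():
    ticket_sink, alert_sink, tickets, alerts = memory_sinks()
    vm = VulnManager(ticket_sink, alert_sink)
    first = vm.ingest("app", {"brakeman"}, SCAN_1)
    second = vm.ingest("app", {"brakeman"}, SCAN_2)
    return first, second, tickets, alerts


if __name__ == "__main__":
    first, second, tickets, alerts = run_demo()
    print("scan 1:", first)
    print("scan 2:", second)
    print("alerts:", *alerts, sep="\n  ")
```

Two choices are worth keeping even when swapping the in-memory sinks for real integrations: the fingerprint deliberately excludes volatile fields, and resolution is scoped to the tools that produced results this run, otherwise a scan in which one scanner failed would silently close every ticket that scanner had opened.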