
AppSec Challenges and How We Do It

Ethan Schorer


2023-07-18

5 min read

Wait, first - what’s AppSec?

AppSec is shorthand for Application Security: making sure the monday.com platform runs secure software, so that the customer data stored on monday.com stays safe.

 

That doesn’t sound too difficult - what are the challenges?

Well, there are a whole bunch of challenges here. One is that, while developers do a fantastic job, bugs happen, and some of those bugs become vulnerabilities that can lead to things going wrong.

Another challenge is running security at scale: making sure security is applied everywhere when we are a fast-paced company in constant growth.

 

So, how do you do it?

First, like many companies, we’ve implemented an S-SDLC (Secure Software Development Life Cycle).

Our S-SDLC includes, but is not limited to:

  • Training developers
  • Security design review (aka threat modeling)
  • Peer review for every piece of software written in monday.com
  • Security tools running on our PRs, such as (but not limited to):
    • Dangeroid (looks for dangerous patterns or cases that require more attention)
    • SAST (static code analysis)
    • Secret scanner (search for passwords or tokens in our code)
    • SCA (check for vulnerable open source dependencies)
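To make the PR-stage secret scanner in the list above concrete, here is an added example of such a check (not Dangeroid or any tool the post names): it scans only the lines a diff adds, matches a known token format, and otherwise flags quoted literals assigned to secret-looking names when they have high entropy and are not obvious placeholders. The token patterns, entropy threshold and sample diff are constructed for illustration.

```python
import math
import re

# Patterns for a few well-known token formats (constructed for this example; real scanners ship many more).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Generic rule: a quoted literal of 8+ chars assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(r"(?i)\b[\w.]*(password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']")
# Obvious placeholders are never reported, to keep the PR check low-noise.
PLACEHOLDERS = {"changeme", "<redacted>", "example"}
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen for this example, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random keys score far above English words or 'aaaa'."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_diff(diff: str) -> list[dict]:
    """Report secrets on lines *added* by a unified diff, since a PR check should
    not block on code that was already in the repository."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip context lines, removed lines and the '+++ b/file' header
        content = line[1:]
        rule = next((name for name, pat in TOKEN_PATTERNS.items() if pat.search(content)), None)
        if rule is None:
            m = ASSIGNMENT.search(content)
            if m and m.group(2).lower() not in PLACEHOLDERS and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
                rule = "high_entropy_" + m.group(1).lower()
        if rule:
            findings.append({"line": lineno, "rule": rule})
    return findings


# Constructed sample PR diff (AKIAIOSFODNN7EXAMPLE is the documented AWS example key, not a real credential).
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
-API_KEY = os.environ["API_KEY"]
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "changeme"
+db_password = "aaaaaaaaaaaa"
+token = "q7Zp2mXv9LkR4tWy"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports line 6 (known key format) and line 9 (high-entropy token), while the placeholder and the low-entropy `aaaaaaaaaaaa` value are left alone.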

 

While we still have much to improve on the scaling front, we automate as much of our process as possible. Also, the monday.com way is that even the newest developer takes responsibility for the code they write. So, while we provide training for all developers, it is their responsibility to attend and to apply what they have learnt. The AppSec team is in daily contact with all R&D domains, but we expect the teams (and they do) to come to us for a review and to discuss the most secure way to implement their project.

 

Also, by running the tools in the pipeline, developers get immediate feedback and can fix their code or dependencies before the peer review, saving 🕜 and 💰.

 

What else does AppSec do in monday.com?

Well, as the guardians of our platform, we handle a few more super interesting tasks that keep us on our toes. These include:

 

Bug Bounty

monday.com maintains a private bug bounty program in which we invite hackers to find vulnerabilities in our software. The AppSec team manages the program (running campaigns for specific vulnerabilities or features, hacker engagement, and more), reviews the findings (understanding, reproducing, prioritizing, etc.), takes each vulnerability end-to-end with the development teams until it is fixed, and pays the hackers for their valuable findings and for improving our platform.

 

Penetration Testing

In addition to the automated testing and bug bounty on our platform, we also engage a professional team of pen-testers who dig deep into our platform, sometimes as gray-box testing in which we give them pointers on how we have implemented our features. This lets them skip some of the reconnaissance an attacker would need and allows deeper, more focused testing.

 

Anomaly & Abuse Detection

Together with our Data Security team, we identify misuse of our platform by malicious actors, such as accounts opened to send spam through our notification system, phishing attempts using our WorkForms, and more. We can spot where things behave differently than we expected and catch bugs and vulnerabilities early on.

 

Incident Response Team

Unfortunately, we do have software bugs and vulnerabilities. Sometimes these vulnerabilities cause a security control to fail, and a user may have been able to perform an action they shouldn’t have or see data they don’t have access to. These are referred to as security or privacy incidents.

The AppSec team leads the Incident Response Team for such incidents on our platform. This includes coordinating with R&D for investigation and fixing, working with the Privacy team and CX to communicate with the affected cust
