Skroutz’s Secure Coding Sessions

People
Mar 11, 2024

Have you ever felt that an online shopping website does not look so secure and makes you think twice before you enter your card details on checkout?

Have you ever wondered what it takes for us to write code at Skroutz that is not only functional but also gives users maximum security? In an online shopping world where you don’t know what goes on at the other end of your cable or your Wi-Fi/4G/5G connection, we make sure that you never find yourself in a situation like that. In an online neighborhood where we hear every day of hacks at large and/or global companies, we deliberately avoid ending up on the front page. Enter Skroutz’s secure coding sessions.

The Hows and Whys

Skroutz’s Application Security team has hosted 5 Secure Coding Sessions, day-long events for the entire Product Engineering function, aiming to train the people who are, on a daily basis, behind the creation of our favorite product – https://www.skroutz.gr.

The goal was for us to become more familiar with the actual vulnerabilities we have faced in our code over the past 2 years, understand how and why they work, see live how an aspiring hacker targets and exploits these vulnerabilities, and learn how they are resolved (aka best practices).

[Photo: Secure Coding sessions, the modules]

The Modules 

Each session was divided into 3 modules:

  • Secure Coding: Skroutz Top 10 Vulnerabilities
  • From Theory to Practice: Hands-on Hacking Lab
  • Capture The Flag: Our Engineers are hacking

In the first module, we focused, at both a theoretical and a practical level, on the 10 most important vulnerabilities we have “unearthed” in Skroutz: by analysing the relevant code segments and flows side by side, we showed the impact each one would have had if someone had taken advantage of it, as well as how we discovered and rooted out each of them.

In the second module, we shared the hacking techniques and tools needed to exploit these vulnerabilities and reproduced scenarios that could have happened in reality. What could have happened had these not been resolved? Scenarios involving sensitive personal data leaks, malicious code execution, installation of monitoring software, financial losses and anything else you can imagine.

In the third and last module, the participants took on the role of fledgling hackers. A set of 10 coding and hacking challenges, related to what we had already watched and discussed in the previous modules, was handed out, with a reward for the best hacker of each session. We built a platform for this purpose, and each player collected points in order to unlock the secret code.

[Photo: Secure coding sessions]

The Experience

So many teams – Content, Marketplace, Mobile, Growth, Discovery, Partners, Kernel, Payments, Warehouse, SLM etc. – and so many different approaches, kinds of knowledge, ideas, mindsets and concerns came together in the classroom, each sharing its perspective on what we had discussed. Each session was dynamic, and each question was unique and came from a different standpoint.

Pieces of knowledge fitted together like a puzzle to build our common mission: for all of us to have a more secure product and to be in a position to offer an outstanding user experience in every market.

We realized from first-hand experience how important the code behind each new feature is, and we acquired the knowledge needed to ensure the integrity of every buying experience. The participants can now sleep feeling more secure.

Our favorite moment: When extra time was requested in the hacking challenges and we actually exceeded 5 hours per session.

What was the feedback? All of us (literally) would recommend this session to developers and engineers. That’s a big win!

Next steps

As we look into our crystal ball, which gives us insight into the code’s world of magic, we see words and phrases such as Android, iOS, Social Engineering, Infrastructure and Cloud Security. These are not just fleeting concepts; they are the vehicle for our next Training Sessions.

Hackers are not wizards and witches; all it takes for us to expose them is to know what’s behind their tricks. We are here to make this happen!

George Tsigourakos

George is an Application Security Team Leader at Skroutz. He began his career as a Developer and Full Stack Engineer, spending his first 5 years immersed in various programming languages and technologies. Eventually, he found himself drawn to deconstructing code rather than building it.

Following his undergraduate studies at the Department of Computer Science and Telecommunications at Kapodistrian University of Athens, and postgraduate studies in Information Systems Security at Athens University of Economics and Business, he decided to pivot his career path.

Before transitioning into Cyber Security, George chose to specialize in the field by obtaining 6 notable certifications, including Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP) and Offensive Security Web Expert (OSWE). Additionally, he ranks among the top 160 Certified Information Systems Security Professionals (CISSP) in Greece and continues to pursue further certifications.

For the past 5 years, George has been actively engaged in Cyber Security, initially serving as an Information Security Engineer at the Insurance Group Evropaïki Pisti / Allianz. In early 2021, he joined the Skroutz team, initially as a Security Engineer and later advancing to the role of Team Leader.
