Zoopla is a real estate portal for property buyers, sellers and renters based in London, England. The company has about 750 employees and lists over a million properties in the United Kingdom and the Netherlands. It offers property research and sales and rental listings to help buyers, renters, landlords and real estate professionals make informed decisions.
Zoopla’s flagship property website and application register more than 60 million visits a month. The company works with several hundred application developers, helping real estate agents to kick-start a business. “We help them create their own website and offer them training,” explains Alikhan Uzakov, Application Security Engineer. “Zoopla is a much wider business than just one website.”
The most critical challenge Uzakov and his security team face day-to-day is trying to serve the developers. “We’re a staff of three; there are just not enough of us to support hundreds of developers.”
Uzakov is responsible for guiding Zoopla developers through the application security testing process. As part of the Product and Technology team he focuses on application and infrastructure security. He works with developers, conducting training, and helping them to embed security tooling into their processes to ensure security testing of the new features and products before they are released to the public.
Given the sheer number of developers, only a highly scaled and automated approach will work. Uzakov had previous experience with Rapid7 InsightAppSec, part of Rapid7's security suite, which provides Dynamic Application Security Testing (DAST). Even so, he put the tool through a trial to ensure it met Zoopla’s specific requirements. His team tested, evaluated and compared several appsec tools against Zoopla’s criteria of price, functionality and the level of support vendors provided. They chose InsightAppSec because it met all their requirements.
The Zoopla team uses InsightAppSec to automate security testing as part of the development process. It enables Uzakov’s team to automatically assess modern web apps and APIs with fewer false positives and missed vulnerabilities. They can fast-track fixes with rich reporting and integrations and keep compliance and development stakeholders informed. And they can scale easily by assessing the security of an application portfolio, regardless of its size. InsightAppSec also enables them to scan web applications to identify vulnerabilities like SQL Injection, XSS, and CSRF.
“We try to help everyone, but we cannot be everywhere,” Uzakov says. “We started using Rapid7 InsightAppSec so we could impact our organization on a larger scale. Its interface is intuitive and doesn't require much training, so I can give the developers the access they need to InsightAppSec to do security testing themselves.”
“Our work is heavily influenced by other departments, whether that’s Legal or IT, as well as our external customers, so we try to avoid working in a silo,” explains Uzakov. “One thing that helped quite a lot is general awareness. We are demonstrating InsightAppSec to developers in engineering meetups. I explain what it can help with, what it can do, and what it cannot do.” The response from developers has been very positive. In fact, several teams have asked to embed InsightAppSec in their project.
InsightAppSec also provides Uzakov and his team with a more efficient way to do penetration testing, saving time and money. “One of our approaches to AppSec is to invest in areas that pay a high return on investment. By simulating an attack on our applications with InsightAppSec we are able to identify vulnerabilities before a penetration test. This allows us to reduce the scope of the penetration test by remediating issues before and having more focus.”