Information Security News mailing list archives

How Shopify Avoided a Data Breach, Thanks to a Bug Bounty


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 19 Dec 2018 06:19:18 +0000 (UTC)

http://www.eweek.com/security/how-shopify-avoided-a-data-breach-thanks-to-a-bug-bounty

By Sean Michael Kerner
eWEEK.com
December 17, 2018

Breaches occur on an all-too-frequent basis, but what often goes unreported are the breaches that don't happen, thanks to organizations taking rapid, proactive measures. One such incident was outlined by Shopify at KubeCon + CloudNativeCon NA 2018 last week.

Thanks to a bug bounty program and the support of its vendor partner Google, Shopify was able to avoid a potentially disastrous flaw that could have enabled an attacker to take over Shopify's Kubernetes cluster. Shopify provides an e-commerce platform that allows vendors to sell goods and services. The platform is hosted on the Google Kubernetes Engine (GKE), which provides a hosted version of the open-source Kubernetes container orchestration platform.

"If you're not familiar with Shopify, we've got about 600,000 businesses, so there's a good chance that you've purchased something from us without even realizing it," Shane Lawrence, security infrastructure engineer at Shopify, said. "We processed about $26 billion last year, and during peak hours we get approximately 80,000 requests per second."

Shopify runs entirely on GKE, said Lawrence; his company chose Kubernetes to be able to respond rapidly to scaling demands like the recent Black Friday and Cyber Monday shopping events.

[...]


