Vinted's stylish security: Navigating fashion-tech fusion
Turning to open source to address containers and microservices
Second-hand marketplace Vinted brings together the fast-paced realms of fashion and technology.
The company, based in Lithuania, has made a name for itself as a place where people can clear their old wardrobe and pick up low-cost bargains - with buyer protection as standard.
But protection can't be limited to users. In its drive for more efficient operations, Vinted found itself facing a security challenge.
"As containerisation technology evolved, we started introducing more applications alongside our existing modular monolith and using more containerised microservices," says security engineering manager Aurimas Rudinskis.
Using containers and microservices meant Vinted could pivot to face new opportunities quickly, and improved resilience; but it wasn't a silver bullet. Containers brought their own challenges.
"How do we detect vulnerabilities in containerised environments, when they can exist for very short periods and then be turned off again?" asks Aurimas. "How do we ensure the security of containers at runtime, so that we know each one is secure while it is operating? Lastly, how do we detect and prevent suspicious activities or service abuse within these environments?"
There was "very little" in terms of existing commercial solutions to solve these problems, so the team turned to the open source community.
Security without the cost
Open source software features source code that anyone can inspect, modify and enhance. The community is passionate and collaborative, often building solutions together in an iterative fashion.
The tool Vinted chose, Falco, uses rules enhanced with container and Kubernetes metadata to provide real-time alerts. Its rules-based, open source nature was a key criterion in the choice.
"The other Kubernetes or containerisation security solutions in the market did not suit our needs, as they either required tight integration with developers or had a very high price tag attached. With Falco, we could achieve our goals and deliver the degree of security that we needed, but without the huge outlay."
As an open source project, Vinted's team can contribute to Falco themselves, plus "it integrates with the whole landscape of products that we're using," says SRE Edgaras Apšega.
"It is part of that rapidly developing cloud-native security approach, so it fits extremely well with our overall plans."
Start at the sandbox
After choosing a tool, you need to implement it, and luckily Edgaras already knew the solution. That made it "easy to find common ground and start working on architecture design and deployment," says Aurimas.
While Edgaras "did the heavy lifting" with design and implementation, the two worked together on deploying Falco to a sandbox to catch any potential issues and adapt it to the Vinted environment. After that, it was time to roll it out to production clusters.
False positives are the bane of every security professional, so integrating Falco events into the SIEM process was important to Aurimas. Although the team is still fine-tuning the tool, "Falco only notifies security analysts if a Falco rule with Critical or Warning priority would be triggered.
"This reduces the number of incidents that we have to investigate and ensures that we are looking into issues that are serious risks, so we can shut them down faster."
Although Vinted brought Falco in to bolster container security and stability, it is also using containers in the implementation.
"When those rules [we have written] are changed, our CI system kicks in, builds rules into an Open Container Initiative (OCI) container and pushes that new container to our OCI registry," says Edgaras. "We then have Falco containers set up that are always watching the registry for changes or new images, and they just simply pull the newest rules and apply them where they are needed.
Operating this way, duties for SREs and security engineers remain clearly separate. The former are responsible for the whole pipeline and Falco runtime, while the latter only have to maintain their own written rules.
Response to the deployment has been "extremely positive," especially from the company's engineers. Aurimas says, "They saw how much potential risk existed, and they wanted to support putting proactive protection in place."
But as any security team will tell you, the work never ends. Aurimas' team has started looking into solutions to secure cloud tenants, with a focus on multi-cloud support.
"At Vinted, we use a bit of every major cloud service provider and due to this, the solution we are looking for needs to support all of them. The cloud environments are very dynamic, and we would like to implement a solution capable of detecting and (preferably) preventing misconfigurations and suspicious activities in real time."