How to build a security-first culture: lessons from CRED


There are two types of companies: one where security is seen as an afterthought and the other where security is of the utmost importance.

What about the in-betweeners, you ask? 

At CRED, we genuinely believe that there are no in-betweeners to the above rule. And that’s probably why we belong to the latter camp. This is especially true since ours is an enterprise where we have to work with a ton of sensitive customer and business-centric data, making it imperative to make security and data privacy a priority.

While it’s good to have ambition, ambition by itself doesn’t take anyone anywhere without goals, which is why we set up a structured plan to make our infrastructure and applications more secure.

We have a very fast-growing culture at CRED, where we not only want to ship releases and features faster but also want to do so while ensuring the product we ship meets our security standards. To do this seamlessly within our unique environment, we had to make sure we cultivate information-security-first thinking specific to CRED.

And like all self-sustaining things, this couldn’t be enforced. It had to be encouraged.

Security shouldn’t be enforced, it should be encouraged!

To facilitate this, security awareness sessions and training must be a part of the onboarding process, and regular CTF challenges help people understand basic security loopholes. This could be a great way to educate employees and to keep the company’s IT security policy fresh in their minds. It also helps them understand the risks and threats in the ever-evolving cyber world. It is equally important to keep people up to date with the security world: curating timely updates about it can help embed a security culture and outlook within the organization.

Similarly, regular security awareness updates help increase people’s awareness of appropriate security practices around phishing, cyber fraud, password and 2FA implementation, and more.

We realize it’s easy to lose interest in the technicalities, so to keep things interesting, infographics and stories can be included to build curiosity. After all, we do know a thing or two about holding attention. Most important of all is regularity: one-off security and awareness exercises do not guarantee your security.

Security is not a blocker but a facilitator!

There are two ways to ensure we keep to security best practices: one is to keep updating and following what’s considered the latest best practice, and the other is to pioneer the best practices of the future on our own. To make this happen, we have started developing in-house tools that eliminate risks posed by online services. As an example, sharing code using Pastebin might expose it to the public. People may also fall into the trap of using phishing domains to beautify and validate their JSON, which may contain sensitive keys, tokens, or other information.

Educating our employees about the risks and dangers that online tools/services pose only creates awareness. Unless people are provided with alternatives to those tools/services, we cannot build this security-first thinking into the collective conscience. In keeping with this thought, the Security Engineering Team at CRED has built in-house alternatives to online tools and services. Some examples include an in-house Pastebin for sharing credentials and code, a JSON validator (deployed on our own server), a credit card validator, and so on.

One simple rule: make it easy.

Just as the organization keeps HR policies and documents in one place on a shared drive for easy accessibility, we have developed an in-house Security Dashboard for all security tooling and information: a one-stop shop for everything security, making it more approachable. Easy accessibility promotes easy facilitation.

Security: a shared responsibility 

Plugging the cybersecurity skills gap with security automation, specifically SOAR (security orchestration, automation, and response), helps ease the burden on security professionals. It is also a fact that a single team cannot manage security: sure, they can hook up various tooling, processes, and best practices to create a managed, secure platform, but in the end, security is everyone’s responsibility.

Werner Vogels at re:Invent

To embed this philosophy into our culture, we have set forth the best security practices for our developers to follow. We have also started training our QA team in basic security practices and have incorporated a security checklist into their workflow. We deeply value their role in our organization; QAs are the first group to do complete sanity testing on releases, which gives them substantial context on all our features before we take them live. As far as CRED is concerned, the QA team is now an extension of the security team. And we couldn’t be prouder that our QA team is not simply QA for us but has turned out to be a QASec team!

The road ahead

Building a culture is not a one-time investment, and we realise that. These are just the first and foremost steps that we have taken to create a secure ecosystem that will facilitate building applications and infrastructure security pipelines. As we scale and bring in new team members and technologies into the system, we will have to strengthen our practices to ensure they hold up to the demands. Since security is a continuous process, we continue working towards strengthening the security of our infrastructure and apps through tools and processes. In the following weeks, we intend to capture our internal processes in more depth. Give us a follow to get to know more about them.

about CRED

CRED is a members-only platform that rewards the creditworthy individuals of India with exclusive experiences, rewards and upgrades.