Surface Security

Andrei Gaftoniuc - Development Security Engineer @ Betfair Development Romania

Teofil Cojocariu - Application Security Engineering Lead @ Betfair Development Romania

Live from Europa room

10th November, 13:30-14:00

Our external attack surface is constantly growing, which gives external attackers the opportunity to continuously search for new attack vectors. To respond successfully to Security incidents, we needed a centralized platform that aggregates all the data about our premises in a single place.

Surface Security (Security Intelligence Automation Platform) is an internally built tool that helps our internal Security teams gain a holistic view of our externally exposed assets. Beyond that, it enables faster incident response based on the information it correlates.

Surface started as a small project in which we tried to close the gaps identified in our security controls. The platform's core is built in Django, a Python-based open-source framework with a fast learning curve. Besides Django, we're using technologies like Ansible (automation), Dkron (fault-tolerant jobs), Elasticsearch (Security metrics storage) and Grafana (reporting).

Over that whole period it gained a lot of traction in our company, leading people to contribute to its success by implementing and suggesting new features.

We're currently using it for reporting Security gaps to other key business areas and for Security controls such as monitoring our externally exposed assets, vulnerability management, security incidents, bug bounty reports and penetration testing.

Andrei Gaftoniuc

Betfair Development Romania

Somewhere between a builder and a breaker.

No application, operating system or platform is safe from exploitation by bad actors. That's why I took the chance and started building a safer experience for end users by reporting an extensive variety of Security vulnerabilities to companies like PayPal, Yahoo, Bolt (Taxify), Google and Valve.

Teofil Cojocariu

Betfair Development Romania

I'm focused on Application Security Engineering & Penetration Testing combined with a CAMS mindset (Culture, Automation, Measurement, Sharing - DevSecOps), and I reported security bugs to Google, Facebook, Uber, Bitdefender, ING Bank, Yahoo and other companies.

One of the most interesting things is that I built a platform, "Surface - Security Intelligence Automation Platform", which is being used by more than 600 people in Paddy Power Betfair, and I was the Security SME for a Private Cloud based on OpenStack with environments as code.