Siavash Ghorbani is the CTO and co-founder of Tictail, the marketplace home to emerging designers in fashion and home decor from over 140 countries around the world. Tictail is one of Detectify’s oldest customers, and they have been using our tool continuously to test their production environment for security issues.
How has your view on security changed over time?
I became interested in programming when I was 11 years old. As a child, I saw IT security as something fun – I remember that we installed Trojans on each other’s computers to push out the CD drive trays as a practical joke.
My interest in IT security grew when I started working at Blocket. They took IT security very seriously and I’m very lucky to have gone through Blocket’s IT security training as I learned a lot during that time.
How did you think about IT security when you started Tictail?
IT security was central from the beginning; that was the legacy I brought with me from Blocket. For some people who joined Tictail later, the routines we had set up felt difficult and time-consuming – for example, why should we have 2FA on everything? For us, the most important thing is to be good at explaining how and why we do things and, above all, to make it easy to do the right thing. When IT security becomes an obstacle and people feel like it gets in the way, they will choose an easier path sooner or later. We must work hard to explain security, and find the right tools to work with.
You have been using Detectify for several years. What do you think about the development of the tool?
We were early customers; we signed up in 2014 if I’m not mistaken. We have followed the development, and have really incorporated Detectify into our workflow now. You have really ramped up how in-depth the scans are, which means you find issues that we would not find otherwise. We have a policy that says we must fix high severity issues directly, and to a greater extent also prioritize the medium severity issues you find.
How do you use Detectify?
We use Detectify continuously on our production system. We are not worried that a crawl will affect our live activity. On the contrary, the reason we run Detectify against production is that there are conditions which are unique to the production environment that not even a perfect staging environment can recreate. We want to be the first to find security errors in our production environment, and Detectify is a great tool for that.
What do you appreciate about Detectify?
You have been incredibly responsive to our feedback. Sometimes we discover false positives and when we’ve contacted you, someone has always responded promptly, and fixed the issue for us. A huge part of Detectify’s value is about helping us remove noise. What we need is a tool that says “in this large number of terabytes of logs, it’s this line you should look at.” That’s how you find security holes.
How do you work with security, apart from using Detectify?
We do code reviews and review each other’s code. According to our guidelines, you should try to hack your own code until you succeed, the same goes for the reviewer. However, it is impossible to cover all the parameters of security. That is why it’s nice to have a tool that automates security testing and identifies security holes.