Furniture retailer Dunelm has improved its security, and the performance of its e-commerce operations, by “shifting left” and moving more of its processes to the network edge.
Speaking at Infosecurity Europe 2023, Dunelm’s DevSecOps principal engineer, Jan Claeyssens, explained how a move to infrastructure as code (IaC), updated web application firewalls (WAFs) and a programmable content delivery network (CDN) allows the retailer to push out as many as 250 updates to its e-commerce platform each month.
This move has been supported by a new approach to security, with a larger cybersecurity team, a move to DevSecOps and ensuring that security experts are on hand to help developers pre-empt any issues before they release updates.
“Before, we had two guys stuffed away in a closet. We have now gone from two guys doing security to 10. Five are in the DevSecOps team who liaise closely with developers,” he said. “We are testing the web application firewall, sitting in front of developers. So they know what to expect when they are developing new features for the platform.”
This approach allows for faster and smoother releases, helping Dunelm to meet demand for online sales. During the pandemic, the company maintained 70–80% of sales purely through its website, largely thanks to the headless and serverless platform it moved to in 2019.
Supporting this traffic means a new approach to cybersecurity. The business now takes security far more seriously, Claeyssens admitted. “It is clearly a priority; no company can afford for security not to be a priority.”
According to Claeyssens, moving closer to the developers has helped.
“We have about 250 releases a month for our e-commerce platform so we are ensuring that everything works as it should. Because we can provide that, security does become a bit of an enabler.”
The team’s approach is to “serve the customer where they live,” Claeyssens added. “That is what we are trying to do internally. Developers should not have to go out of their way to find security.”
Instead, the security teams use the same communications channels as developers and make it as easy as possible to raise tickets. This approach extends to working with Fastly, Dunelm’s CDN and WAF vendor.
“Our focus is on enabling that shift-left, DevOps-driven early detection of security threats,” agreed Sean Leach, VP for technology at Fastly. “We also secure the environment at run time. Sometimes you do miss things in configuration, and the last place to protect [the application] is at run time. So we sit on top of that and look for badness.”
In the future, Dunelm might use honeypots in its API gateways to detect hostile security scans, a technique that is made possible by the programmable nature of its edge infrastructure.
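To make the decoy-route idea concrete, here is an added example of the kind of honeypot logic a programmable edge could run in front of an API gateway. It is generic JavaScript in the style of worker/edge runtimes, written for this page; it is not Dunelm’s or Fastly’s code and uses no vendor API. The decoy paths, the flag TTL, the IP addresses and the sample traffic are all constructed for illustration.

```javascript
// Added example: decoy-route honeypot for a programmable edge (generic JS,
// not Dunelm/Fastly code). Decoy paths, TTL and sample traffic are constructed.

// Trap paths that the real site never links to or serves, so only
// reconnaissance tooling should ever request them (constructed list).
const DEFAULT_DECOYS = [
  "/api/internal/debug",
  "/api/v1/admin/export",
  "/.env",
];

// Factory keeps the flag table per instance so state is explicit and testable.
function createHoneypot({ decoys = DEFAULT_DECOYS, flagTtlMs = 60 * 60 * 1000 } = {}) {
  const decoySet = new Set(decoys);
  const flagged = new Map(); // clientIp -> { hits, lastSeen, paths }

  // Verdict for one request:
  //   "decoy"  - hit on a trap path; the client is flagged (or re-flagged)
  //   "block"  - a later request from a flagged client within the TTL
  //   "pass"   - ordinary traffic, forward to origin
  function classify(req, now = Date.now()) {
    const path = new URL(req.url).pathname;
    const prior = flagged.get(req.clientIp);
    if (prior && now - prior.lastSeen > flagTtlMs) flagged.delete(req.clientIp); // expire stale flags

    if (decoySet.has(path)) {
      const entry = flagged.get(req.clientIp) || { hits: 0, lastSeen: now, paths: [] };
      entry.hits += 1;
      entry.lastSeen = now;
      entry.paths.push(path);
      flagged.set(req.clientIp, entry);
      return "decoy";
    }
    return flagged.has(req.clientIp) ? "block" : "pass";
  }

  // Turn a verdict into a response shape plus a log line for the SOC.
  function handle(req, now = Date.now()) {
    const verdict = classify(req, now);
    const path = new URL(req.url).pathname;
    const log = `${new Date(now).toISOString()} ip=${req.clientIp} path=${path} verdict=${verdict}`;
    if (verdict === "decoy") {
      // Bland 200 with an empty JSON body: the scanner learns nothing and
      // keeps wasting time on trap paths instead of moving on.
      return { status: 200, body: "{}", log };
    }
    if (verdict === "block") return { status: 403, body: "forbidden", log };
    return { status: 200, body: "<forward to origin>", log };
  }

  return { classify, handle, flaggedCount: () => flagged.size };
}

// Constructed sample traffic: a shopper, then a scanner walking trap paths
// and afterwards trying a real product page from the same address.
const SAMPLE_TRAFFIC = [
  { t: 0,  clientIp: "203.0.113.5",  url: "https://shop.example/product/123" },
  { t: 50, clientIp: "198.51.100.7", url: "https://shop.example/.env" },
  { t: 60, clientIp: "198.51.100.7", url: "https://shop.example/api/internal/debug" },
  { t: 70, clientIp: "198.51.100.7", url: "https://shop.example/product/123" },
  { t: 80, clientIp: "203.0.113.5",  url: "https://shop.example/checkout" },
];

// Runs the sample through a fresh honeypot and returns the verdict per request.
function demo(base = 1700000000000) {
  const hp = createHoneypot();
  return SAMPLE_TRAFFIC.map((r) => hp.classify({ clientIp: r.clientIp, url: r.url }, base + r.t));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // ["pass", "decoy", "decoy", "block", "pass"]
}
```

Two caveats a practitioner would want before shipping something like this: keying flags on client IP is coarse (carrier-grade NAT and corporate proxies put many users behind one address), so a production version would key on a signed cookie or device fingerprint and rate-limit or challenge rather than hard-block; and the decoy paths must be excluded from sitemaps, robots.txt and any internal health checks, otherwise legitimate crawlers end up flagged.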
Editorial image credit: Craig Russell / Shutterstock.com