Case Study

How Mercari Hardened Its Software Supply Chain with StepSecurity

This case study is written by Allan Wirth, Manager of Platform and AI Security at Mercari, based on Mercari’s experience using StepSecurity at scale.

Runners: Self-Hosted


About Mercari

Mercari is an e-commerce and financial services company based in Tokyo, Japan, that operates several businesses, including C2C/B2C marketplaces and a payment service.

About the Author

I am currently the manager of the Platform Security team and the AI Security team at Mercari, where I oversee the AI- and platform-related security posture of the group. My primary responsibilities are setting security strategy and executing on that strategy in the domains of cloud, supply chain, and AI security.

The Challenge

Hardening the software supply chain has long been a priority for Mercari’s Security Engineering team. As part of that effort, we implemented tools such as SAST, DAST and SCA, Container Image Scanning, Container Image Signing, and self-hosted runners using Actions Runner Controller. With the increased attention on supply chain compromises over the last few years, our next priority turned to further hardening the network access in the build environment itself.

We evaluated building a solution for Actions network filtering in-house based on open source Kubernetes components such as Cilium, including building some PoCs. However, it seemed clear that building our own solution would be a significant undertaking with a very long lead-time, as we would need to build our necessary feature set in addition to coordinating a complicated rollout with product teams.

Why StepSecurity

We found Harden Runner while researching the feasibility of implementing network egress controls in-house. It seemed very promising, so we decided to test out the paid product as well.

StepSecurity’s unique feature set and rapid delivery of new capabilities were important parts of our decision to go forward with the product. Additionally, StepSecurity’s original research and first detection of industry-wide supply chain attacks gave us a lot of confidence in their position as a market leader in this space.

A critical consideration for us when deciding to go forward with StepSecurity was making sure that we could effectively roll it out to our large number of repositories. The combination of the Terraform provider and the repo/org level policy attachments meant that we could configure policies as code in a single location controlled by the security team while still allowing engineers to make self-service changes to network allowlists.

Results and Impact

StepSecurity has been deployed across 100% of our workflows, all without requiring any changes to individual workflow files. This was a key factor in achieving minimal impact on developers.

For application developers, the introduction of StepSecurity has had minimal impact; in fact, most have had no reason to concern themselves with the new system, even though their workflows are now protected. Because StepSecurity was deployed at the organization and repository level through the Terraform provider and policy attachments, without modifying any workflow files, developers did not need to make any changes to their existing CI/CD configurations. We developed a simple Slack automation that notifies developers of any events detected by Harden Runner. This is an important part of our rollout strategy as we increase the coverage of our network block policies; so far, however, the number of alerts has been minimal. By using the Terraform provider, we have been able to create a self-service workflow for developers to make changes to their repo’s policies in a way that is familiar to them.
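To make the rollout pattern concrete, here is an added example (not StepSecurity's, Harden Runner's or Mercari's code) that models the three pieces described above: an organization-wide egress allowlist, per-repository additions that repo owners can extend themselves, and a per-repo mode that starts in audit and is switched to block as coverage grows. Findings are then turned into a Slack message body. The policy layout, the connection-record fields (`repo`, `workflow`, `dest`) and the sample records are all constructed assumptions for illustration; Harden Runner's real policy format and event schema are not shown on this page.

```python
"""Model of layered egress allowlisting with developer notification.

Constructed illustration, not StepSecurity's or Mercari's code. The policy
structure, the record fields and the sample data below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import json


@dataclass
class EgressPolicy:
    """Org-wide baseline plus per-repository additions.

    org_allow:  destination patterns every workflow in the org may reach
    repo_allow: repo -> extra patterns that repo owners added (self-service)
    mode:       repo -> "block" (drop the connection) or "audit" (log only)
    """
    org_allow: set[str]
    repo_allow: dict[str, set[str]] = field(default_factory=dict)
    mode: dict[str, str] = field(default_factory=dict)
    default_mode: str = "audit"

    def is_allowed(self, repo: str, dest: str) -> bool:
        # fnmatchcase keeps matching case-sensitive and platform-independent.
        patterns = self.org_allow | self.repo_allow.get(repo, set())
        return any(fnmatchcase(dest, p) for p in patterns)

    def mode_for(self, repo: str) -> str:
        return self.mode.get(repo, self.default_mode)


def evaluate(policy: EgressPolicy, records: list[dict]) -> list[dict]:
    """Return one finding per outbound connection not covered by the allowlist.

    Allowed connections produce no finding; unlisted ones are tagged with the
    action the repo's mode implies, so a repo still in audit mode only alerts.
    """
    findings = []
    for rec in records:
        if policy.is_allowed(rec["repo"], rec["dest"]):
            continue
        action = "blocked" if policy.mode_for(rec["repo"]) == "block" else "audited"
        findings.append({**rec, "action": action})
    return findings


def slack_payload(finding: dict) -> dict:
    """Body for a Slack incoming webhook; a single "text" field is sufficient."""
    text = (f"Egress {finding['action']} in {finding['repo']} "
            f"({finding['workflow']}): {finding['dest']}")
    return {"text": text}


# Constructed sample policy: a baseline the security team owns, plus one repo
# that added its own destination and has already been moved to block mode.
SAMPLE_POLICY = EgressPolicy(
    org_allow={"github.com", "*.githubusercontent.com", "registry.npmjs.org",
               "pypi.org", "files.pythonhosted.org"},
    repo_allow={"example-org/payments": {"*.googleapis.com"}},
    mode={"example-org/payments": "block"},
)

# Constructed connection records as a runner-side agent might report them.
SAMPLE_RECORDS = [
    {"repo": "example-org/payments", "workflow": "deploy", "dest": "storage.googleapis.com"},
    {"repo": "example-org/payments", "workflow": "deploy", "dest": "unknown-host.invalid"},
    {"repo": "example-org/web", "workflow": "ci", "dest": "registry.npmjs.org"},
    {"repo": "example-org/web", "workflow": "ci", "dest": "unknown-host.invalid"},
    {"repo": "example-org/web", "workflow": "ci", "dest": "objects.githubusercontent.com"},
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_POLICY, SAMPLE_RECORDS):
        print(json.dumps(slack_payload(f)))
```

Running the script prints two webhook payloads: the payments repo's unlisted destination is reported as blocked, while the same destination from the web repo, which is still in the default audit mode, is only reported as audited. That split is what lets a security team widen block coverage one repository at a time while developers keep self-service control over their own allowlist entries.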

For the Platform Security team, we have been able to replace several internally developed tools and scripts with StepSecurity features, particularly around governance. This has enabled us to focus more of our attention on other areas that are more unique to our enterprise.

Supply Chain Confidence

Supply chain security has long been a priority for Mercari’s Security Engineering team, and we already had high confidence in the security of our system, but StepSecurity was able to provide us with some additional unique capabilities for monitoring, isolation and governance that we found would be difficult to replicate in-house. In combination with our existing controls, our confidence in our supply chain has never been higher.

StepSecurity’s cutting-edge security features are a core part of Mercari’s supply chain security strategy. Adding these isolation, monitoring and governance capabilities to our platform has enabled Mercari’s Security Engineering team to spend more time focusing on the areas that are truly unique to our enterprise.

— Allan Wirth, Manager of Platform and AI Security, Mercari