We recently sat down with ZOE’s VP of Engineering, Julien Lavigne du Cadet, to discuss the tremendous overnight success of ZOE’s COVID-19 symptom app and how his team established protection for their 4M+ users in a short timeframe.
ZOE is a fast-growing health science application that uses in-depth research and AI to provide a comprehensive scientific analysis of a user’s metabolism, gut, and overall health. When the global COVID-19 pandemic hit in March 2020, the ZOE team saw an opportunity to use their technology to better understand COVID-19 symptoms and risk factors for their users.
Within 36 hours of launching their new app, ZOE had 1M+ new active users across the UK, US, and Sweden. Their overnight growth made ZOE the largest COVID-19 symptom study in the world. As a result, ZOE was suddenly collecting and storing millions of patients’ personally identifiable information (PII) while rapidly deploying new application features with little protection. Security was obviously a key concern for Julien and his team, and they needed an application security solution ASAP that could scale with the company’s rapid growth. “We had to build the app as quickly as possible, and we took a lot of shortcuts, but the one shortcut we didn’t take was security,” stated Julien.
ZOE needed a safe way to provide access to third-party researchers (like academic institutions) while maintaining and protecting their user data. They immediately began assessing solutions to monitor and block malicious actors and data breaches.
In our webinar, “How ZOE protects the world’s largest COVID-19 symptom study”, Julien explained ZOE’s decision to use both Cloudflare’s Web Application Firewall (WAF) and Sqreen’s Application Security Management Platform to protect their applications and customer data. Here are the top three reasons why his team chose Sqreen + WAF:
1. Ensure multiple layers of application security to deliver defense-in-depth
A WAF sits at a single layer (the network layer, at the perimeter in front of the application) and filters specific requests using signatures and patterns. For example, with a WAF, the ZOE team could block requests from countries where the application is not available. Their WAF, however, gave ZOE little insight into what was happening inside the application itself.
“The goal with the WAF was to protect ourselves against Distributed Denial-of-Service (DDoS) attacks. We weren’t confident that we could configure our WAF to catch all the things we really cared about,” said Julien. “We used our WAF mostly as network-layer protection [outside of the application] and used Sqreen for additional layers of protection and visibility [inside of the application].”
With Sqreen, Julien and his team gained a deeper layer of protection against malicious activity at the application layer. Sqreen leverages the full context of your application using in-app microagents to monitor and protect against critical attacks and threats. Sqreen’s in-app agents allow for more precise protection and deeper visibility into the state of ZOE’s app security, including insights into stack traces, executable commands, authentication layer data, and much more.
2. Deeper visibility into user login attempts, ATO, and brute force attacks
With their sudden increase in users, the ZOE team realized early on that many new users were logging in several times a day and racking up dozens of failed login attempts. WAF signatures and patterns would flag these attempts as malicious activity and send false-positive alerts to an already very busy team.
“You need to prepare for security, it’s not something where you can just be reactive, and as a small team you don’t want a lot of false positives that constantly need our attention. Sqreen helps us differentiate between legitimate traffic and real malicious activity,” said Julien.
With Sqreen, Julien’s team gets deeper visibility into exactly which accounts and IP addresses are triggering their alerts so they can determine very quickly whether an account takeover alert is real or false.
“The perfect example is everything related to Account Takeover (ATO) and brute force logins: with our WAF I can set up rate limiting to make sure that doesn’t happen; however, if I change the URL of my endpoint, our WAF would not know anything: the rule would still be there, but it would catch nothing. Sqreen is much more integrated into my app and would catch this change. This level of protection is not available at the network layer,” Julien mentioned in our discussion.
In addition to deeper visibility, Sqreen only alerts ZOE when a real critical attack is happening inside the application. Sqreen also seamlessly integrates into their existing workflows through a direct Slack integration so their security team can quickly respond to critical problems and better prioritize their efforts.
“It’s super useful to understand which accounts are targets versus background noise of users that have forgotten their passwords.”
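The distinction Julien draws in this section, between accounts under attack and the background noise of users who forgot their password, is easiest to make inside the application, at the authentication call rather than at a URL-based rate-limit rule. The following added example is not ZOE's or Sqreen's code; the `LoginMonitor` class, its thresholds and the constructed traffic in `demo()` are illustrative assumptions.

```python
from collections import defaultdict
from functools import wraps

class LoginMonitor:
    """Counts failed logins per account and per source IP at the auth call.
    Thresholds are illustrative assumptions, not any product's defaults."""

    def __init__(self, ip_account_limit=5, account_ip_limit=3, noise_limit=10):
        self.ips_per_account = defaultdict(set)  # account -> IPs that failed against it
        self.accounts_per_ip = defaultdict(set)  # IP -> accounts it failed against
        self.pair_failures = defaultdict(int)    # (account, IP) -> failure count
        self.ip_account_limit = ip_account_limit
        self.account_ip_limit = account_ip_limit
        self.noise_limit = noise_limit

    def record_failure(self, account, ip):
        self.ips_per_account[account].add(ip)
        self.accounts_per_ip[ip].add(account)
        self.pair_failures[(account, ip)] += 1

    def classify(self, account, ip):
        """Separate targeted accounts from users who merely forgot a password."""
        if len(self.accounts_per_ip[ip]) >= self.ip_account_limit:
            return "credential_stuffing"   # one source failing against many accounts
        if len(self.ips_per_account[account]) >= self.account_ip_limit:
            return "targeted_ato"          # many sources failing against one account
        if self.pair_failures[(account, ip)] >= self.noise_limit:
            return "single_source_brute_force"
        return "forgotten_password"        # background noise: no alert raised

    def guard(self, authenticate):
        """Wrap the auth function itself, so renaming the login route changes nothing."""
        @wraps(authenticate)
        def wrapper(account, password, ip):
            ok = authenticate(account, password)
            if not ok:
                self.record_failure(account, ip)
            return ok
        return wrapper

def demo():
    """Constructed traffic (not real ZOE data) covering the three cases."""
    monitor = LoginMonitor()
    login = monitor.guard(lambda account, password: password == "correct-horse")
    for _ in range(4):                          # alice keeps mistyping from home
        login("alice", "wrong", "10.0.0.1")
    for n in range(6):                          # one IP fails against six accounts
        login(f"user{n}", "guess", "203.0.113.9")
    for n in range(3):                          # bob's account fails from three IPs
        login("bob", "guess", f"198.51.100.{n}")
    return {"alice": monitor.classify("alice", "10.0.0.1"),
            "user0": monitor.classify("user0", "203.0.113.9"),
            "bob": monitor.classify("bob", "198.51.100.0")}
```

Because the wrapper observes the authentication function rather than a request path, the counters keep working when an endpoint URL changes, which is the gap Julien describes for a WAF rate-limit rule.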
3. Security confidence
Lastly, using Sqreen alongside a WAF meant peace of mind for Julien and his team as they continue to see tremendous success and growth. Julien installed Sqreen in just a few minutes and was immediately protected against OWASP Top 10 vulnerabilities with Sqreen’s out-of-the-box In-App WAF, RASP, and ATO protections. Unlike traditional WAFs, Sqreen’s microagents automatically detect any type of architecture so there is no ongoing tuning or maintenance required for his engineering team as they continue to deploy new products.
“I think at our level, as a small fast-growing team, we weren’t extremely confident that we could configure the WAF to catch the things we really cared about and spend a lot of time and resources to get it right and monitor it,” said Julien.
Early in the app’s development, Julien wasn’t confident that their WAF would catch all of their critical problems. They hired penetration testers and were reassured when Sqreen detected and blocked the attacks the pentesters performed.
For Julien and the ZOE team, their WAF provided them with network layer protection at the perimeter of their application, and Sqreen gave them deeper protection at multiple levels of their application. Sqreen + a WAF gave the ZOE team confidence in their overall application security posture and allowed Julien and his team to focus on what matters most – shipping safe and reliable applications for their users.
“For us, it was really the deeper layer of security that gave us confidence. Even though we think the code we’re writing is secure, if we miss something we know there is this additional layer that will help us mitigate risk.”
To hear more best practices from ZOE’s tremendous success, including what Julien would do differently knowing what he knows now, watch the full webinar here.