Gojek: how cybersecurity promotes trust in the super app

“It's refreshing to work for a company that has such a positive impact on so many lives across the APAC region and across the world,” says George Do, Chief Information Security Officer at Gojek, a company he joined in September 2019. Gojek provides a technology platform offering a variety of services from ride-hailing to food delivery, an approach that affords the moniker of a “super app”. “My charter is to ensure the security of the company and all of our products, services, platforms, as well as all of the systems for our users,” says Do. “I would describe the role as driving the mission of the company to help improve millions of lives by reducing its daily frictions. This opportunity to make a positive social impact was such an important factor for me to make the decision to join Gojek.”

Do credits his career in cybersecurity to an early inciting incident. “I was lucky enough to be selected as an intern at NASA, which really launched my career. I wasn't into security before then, but I was bitten by the security bug once I started the internship.” From there, Do says he was “fortunate to have faced security challenges from both within and outside the walls of organisations, having been part of internal security teams as well as serving as a consultant and as a security architect. That helped me a great deal in learning how to balance and bridge the gap between security and the business.”

Cybersecurity at a digital-native company like Gojek offers its own challenges, but also plenty of opportunities. “Gojek made it into the ground floor of the digital transformation,” says Do. “Where we're at today is where a lot of companies around the world are trying to get to. Executing a security strategy for such a cutting-edge platform is a very exciting endeavour.” The depth and breadth of services a super app like Gojek offers requires a specific approach. “One of the key areas of focus that we target as a super app is DevSecOps,” says Do. “That’s development, security, and operations, all in one within continuous integration and continuous delivery (CI/CD) environments. We really work hard to bake security into our engineering processes. Because our application is the main interface for our consumers, driver partners, and merchants, we take application security very seriously, so we employ both static and dynamic security tools.”

As Do emphasises, it is the maturity of Gojek’s cloud capabilities that offers the company enormous benefits. “Gojek was born in the cloud, meaning that much of what we do pivots around that,” Do explains. “While the security concepts remain the same, a lot of the tools and processes are different when compared to traditional organisations that have a large part of their infrastructure still on premise. While traditional companies typically straddle on premise infrastructure applications and a hybrid cloud model, we focus more on the cloud model.” While the security workloads might be similar to a traditional company, Gojek approaches them in a different manner. “A good example is encryption and logging, something that's pretty fundamental within the security space. To try to do those things in a traditional environment is quite complex, especially for globally distributed technology stacks. When we do that in the cloud, a lot of times it's really a checkbox or a configuration change to get things moving along faster and more efficiently.”

The goal of these technologies is to earn the trust of users. “As a super app, we provide or offer a variety of services to our consumers, partners and merchants,” Do says. “Our number one security priority comes down to consumer trust. We strive to provide this trust by employing a very robust security program that ensures security on both our products, services, on our platform, as well as the applications that our internal users rely on every day.” That security priority must be balanced with speed of access, something for which identity and access management is crucial. “We want to enable our developers and our engineers to move as fast as possible, but in order for them to do that securely, their identity and how they go about accessing systems to do their work is paramount. So we employ, and have a robust roadmap to implement, a very strong identity and access management program here at Gojek, including multi-factor authentication.”

Do identifies a number of strategies that he has developed over his career to stay on top of security in a fast-moving organisation. “Number one, leverage the cloud native tools that are available to you,” says Do. “Don't try to boil the ocean and create your own tools because some of those will already be at your fingertips. The second thing is finding a good balance between what we build internally, in-house or open-source, versus what we buy commercially. It’s important to pragmatically select a build versus buy option based on the security use case and return on investment. Thirdly, in the course of developing applications and releases, there will be vulnerabilities that may be inside the code. We have to be very rigorous around the employment of a continuous vulnerability management program so that the vulnerabilities are detected in real time and remediated as soon as possible thereafter.”

Supplementing these preventative methods are reactive measures such as a bug bounty program. “For all of the work that we do from a prevention perspective, we also need a strong and robust incident response capability. That means building out a team and process, a capability by which, if an incident does hit, we’re in a state where we're able to respond in an effective and meaningful way.”

Gojek’s security ecosystem is also reliant on the support of partners such as Horangi. “Horangi is one of many security firms that we use to augment our security program,” says Do. “With Horangi, we collaborate on areas like penetration testing and improving the maturity of our security incident response capabilities. We also receive support from them with response playbooks and executing war game exercises.” When selecting partners and vendors, Do believes in security platforms as opposed to point solutions. “For me, unless it's truly a critical area of need, I really steer towards a security platform versus spot solution because it reduces the number of technologies that my team has to manage.”

As for the future, Do has a clear path in mind for cybersecurity at Gojek. “First and foremost is winning consumer trust. Slowly but surely, we also need to bake security into the culture. With any organisation, security and the culture really is a critical factor. As we grow and expand, doing that will pay huge dividends for us as we scale and expand into new markets and with new product sets.” As for the broader industry, Do emphasises that there is strength in numbers. “The threat landscape is constantly evolving. As CISOs, we have to evolve with it. The bad guys only have to get it right once. We have to get it right every time. Really, the game is stacked. Phishing, credential theft, nation-state sponsored hacking, these are just some of the threats we face. Security is an exciting field and I would encourage young people to look at cybersecurity as a career. The more security practitioners we have, the better the industry overall.”

George Do