Dohop is a travel technology company. On their B2C side, they provide a flight comparison website that helps you find and compare flights. On the B2B side, they create and operate connection platforms for airlines and Interline 2.0 connections where the customer can book two or more segments in a single checkout along with a protected connection. They currently have a team of 45 people, of which about 30 are part of the software development team. Their headquarters are in Reykjavik, Iceland, but a handful of their employees work remotely from other corners of the world.
At the beginning of 2019, they embarked on their own search for a security training solution to educate their technical team in secure coding practices as well as the entire team on security awareness primarily for PCI DSS compliance purposes. They chose to implement the Adversary security training platform to train their developers and included our add-on for security awareness training for everyone.
We were lucky enough to get to chat with the team leading this initiative, Einar Helgason, Axel Máni Gislason, Kjartan Traustason, and Pétur Kristinn Guðmarsson. This is what they had to say.
Earlier this year Dohop set out to become PCI DSS compliant, which is the standard for global payment account data security. If an organization stores or transmits credit card data, they are required to become compliant. One of the requirements to become PCI compliant is to train your development teams in secure coding techniques including how to avoid common software vulnerabilities.
Because much of their staff work remotely, they told us it didn’t make sense for them to do a traditional security training lecture. In order to do that, they would have to fly all of their remote employees to their headquarters and ensure everyone could participate. If someone were to be sick that day, then they would not be able to prove to the auditors that everyone completed the training.
Pétur Kristinn Guðmarsson, COO, added that traditional training would simply tick the box that they fulfilled the security training requirement, but they weren’t very optimistic that the employees would actually learn much from a lecture or seminar. With Adversary, each and every person could choose when they did the training and do it at their own pace as long as they finished it by a certain date.
“Adversary was the perfect solution. It is online, can easily track the progress of each person, and we didn’t need to get the remote employees to Iceland for the training.” - Einar Helgason, Software Engineer
Although their primary reason for implementing secure coding training within Dohop was to become PCI compliant, they experienced other positive effects that made the whole initiative even more worth it.
One of these is that they are confident that their development teams are now much more aware of software vulnerabilities and more likely to avoid introducing them. Of course they’re humans, so nothing is 100%, but they are confident that their staff are better educated in security than before.
“Some of our employees weren’t even aware certain vulnerabilities existed, so just the awareness alone is an improvement.” - Einar Helgason, Software Engineer
They also shared with us that some of their developers had not completed a security course in University. For those that did, some of them said that their course was rather boring and they didn’t learn how software vulnerabilities worked or how to avoid them, simply that they exist. They told us that most of their developers liked how pragmatic the Adversary training platform is and especially liked that it’s on an actual server and not a simulation, which makes it truly hands-on. They also liked that they could complete the training exercises at their own pace and when they had the time.
In addition to them being more confident in the security knowledge of their development team as well as the awareness of the entire staff, the supervisors especially liked that they could get a simple overview of who had finished the training and see if someone was stuck. This allowed them to send a friendly nudge to those who had not yet finished the training campaign and offer assistance to those that might need some help with a particular exercise.
This made it easy for them to ensure that everyone finished the necessary training.
Above all, the team at Dohop is happy that Adversary enabled them to fulfill the security training requirement of the PCI DSS compliance, but they also emphasized that there has been a shift in the mindset around security within the organization and say that it’s always a good thing to be reminded of security.
“We started our security training initiative with Adversary to gain PCI compliance, which we did successfully, but since then we also think more about how we approach security on an everyday basis.” - Pétur Kristinn Guðmarsson, COO, Dohop