
Case study: OVO

State of Open: The UK in 2022

Phase One “The Open Source Journey”

Simon Goldsmith, Director of Information Security

Synopsis

OVO, the UK’s third-largest independent energy retailer, developed and Open Sourced Domain Protect, a security tool that detects subdomain takeover vulnerabilities. Launched in 2009, OVO is committed to sustainability, pledging to be a net-zero carbon business by 2030. With a hybrid cloud environment and a private bug bounty program, OVO employs serverless functions to proactively identify security issues, particularly subdomain takeovers. The tool, supporting AWS and Cloudflare and recently extended to Google Cloud Platform, is managed as an Open Source project on OVO’s repository. OVO emphasises community contributions, skill development, and the reputational benefits of participating in Open Source.

5.4 Case Study – OVO

Simon Goldsmith, Director of Information Security, OVO

Launched in 2009 in Bristol, OVO is the third largest independent UK energy retailer with over 4.5 million retail customers. The company has spent the last decade investing in market-leading technology, customer service operations and digital products to help members cut their carbon emissions. OVO is on a mission, through its sustainability strategy Plan Zero, to tackle the most important issue of our time: the climate crisis, by bringing its customers with it on the journey towards zero carbon living. OVO has committed to being a net zero carbon business and to achieving bold science-based carbon reduction targets by 2030, while helping members reduce their household emissions at the same time. The OVO information security team actively consumes, contributes to and distributes Open Source Software. They recently open sourced a security tool to prevent subdomain takeovers, named Domain Protect.

Securing the landscape with Domain Protect

OVO has a hybrid cloud environment, with multiple autonomous development teams each managing their own cloud accounts, leading to occasional disparate systems and missed vulnerabilities. OVO began its own private bug bounty program, rewarding researchers who found various security issues, over half of which were subdomain takeovers.

To get ahead of the researchers and find vulnerabilities themselves, OVO chose to develop Domain Protect using serverless functions in the cloud to detect subdomain takeover vulnerabilities and alert security and engineering teams to them. There are many different types of subdomain takeover, such as removing a cloud resource and forgetting to delete the corresponding DNS records, and as Simon explains, all of them can be damaging to an organisation and its customers. Domain Protect “solves a specific problem that quite a few security teams and organisations face in the digital world.”

Domain Protect supports Amazon Web Services (AWS) and Cloudflare, and OVO recently extended the application to cover Google Cloud Platform (GCP). Typically, Domain Protect is installed in a security audit account within an AWS Organisation. A number of Lambda functions are installed, each running at regular intervals, triggered by a CloudWatch scheduled event. The Lambda functions look for different types of domain takeover vulnerabilities and write their findings to a Simple Notification Service (SNS) topic. Another Lambda function is triggered by new events arriving on the SNS topic and sends an alert to Slack. Optionally, an automated ‘friendly’ takeover can be performed within the security account, so that the dangling record is claimed by OVO itself and an administrator can resolve the problem later.
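The detection step described above, reduced to its core as an added illustration. This is not Domain Protect’s own code: a real scheduled function would read DNS zones and resource inventories from the cloud provider APIs, whereas here the records, the hostnames and addresses, and the inventories of live S3 website endpoints, CloudFront distributions and owned Elastic IPs are all constructed, and the `scan_records` and `build_alert` functions are assumptions standing in for the scanning Lambda and the message it would publish to the SNS topic.

```python
import ipaddress
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed DNS zone data standing in for what a scheduled check would
# read from a cloud DNS API. All names and addresses are invented.
DNS_RECORDS: List[Dict[str, str]] = [
    {"name": "assets.example.test", "type": "CNAME",
     "value": "assets-bucket.s3-website-eu-west-1.amazonaws.com"},
    {"name": "old-promo.example.test", "type": "CNAME",
     "value": "promo-2019.s3-website-eu-west-1.amazonaws.com"},
    {"name": "www.example.test", "type": "CNAME",
     "value": "d111111abcdef8.cloudfront.net"},
    {"name": "legacy-api.example.test", "type": "A", "value": "203.0.113.42"},
    {"name": "api.example.test", "type": "A", "value": "203.0.113.10"},
    {"name": "mail.example.test", "type": "MX", "value": "10 mx.example.test"},
]

# Constructed inventory of resources the organisation currently owns; in a
# real deployment these come from the cloud accounts being audited.
LIVE_S3_WEBSITE_ENDPOINTS = {"assets-bucket.s3-website-eu-west-1.amazonaws.com"}
LIVE_CLOUDFRONT_DOMAINS = {"d111111abcdef8.cloudfront.net"}
OWNED_ELASTIC_IPS = {"203.0.113.10"}

# Only CNAME targets in a takeover-prone provider namespace are verified;
# any other target is reported as "unknown" rather than "missing".
S3_WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
CLOUDFRONT_RE = re.compile(r"\.cloudfront\.net$")


@dataclass(frozen=True)
class Finding:
    record_name: str
    record_type: str
    target: str
    reason: str


def cname_target_exists(target: str) -> Optional[bool]:
    """True/False for targets this checker can verify, None for the rest."""
    if S3_WEBSITE_RE.search(target):
        return target in LIVE_S3_WEBSITE_ENDPOINTS
    if CLOUDFRONT_RE.search(target):
        return target in LIVE_CLOUDFRONT_DOMAINS
    return None


def scan_records(records: List[Dict[str, str]]) -> List[Finding]:
    """Flag DNS records whose target resource no longer belongs to us."""
    findings: List[Finding] = []
    for r in records:
        value = r["value"].rstrip(".").lower()
        if r["type"] == "CNAME":
            # A CNAME into a provider namespace whose resource is gone is the
            # classic dangling record: the name still resolves, the resource
            # behind it can be re-registered by someone else.
            if cname_target_exists(value) is False:
                findings.append(Finding(r["name"], "CNAME", value,
                                        "CNAME target no longer exists"))
        elif r["type"] == "A":
            try:
                ipaddress.ip_address(value)  # skip malformed values
            except ValueError:
                continue
            # A released Elastic IP can be allocated to another tenant, so an
            # A record pointing outside the owned inventory is a finding too.
            if value not in OWNED_ELASTIC_IPS:
                findings.append(Finding(r["name"], "A", value,
                                        "A record points outside the owned IP inventory"))
        # MX, TXT and other types are out of scope for this checker.
    return findings


def build_alert(findings: List[Finding], account: str = "security-audit") -> Dict:
    """Shape findings into the payload a notification function would post."""
    return {
        "account": account,
        "count": len(findings),
        "findings": [asdict(f) for f in sorted(findings, key=lambda f: f.record_name)],
    }


if __name__ == "__main__":
    for f in scan_records(DNS_RECORDS):
        print(f"{f.record_type:5} {f.record_name} -> {f.target}: {f.reason}")
```

Run against the constructed zone, the scan reports `old-promo.example.test` (its S3 website endpoint is no longer in the inventory) and `legacy-api.example.test` (its address is not an owned Elastic IP), while the records whose targets are still present, and the MX record, produce nothing. The split between `scan_records` and `build_alert` mirrors the architecture in the text: one function per check writes findings, and a separate function turns them into the message that a notifier forwards to Slack.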

An Open Source Software journey

The journey started over a year ago as an internal Open Source (inner source) project creating the tool. Today it is shared for third party use on OVO’s Open Source repository. Simon believes it’s “a genuinely useful tool that would benefit security teams globally.” The security team manages its maintenance and contributions, and through public events and opportunities, hopes to raise awareness and distribute it further.

There are several advantages of an Open Source Software build for OVO. In particular, the rich community of contributors: “the more people we can get contributing to it, the richer that tool and that problem solving space becomes. The more inputs from the community, the more useful it becomes both to us and to everybody else.” This is not only from a quality perspective but also a skills perspective. Simon believes that it isn’t just about developing the team’s skillset but developing the skills of others and developing the defensive security capabilities of a broader community and society.

There are also valuable reputational benefits gained by contributing to Open Source Software. Simon emphasises this intangible benefit as critical in positioning OVO as a leader in technology and increasing its attractiveness to the UK’s skilled workforce. Not just consuming but contributing to Open Source Software is an easily verified way to demonstrate that they are at the forefront of innovation, highlights their commitment to the cybersecurity profession and displays their technical competence.

Shaping the relationship between security and Open Source Software

Simon sees a link between Open Source Software and the broader energy sector, in particular OVO’s commitment to sustainability and digitisation, saying: “Sustainable and secure energy is reliant on technology – there’s obviously financial concerns and geopolitics to consider – but there is a key role that technology plays in shifting people to zero carbon energy, including digitisation of our platforms, making the whole data and technology landscape a lot more cost effective, and a lot easier to access.”

Security is linked closely to the software development lifecycle. OVO believes in establishing a level of trust in, and verification of, the repositories it consumes code from. A large organisation such as OVO needs to prepare for and handle supply chain security.

They recognise that “attackers are using the supply chain, including Open Source Software, as a means to execute their attacks.” In Simon’s view, “The solution is to include security in engineering development and operations cycles. There can be a tendency to think that security is only a compliance, or a governance activity, when actually, it really should be part of the systems engineering, lifecycle and the quality of a product.”

Conclusion

Across OVO, they have extended the functionality of Domain Protect to DNS records held in Google Cloud Platform (GCP). As they become aware of new types of subdomain takeover which may be present across OVO teams, and which are feasible to detect, they’ll add further misconfiguration checks as well. Simon believes that in the future OVO will increasingly include malicious use cases in their engineering designs and inject those into their overall thinking. He understands that it’s tricky and hopes Open Source Software will be part of the solution, as he says: “It feels like the security community is developing a maturity around how we get the benefits of Open Source and minimise the risks of it. There’s been a noticeable acceleration this year.”
