Hyper-Growth Travel Startup Uses Aqua to Secure AWS Fargate Environment

Company Name: Spotnana
Organization Size: 201 - 500 Employees
Industry: Travel
Services: Enterprise Software, Infrastructure, Travel, Corporate Travel, Business Travel, Travel-as-a-Service, SaaS, Travel Technology, and Travel Management Company
HQ: New York, USA
Founded: 2020

  

Customer Overview

Spotnana revolutionizes how people gather in person with technology for cost-effective, personalized global travel. The company is modernizing the travel industry’s infrastructure to bring freedom, simplicity and trust to travelers everywhere. Spotnana has developed a new generation of cloud-based travel technology that puts the needs of travelers first. Its travel-as-a-service platform gives corporations, agencies, suppliers, and technology providers the power to deliver unparalleled travel experiences that bring people together all over the world. 

Spotnana accelerates innovation throughout the travel industry by enabling everyone to benefit from the power of cloud computing, microservices, an open platform, and open APIs. The talented, growing team of more than 200 employees works diligently to creatively and securely tackle the difficult technology problems in the travel industry to power better experiences for travelers globally. 

Spotnana’s popularity has skyrocketed since its launch just a few short years ago, and as the company has scaled to meet demand, security has grown as a priority.

The Challenge: Building Security into AWS Fargate From the Ground-Up

Spotnana is revolutionizing the travel industry by leveraging open cloud and API-first computing technology. The company delivers cost-effective, personalized global travel solutions that bring freedom, simplicity and trust to travelers everywhere. Essential to building that trust is securing the cloud native technology supporting their innovative travel-as-a-service platform. 

The company’s technology is built on AWS Fargate, a serverless compute engine that allows DevOps teams to build and deploy complex containerized applications at scale. While this eliminates most of the infrastructure management effort, the shared responsibility model requires companies like Spotnana to take ownership of the security of their applications, including the code and runtime.

Senior Security Engineer Gabriel Alexandru said that in 2022 Spotnana’s newly formed dedicated security team was working quickly to evaluate the company’s security posture and put foundational protections in place for its AWS Fargate environment.

Spotnana’s CI/CD pipeline includes GitHub, a mix of proprietary AWS tools, such as CodeBuild, and orchestration platforms, such as Harness and Jenkins. They needed security that would fit seamlessly into existing tools and workflows to shift security left and provide end-to-end protection from development through runtime. But Alexandru admits he thought achieving this would be a challenging endeavor. Initially, the team was merely looking for telemetry on their AWS ECS containers without knowing the full extent of protection that was possible. In fact, he didn’t think hardening containers was even an option — until he found Aqua Security. 

“We were building the security function from the ground up and lacked telemetry and protection on our AWS containers. Without forensic evidence of what was happening on those containers, we couldn’t harden runtime and certainly couldn’t prevent anything from happening at runtime.”
Gabriel Alexandru, Senior Security Engineer

Beyond Telemetry: Stopping Cloud Native Threats in DevSecOps

When the Spotnana team began investigating solutions for securing AWS Fargate container environments, Aqua was the clear winner. 

Alexandru found that Aqua provides the most complete cloud native security across the application lifecycle, from development to production. After a quick and smoothly executed proof of concept trial, Spotnana was ready to move forward. Alexandru said he was impressed to see the depth of controls that Aqua could enforce, and he found Aqua’s firewalling function a differentiator.

Now, Aqua is integrated within Spotnana’s software release pipelines as part of their DevSecOps workflows. Aqua can automatically scale along with Fargate environments, no matter how many Spotnana chooses to spin up. Aqua’s Dynamic Threat Analysis assesses the risks that container images pose before running in a live environment, and Aqua’s MicroEnforcer embeds into container images to protect containers wherever they are deployed. Aqua also provides additional protection by monitoring behavioral patterns and indicators of compromise, such as malicious behavior and network activity, to detect and stop container escapes, malware, cryptocurrency miners, code injection backdoors and additional threats.

Fortunately, the team at Spotnana has not seen any major threats. With Aqua, they can deploy containerized applications with confidence, knowing they will not expose their company to runtime risks. 

“Aqua Security had the most comprehensive functionality I'd seen. It not only had full telemetry capabilities but also hardening functionality that helped us prevent running unknown binaries, cryptomining and much more.”
Gabriel Alexandru, Senior Security Engineer

Value that Scales with a Hyper-Growth Startup

Alexandru said his team is pleased with how easily Aqua scales to support the AWS environments and that it doesn’t show a lot of false positives that distract his team. As they expand their usage of Aqua, they plan to explore more of the platform’s vulnerability management capabilities and incorporate the development team into its work for a more collaborative DevSecOps approach. They also plan to add software supply chain security features.

Another major benefit that led Spotnana to their decision was Aqua’s expertise in Kubernetes security because Spotnana intends to move to EKS in the future. 

“Aqua is known as the leader in the Kubernetes space, and that was important to us because we will be moving there at some point in the future,” Alexandru said. “It made sense for us to go with Aqua to future-proof ourselves in the container orchestration space.”

The icing on the cake for the Spotnana security team is the industry-leading research and outreach conducted by Aqua Nautilus. Alexandru said running security for a hyper-growth startup can be all-consuming, but Aqua keeps his team updated about the latest developments and threats, like the most recent Jenkins CorePlague vulnerability, which fortunately didn’t impact Spotnana. 

“Nautilus is conducting some amazing research and sharing really fantastic, thorough educational content. My team and I love it,” Alexandru said. “We appreciate that they contact us directly when something new comes up to ensure important threats are at the forefront of our attention. Then we can quickly go through the process of validating whether it impacts us. It is like having our own research team, and it is extremely appreciated.”

 

“Aqua offers tremendous value. We are seeing it already, and we know there is even more. At this point, we are a small team, so it is just a matter of taking one step at a time and finding the bandwidth to implement all of the great features Aqua offers.”
Gabriel Alexandru, Senior Security Engineer