Personal information (telephone number, name, etc.) and payment information that we receive are encrypted in transit.
Data stored on our systems is encrypted or hashed in accordance with industry best practice standards.
All access to sensitive data is limited on a need-to-know basis.
Secure Design and Secure Programming
The Security team is available for all employees to consult with about any security concerns or questions they may have, and works closely together with employees to help resolve these.
Secure Coding Guidelines
Developers are provided with a set of secure coding guidelines based on version 4.0 of the OWASP Application Security Verification Standard (ASVS), to help ensure quality and security in our applications.
Secure Design Review
All major releases undergo a design review by the Product Security team. The Mercari Group follows a shift-left security philosophy and the Security team is involved from the initial stages of the software development lifecycle, ensuring the quality and security of all releases throughout every stage of their development.
Major releases undergo pre-release testing by the Product Security team.
Testing follows a threat-modelling-based methodology and aims to discover and eliminate potential vulnerabilities, with a focus on the OWASP Top Ten.
Releases that do not meet our strict security standards are not approved for release.
End-to-end Security Testing
The Product Security team carries out end-to-end security testing of services.
The Product Security team also offers an end-to-end security testing automation tool (built and maintained in house) to developers to allow them to discover potential vulnerabilities earlier in the development process.
Automated Vulnerability Scanning
The Product Security team carries out frequent static and dynamic analysis of applications to detect potential vulnerabilities. All vulnerabilities found through this scanning follow our vulnerability management workflow to ensure swift remediation.
Vulnerability Management Workflow
Vulnerabilities found in our applications follow a strict workflow to ensure swift remediation. Vulnerabilities are prioritized using a threat-model-based methodology, and an SLA based on the priority and urgency of each vulnerability is agreed with the development team responsible for remediating it. The Security team follows up on all vulnerabilities and ensures their timely remediation.
Third Party Penetration Testing
Penetration testing of our application and corporate environment is carried out periodically by certified third-party vendors to ensure an objective evaluation of our security measures and to pick up anything we may have missed in-house.
In-house Security Training
All employees take our in-house security training when they join the company, and security training is provided on a regular basis in order to improve employees' awareness.
The Security team also provides various security e-learning courses through the company’s learning management system.
Security Champion Program
In addition to training aimed at all employees, the Security team provides a Security Champion Program aimed at developers.
This program enables developers from each domain team to build hands-on security experience, and take greater responsibility in ensuring the security of their domains.
For more details see the following Mercan article
Threat Monitoring and Handling
Monitoring and Analysis
The Security team monitors systems for various indicators of attack, such as unauthorized access attempts and malware infection. The team responds promptly to significant security events and conducts a thorough investigation of potential threats.
A Security Orchestration, Automation and Response (SOAR) tool (developed and maintained in-house by the Security Engineering team) is used to centralize, monitor, and respond to alerts, allowing us to adapt and respond to threats rapidly.
Protecting our users from malicious phishing attacks is a priority.
We work with external organizations and have countermeasures in place to ensure we can take down phishing sites as quickly as possible.
Information Sharing and Cooperation with External Parties
Cyber Bosai Security Awareness Campaign
The Mercari Group takes part in the Cyber Bosai security awareness campaign run annually by LINE, together with other IT industry leaders in Japan including AU, DeNA, DMM.com, NTT Docomo, GREE, Softbank, and Yahoo!
Nippon CSIRT Association Member
The Mercari Group is a member of the Nippon CSIRT Association.