Rapid growth meant Wolt’s infrastructure expanded from a few servers to several hundred in a short period of time, creating gaps in visibility.
As Wolt added more developers and cloud services, security needed to manage the risk to its infrastructure across teams, without being a blocker to getting work done.
Wolt needed visibility across its cloud environment and a better understanding of the complexities of interactions between services.
With greater visibility across its growing cloud environment Wolt can detect issues before they become larger problems.
Wolt automated security notifications and integrated Wiz with Slack to operationalize alerts, so teams could share data more easily and react to threats faster.
Wolt was able to gain an understanding of how different services within its AWS cloud interacted, so it could fix issues in one system without impacting a connected one.
Anything you can possibly imagine, delivered
Wolt is on a mission to make cities better places to live by providing people with fast and reliable deliveries of (almost) anything they want, as well as providing additional sales to local merchants and restaurants and flexible earnings to local couriers.
Wolt’s online platform connects people looking to order food and other goods with people interested in selling and delivering them. To enable this, Wolt develops a wide range of technologies from local logistics to retail software and financial solutions – as well as operating its own grocery stores under the Wolt Market brand. Wolt’s products include Wolt+ (subscription service for customers), Wolt at Work (meal benefits and office deliveries for companies), Wolt Drive (fast last-mile deliveries for merchants) and Wolt Self-Delivery (service for merchant partners with their own delivery staff). Wolt’s mission is to make cities better by empowering and growing local communities. Wolt was founded in 2014 in Helsinki, Finland and joined forces with DoorDash in 2022. DoorDash operates in 27 countries today, 23 of which are with the Wolt product and brand.
With a network this large and growing, the security challenges are endless.
The security team considers itself a business enabler, fostering collaborative relationships with all teams throughout the company. “We are the Department of Yes; we want to enable our employees to do what they do best. We don’t say no—we ask how,” says Tomi Tuominen, Wolt’s VP of Security.
The company was born in AWS and is currently running its own self-hosted Kubernetes clusters. “It started simple,” says Tuomas Vähänen, Security team member at Wolt. “We had a couple of databases, and now we have 200. Managing them is a full-time job.”
Managing the impact of growth on infrastructure and people
As Wolt added more developers to the team and built new products and services, the challenges to manage and secure its growing cloud footprint became clear. AWS offered hundreds of services, but the interactions between those services increased the complexity of securing them.
“It’s very difficult to secure something that is constantly changing. You might change a configuration to make something more secure and then realize it’s used by another Amazon service that will expose you elsewhere,” says Adi Shammout, Security team member at Wolt. “The complexity was increasing rapidly as our cloud footprint was growing, and we needed to do something to gain control.”
Compensating for a mix of new and tenured employees also presented unique challenges. People bring different processes with them, so Wolt needed to see how teams were working, not just what they were working on. How could security standardize processes without being a blocker to getting work done? Tuominen points out that when you’re onboarding 100 people per week, you must be mindful of all your processes, and they need to be extremely well documented.
When services are growing fast, it means more cloud resources are being created. It can be time-consuming, costly, and stressful to stay on top of that. Visibility becomes the biggest issue.
Adi Shammout, Security team member, Wolt
At Wolt’s scale of operations, looking for individual findings or vulnerabilities becomes impractical. To faster identify issues in development, Wolt shifted its thinking to be more efficient and began to scan code and infrastructure earlier in the process. This way, Wolt was able to avoid having to dedicate more resources to find and fix a problem later on. Wolt’s team needed to find a solution that helped them avoid any bugs - seamlessly.
“We’re always trying to shift left; we’re always trying to eliminate complete vulnerability classes or clusters of issues in one shot,” says Tuominen. “We wouldn’t have chosen a tool that doesn’t provide value and time efficiency on everyday use.”
Seeing is believing.
Wiz was first deployed in 2020 and was instrumental in helping the security team stay ahead of the company’s rapid growth. Wolt immediately found value in Wiz’s agentless scanning, with its simple deployment, comprehensive coverage, and minimal required management. In addition, Vähänen points out that being on Kubernetes made the agentless deployment for Wolt’s AWS account easy.
Wolt identifies and remediates misconfigurations in its build time and runtime and enforces its own carefully designed custom policies with a built-in compliance framework using Wiz. All infrastructure teams across Wolt access Wiz and are responsible for remediating issues in their own purview, freeing up the security team to focus on higher-value projects.
The security team monitors the organization’s growing resources across its cloud environment using Wiz’s easy-to-read dashboard. “The peace of mind you receive once you open the Wiz dashboard and realize everything is going to be OK has tremendous emotional impact,” says Shammout.
Additionally, the Wiz Security Graph helps Wolt security teams save even more time by prioritizing the most important issues with the context to evaluate the entire attack surface. “It helps connect the dots,” says Vähänen. Some teams are even using the Wiz Security Graph for operational purposes and not just security, leveraging the data it produces to track connectivity across different nodes.
Being able to offer this visibility internally is critical. It’s not just about the security team. Wiz facilitates collaboration across all teams.
Tomi Tuominen, VP of Security, Wolt
Best of both worlds
The ability to see what teams across the organization are working on gives Wolt the confidence to encourage business as usual. It can automatically notify the appropriate team when an issue is detected, avoiding gating processes that disrupt workflow. By integrating Wiz with Slack, the most relevant team members are alerted immediately and can get things fixed faster. Teams can also quickly get on the same page about what the issues are and how to prevent them in the future.
“The biggest thing is having observability over your whole cloud presence,” says Tuominen. “We don’t want to be a blocker. We want the product teams to be able to do what they do best and deploy whatever they want, but if they are not complying with our security standards, we can see that and help them work in a safer environment.”
All in a day’s work
Wiz has already proven itself in helping Wolt to tackle significant cyberthreats. Wolt’s security team first learned about a vulnerability in logging software Log4j at 8 a.m. on the morning it appeared. They had hundreds of microservices, each needing its own web application firewall, so they could block the Log4j payloads. But by 11 a.m., they had already blocked all of the most critical assets for the initial payloads. And less than 24 hours later, they could confirm that no vulnerabilities went through. “This would have been a huge job without the visibility that Wiz provided us,” says Vähänen. In the end, Wiz helped Wolt identify what needed to be prioritized and blocked any Log4j from infiltrating the server cluster.
Wiz was extremely useful with Log4j. It allowed us to evaluate our real attack surface. Knowing what you have out there is half the battle.
Tomi Tuominen, VP of Security, Wolt
Being mindful of how security spends its time.
Throughout the growth over the past years, Wiz has been able to help maintain the delivery platform’s security posture. “You need to have visibility. Otherwise, this won’t work. Wiz understands how attackers work, and the concept of attack graphs and maps,” says Tuominen. “It’s one step at a time, jumping through hoops, pivoting to do different things.”
Wolt understands that to keep growing while maintaining the security of its platform, it needs continued visibility. In its growth journey, the company will rely on Wiz to maintain its security hygiene while moving forward with confidence.