Testing Project Info
- Testers: 8 per project
- Geographic Coverage: Global
- Testing Type: Security
- App Type: Web
- Duration: Two Weeks
- Location: California
- Industry: Content Marketing
- Company Size: Startup
- Dev Methods: Agile; all software is developed in-house
Creating content for major brands wasn’t always an easy field to break into. At least not before entrepreneur Rob Salvatore co-founded Tongal. Using the principles of crowdsourcing, Tongal connects the world’s biggest brands to a network of professional content creators who “unlock creative possibilities” through original video campaigns.
“We have a community of everybody,” explained Rob. “It’s not just filmmakers; we have producers, animators, actors. Anybody could have a good idea, and that’s the premise we’ve built on. People can be brushing their teeth, in the shower, driving to work and have a spark. Our platform gives them a way to get rewarded for those ideas.”
As the platform grew in terms of activity, users and transactions, it occurred to Rob and his team that their application could be susceptible to malicious behavior. Since they were working with big brands (with lots of sensitive intellectual property), they figured it was better to be safe than sorry.
“We had always developed our platform from a functional perspective,” said Rob. “We rarely thought about our design in terms of how a hacker might look at it. Once you start thinking like that, it introduces a whole other dynamic. Thankfully we found uTest to help us with security testing.”
This brief case study will highlight how Tongal used a fellow crowdsourcing company to ensure their platform wasn’t only functional, but secure enough for their enterprise-level customers.
Tongal: Meeting Enterprise Security Expectations
As Tongal attracted some of the biggest companies in the world, it became clear that those new customers expected Tongal’s platform security to be on the same level as the brands’ own security practices. Thus, Tongal turned to uTest’s white-hat security experts to check for common vulnerabilities like XSS and other issues. The testers were also told to probe for other security vulnerabilities at their own discretion (on a staging environment, of course). Unsure of what to expect, Rob and his team were immediately impressed.
“They really tried to understand what permissions we were using and how they could be exploited by malicious persons,” said Eugene Retunsky, the company’s lead developer. “For example, they explored the API and found out how to hack a file, how to change a password in a file, how to move a file and how to take possession of a file. Those things had never happened before, but those are the type of issues that can do a lot of damage.”
Rob and Eugene, who had been testing the site themselves, developed a deep appreciation for the role that security testing plays in the greater QA process.
“I don’t think we realized exactly how vulnerable things were,” said Rob. “We learned a lot from them.”