Fostering a security-first culture at Mews: Inside our security controls

Amateur musician and chef, professional cybersecurity nerd. I enjoy loud music, spicy food, and helping people innovate securely.

Cybersecurity attacks are on the rise across all industries, especially within hospitality, where high-profile breaches are disclosed at an alarming rate. Now more than ever, it feels important for organisations to be transparent about security for both their customers and the market they serve. One of Mews’ core values is: ‘We’re Open,’ and the goal of this post is to extend that openness to our security approach and dedication to providing a foundation of trust and safety to our employees, customers, and platform users.

Mews’ dedicated Product Security team has integrated a myriad of security controls into our Software Development Life Cycle, aiming to empower development teams to proactively identify and mitigate security risks at every stage of development. We’ll cover some of these controls in this post. In future posts, we’ll share more about the wider security landscape at Mews, addressing topics like incident management, infrastructure security, zero trust, and least privilege.

Security within the SDLC

Fostering a security-first culture: Developer training 

“You cannot inspect quality into a product. The quality is there or it isn’t by the time it’s inspected.” – W Edwards Deming. 

Security, like quality, needs to be “shifted left” – that is, moved as early as possible in the software delivery process. This reduces the cost of remediation and avoids passing defects downstream, where the repair cost is significantly higher. Shifting left on security starts before a line of code is even written; it starts with humans. The human element is a critical aspect of cybersecurity, making education and security culture a first line of defence. At Mews, security is woven into the fabric of how we deliver software. Mews invests in the continuous training and education of its developers to ensure they stay abreast of the latest security threats and best practices. Mews also runs Hack Days, Capture the Flag (CTF) events, and hands-on security exercises to foster positive changes in the security culture and mindset. 

Code integrity: SAST & Secrets Detection 

To reduce the likelihood of bugs or vulnerabilities getting into our codebase, we conduct Static Analysis and Secrets Detection scans across our entire code landscape. These scans ensure potential vulnerabilities are identified and addressed before the application even reaches the testing phase, and this significantly cuts down on the time and effort required for remediation as opposed to detection later in the development cycle.

Photo: Glen Carrie from Unsplash (Lego) via

Managing open-source risks: Software Composition Analysis (SCA)

Open-source components are a fundamental building block in modern software but can often introduce security risks when not managed properly. Mews utilises SCA tooling to mitigate risk associated with third-party libraries and components by checking for known vulnerabilities in open-source code. Additionally, we mandate that these are retrieved through secure channels which are validated, ensuring that the entire software supply chain remains resilient against potential security threats. Mews finally backs this up with an established Open-Source Software Policy, and the Product Security team provides developers with OSS guidance alongside this. 

Attack simulation: Dynamic & penetration testing 

Once the software is built, we leverage some additional controls, and we’ll talk about two of them here. Firstly, automated testing is in place through Dynamic Application Security Testing (DAST), an automated control that moves beyond code analysis by automating real-world attacks on our applications. It provides visibility of additional vectors that attackers may use to exploit our systems. This allows us to uncover vulnerabilities that might only surface at runtime and ensures the application’s resilience in actual deployment scenarios. We naturally also leverage ongoing penetration testing, which gives us broader visibility of external attack vectors.   

Harnessing the power of the crowd: Bug bounty programme 

We recognise that no security model is foolproof, and there is no solution to removing risk entirely. To mitigate some of the remaining risks in our production systems, Mews has implemented community-driven security testing via a bug bounty programme. This programme creates a channel for ethical hackers to collaborate with us responsibly and disclose vulnerabilities. It allows us to address issues before they can be exploited by malicious actors and complement internal tooling and processes with external validation.

Would you like to work with us?

Not sure when you read this post, but hopefully, there is some role suited for you right now. If not, there will be eventually. ✌️

Photo: Diego Jimenez via

The future

We are diligently working on many exciting enhancements as well as entirely new security capabilities for 2024 and beyond. Mews will continue to prioritise a ‘security-first’ mindset and approach, where we will bake security in rather than bolt it on, with infrastructure that provides security guardrails and self-service for our Product Teams. The vision is to rapidly stand up new services and capabilities, where all the above guardrails and more are automatically in place for our builder teams, ensuring ‘security out of the box’. We’ll also continue reinforcing a positive security culture and early engagement by expanding our threat modelling proficiency and adopting a Security Champions programme. 

Look for future updates on our work with security at Mews in 2024 and beyond.

Have product security questions or experiences to share? Find me on LinkedIn!


Amateur musician and chef, professional cybersecurity nerd. I enjoy loud music, spicy food, and helping people innovate securely.

More About