Ada is an Automated Brand Interaction company whose award-winning platform bridges the gap between brands and the people they care about. With the power of Ada, over 320 brands have automated over 2.6 billion interactions to deliver excellent customer experiences.
Ada, like many companies, was initially focused on shipping product and innovating as quickly as possible to provide customer value. This early-stage growth left a rapidly scaling organization with a broad library of APIs (some very robust) and inconsistent API documentation. Ada’s security organization knew they wanted to embrace an automated, continuous, and proactive approach to API security that was true to their shift-left security mindset. This meant they needed to find an API security solution that would neither introduce development friction nor impact platform performance.
“Ada solutions are heavy transaction systems; every layer in the system slows it down and impacts speed, which degrades the end-user experience. As a result, a critical requirement was that we find an API security solution that would deliver the right security insights and level of detail to address vulnerabilities without impacting the speed or performance of the applications. We couldn’t deploy a solution that relies upon a proxy, or agent, or wedge, or anything similar that needs to be inserted into our solutions or run in a production environment,” said Jason Barr, CISO at Ada. “This posed a bigger challenge than we anticipated as 90% of the solutions we ran across employed one of these models.”
Ada chose APIsec as a cornerstone of their API security program to ensure they had a strategy and solution that allows them to
With APIsec, Ada is able to proactively protect their APIs through automated, continuous API penetration testing to uncover and remediate the security vulnerabilities and logic flaws that can lead to breaches and data loss.
“We evaluated A LOT of API security solutions. But even the solutions that promised to run parallel, without any code or agent, or proxy to run, still had to insert something up front in order to learn our APIs and create the Postman or Swagger files they needed. APIsec was unique. The only requirement was that I give them our URL and from there, the APIsec solution was able to learn each API, identify all of our endpoints, and reverse-engineer the documentation we needed to onboard our APIs. We had been trying and failing with another solution for months to get to this point.”
“While many companies talk about a shift-left model, at Ada, we really embrace that. Security is a wholly separate team from development, but everything we do is centered on the belief that security is baked in from the start. That said, security pros are not developers. Without meticulous API documentation, or an understanding of how APIs are built and function, they will struggle to test them, requiring developer support which creates friction. Because APIsec helps our security team fill documentation gaps, we eliminate that point of friction. Then comes the quality and timeliness of anything security might find during our testing process. With APIsec, we capture and deliver critical insights about vulnerabilities with very little noise (false positives) and feed those insights along with the details needed to address them directly into our existing ticketing system as part of the CI/CD process.”
“Like most organizations, our security team is a fraction of our development team. It didn’t make sense to deploy full-time (internal or external) resources for API security testing for a few reasons:
APIsec gives us the ability to proactively, continuously pen test our APIs with less than a single, dedicated resource, and frees up that resource to focus additional time on only the most complex/new attack scenarios.”
“In addition to supporting our annual SOC II certification process, the continuous and detailed insights from the APIsec platform help Ada ensure we are maintaining proper cybersecurity hygiene and remain good stewards of customer data in line with GDPR and CCPA.”