Case study · Axos

Axos replaces quarterly pen tests with continuous validation

A digital bank replaced expensive quarterly pen tests with continuous validation across 700+ APIs.

700+
APIs validated
50%
lower testing cost
300+
issues resolved in Q1

The challenge

Axos ran quarterly, externally sourced penetration tests that were expensive and left 90-day gaps between checks. Across hundreds of applications, from mortgages to account services, it was nearly impossible to staff experts for every app.

What they did

Axos partnered with apisec for automated, continuous validation across its entire API network, with tests at every build and detailed, actionable reporting after each run.

The outcome

Axos now validates 700+ APIs continuously, cut testing cost by 50%, and detected and remediated 300+ issues in the first quarter, while cutting time to remediate by 70%.

About Axos

Company: Axos
Founded: 2000
Industry: Banking and Financial Services
Mission: Born digital, we challenge the status quo by liberating you from the constraints of traditional banking. With technology-driven financial services that evolve to meet your needs, we help you stay ahead in life and business.

Axos, a leader in digital banking, offers a range of services, including mortgages, account openings, credit card services, and money transfers. As they expanded, ensuring continuous Application security became critical to protect their extensive application ecosystem.

The Challenge: Achieve Continuous Validation of Application Security Across a Complex and Vast API Ecosystem

Axos needed to address gaps in its security checks that left it vulnerable to API exploitation. Its quarterly, externally sourced pen testing was expensive and insufficient for complete application security coverage, and the 90-day intervals between tests left potential security flaws unaddressed for too long.

Key Goals:

  • Achieving continuous application security coverage.
  • Real-time validation of application security to promptly address potential threats.

Axos needed to address gaps in its security checks that left it vulnerable to API exploitation. Its quarterly, externally sourced pen testing was expensive and insufficient for complete application security coverage, and the 90-day intervals between tests left potential security flaws unaddressed for too long. Axos faced significant hurdles due to the sheer volume and complexity of its API ecosystem. With hundreds of applications ranging from mortgages to account services, each application varied in complexity and data requirements.

Key Challenges:

  • Managing a vast number of applications with varying complexities.
  • Finding security talent capable of addressing the diverse security needs of all applications.
  • Ensuring internet-facing applications were secure against external threats.

With hundreds of developers working across numerous applications, it was virtually impossible to find security experts capable of handling the security demands for all apps.

The Solution: Automated and Continuous API Testing

Axos partnered with apisec, the industry’s only automated and continuous API testing platform. apisec's AI-based platform pressure-tested the entire API network, ran continuous scans throughout development, and delivered detailed reports after each test.

Key Features Leveraged:

  • Advanced testing of the entire network of applications.
  • Continuous validation, including on-demand and new-release testing.
  • Identification of vulnerabilities with actionable intelligence for developers.
  • Integrated reporting to streamline development workflows.

The Business Impact

apisec mitigated vulnerabilities and provided Axos with the necessary security coverage without disrupting their intricate applications and development processes.

Application Security Coverage:

  • Number of APIs covered: 700+
  • Frequency of automated tests: Continuous, with tests at every build completion

Cost Savings:

  • Reduction in manual pen-testing costs: 50%

Vulnerability Detection:

  • Number of vulnerabilities detected and remediated: 300+ in the first quarter

Time to Remediate:

  • Average time to remediate identified vulnerabilities: Reduced by 70%

Integration Efficiency:

  • Time to integrate apisec: <1 week

Operational Efficiency:

  • Reduction in security-related disruptions: 40%
  • Number of actionable reports generated: 150+ per month

Developer Productivity:

  • Time saved on security testing: 30% reduction in manual efforts

Compliance:

  • Compliance standards maintained: SOC II, GDPR, CCPA

Incident Response Improvement:

  • Reduction in mean time to detect (MTTD) and mean time to respond (MTTR): 50%

Looking Ahead: Sustaining Security Excellence

Axos is committed to maintaining and enhancing its application security practices with a focus on the following:

  • Expanding Testing Coverage: Broadening the scope of application security tests to cover new functionalities and services.
  • Enhancing Automation: Increasing automation in security processes to reduce manual intervention and accelerate response times.
  • Ongoing Training: Investing in continuous training for development and security teams to stay updated with the latest security practices and threats.
  • Collaborating with apisec: Leveraging new features and updates from apisec to enhance their security posture.

By prioritizing these areas, Axos aims to maintain robust API protection and ensure the highest standards of security and reliability for its customers

·