EstateSpace, a brand of Griffin Global, is an asset management software that helps high-net-worth families manage their estate.
Through their suite of services, EstateSpace provides tools to help wealth and estate managers streamline the management of estates.
As the EstateSpace application grew in popularity, the issue of security grew alongside it. Estate managers and wealthy families began asking about the security measures in place to protect their most sensitive data. The only problem was, EstateSpace had no security team to provide the answers and assurances that potential clients needed.
EstateSpace first tried working with a third-party manual penetration testing firm, only to find that they’d need to pay out large sums of money for just a handful of tests per year. Moreover, the penetration tests weren’t covering their 150 API endpoints.
EstateSpace’s developer team also tried hard to spot security vulnerabilities early in the development process, to stop them ever going live. While this was wise, it wasn’t a total solution by itself. Plus, asking developers to manually inspect and fix their code for security issues and API logic flaws is a surefire way to disrupt development workflows and agile development processes.
A further challenge of identifying potential security gaps is to not disrupt the development and test flow of the engineers. This means that the tooling needed to play within the existing DevSecOps infrastructure.
- Matt Jenks, CTO/CSO
As they searched for a DevSecOps-ready API security solution, EstateSpace soon came across APIsec, finding them to be the perfect fit.
We quickly deployed APIsec into EstateSpace’s development pipeline, meaning that as their developers write software, and as they're updating the logic of the application, APIsec is automatically scanning for vulnerabilities in the background.
This eliminated the need for developers to do these checks manually, and uncovered more vulnerabilities as well as business logic flaws, as APIsec was able to generate over 1,500 playbooks to continuously test each endpoint.
“We addressed our challenges by selecting APIsec to augment our Cybersecurity testing against our API. APIsec was a natural fit.”
“Through the use of playbooks each designed for a particular vulnerability type, APIsec was able to quickly generate approximately 1500 playbooks against over 150 API endpoints, testing thousands of potential vulnerabilities.”
“We found APIsec to be a great partner to work with overall, but especially when it came to our DevSecOps tooling.
This provided developers with all the information needed to debug and identify the source of the defect, resulting in faster closure rates for privilege escalation related defects.”
Before long, APIsec was providing the EstateSpace development team with rich reports, alerting them to every API vulnerability discovered.
EstateSpace has over 150 API endpoints, which could potentially produce thousands of API logic flaws. Despite this, APIsec was able to automatically and continuously test every endpoint and every line of code within the development pipeline, optimizing EstateSpace’s DevSecOps strategy, rather than disrupting it.
Thanks to APIsec being embedded in the development workflow, EstateSpace—and their high net worth customers—could feel safe knowing that API vulnerabilities were never seeing the light of day.
Finally, EstateSpace was able to realize all of this value at a relatively low cost compared to hiring an in-house or even outsourced security team. Resultantly, the ROI was proven by streamlined development processes and by EstateSpaces' minimal costs coming out the other end of APIsec's implementation.
APIsec’s initial scan and reporting process takes just 24-hours. With EstateSpace, the entire implementation process was complete in well under a month.
With APIsec as a partner, our privilege escalation testing was put together in under a month, resulting in a great return on investment as the total cost is well below the cost of a single security test engineer.
- Matt Jenks, Griffin Global CTO