EstateSpace: Cost-effectively Securing Highly Sensitive Data

“A further challenge of identifying potential security gaps is to not disrupt the development and test flow of the engineers. This means that the tooling needed to play within the existing DevSecOps infrastructure.” Matt Jenks, CTO/CSO
Published: April 1, 2022

EstateSpace, a brand of Griffin Global, is asset management software that helps high-net-worth families manage their estates.

Through their suite of services, EstateSpace provides tools to help wealth and estate managers streamline the management of estates.

As the EstateSpace application grew in popularity, the issue of security grew alongside it. Estate managers and wealthy families began asking about the security measures in place to protect their most sensitive data. The only problem was, EstateSpace had no security team to provide the answers and assurances that potential clients needed.

The Challenge: API Security, Without a Security Team

EstateSpace first tried working with a third-party manual penetration testing firm, only to find that they’d need to pay out large sums of money for just a handful of tests per year. Moreover, the penetration tests weren’t covering their 150 API endpoints.

EstateSpace’s developer team also tried hard to spot security vulnerabilities early in the development process, to stop them from ever going live. While this was wise, it wasn’t a total solution by itself. Plus, asking developers to manually inspect and fix their code for security issues and API logic flaws is a surefire way to disrupt development workflows and agile development processes.

Challenge Summary

  • As EstateSpace expanded, their high-net-worth customers began wondering about the protections around their highly sensitive data.
  • EstateSpace had no security team, and were wary of the time and high costs involved in building one.
  • Manual penetration testing was proving to be costly and unable to cover all of EstateSpace’s API endpoints.
  • EstateSpace also wanted a solution that would not disrupt their development speed.

Solution: Automatic Coverage of over 150 API Endpoints

As they searched for a DevSecOps-ready API security solution, EstateSpace soon came across APIsec, finding them to be the perfect fit.

We quickly deployed APIsec into EstateSpace’s development pipeline, meaning that as their developers write software, and as they're updating the logic of the application, APIsec is automatically scanning for vulnerabilities in the background.

This eliminated the need for developers to do these checks manually, and uncovered more vulnerabilities as well as business logic flaws, as APIsec was able to generate over 1,500 playbooks to continuously test each endpoint.

“We addressed our challenges by selecting APIsec to augment our Cybersecurity testing against our API. APIsec was a natural fit.”

“Through the use of playbooks each designed for a particular vulnerability type, APIsec was able to quickly generate approximately 1500 playbooks against over 150 API endpoints, testing thousands of potential vulnerabilities.”

“We found APIsec to be a great partner to work with overall, but especially when it came to our DevSecOps tooling.

This provided developers with all the information needed to debug and identify the source of the defect, resulting in faster closure rates for privilege escalation related defects.”

Before long, APIsec was providing the EstateSpace development team with rich reports, alerting them to every API vulnerability discovered.

Solution Summary

  • APIsec was able to nestle into EstateSpace’s existing development pipeline without disrupting it in the slightest.
  • After generating over 1,500 playbooks, APIsec was automatically and continuously testing and reporting on potential vulnerabilities, saving the development team valuable time.
  • EstateSpace developers no longer needed to manually vet, test, or debug code.

The Results: Tangible API Security, Tangible ROI

EstateSpace has over 150 API endpoints, which could potentially produce thousands of API logic flaws. Despite this, APIsec was able to automatically and continuously test every endpoint and every line of code within the development pipeline, optimizing EstateSpace’s DevSecOps strategy, rather than disrupting it.

Thanks to APIsec being embedded in the development workflow, EstateSpace—and their high-net-worth customers—could feel safe knowing that API vulnerabilities were never seeing the light of day.

Finally, EstateSpace was able to realize all of this value at a relatively low cost compared to hiring an in-house or even outsourced security team. As a result, the ROI was proven by streamlined development processes and by EstateSpace's minimal costs coming out the other end of APIsec's implementation.

Results Summary

  • All 150+ API endpoints are now secured and continuously tested by APIsec.
  • Compared to a handful of manual penetration tests per year, APIsec has successfully closed EstateSpace’s window of vulnerability thanks to always-on scanning and testing.
  • EstateSpace has realized tangible ROI by saving time for developers, and avoiding the need to hire a fully fledged security team.

Holistic API Security In Under a Month

APIsec’s initial scan and reporting process takes just 24 hours. With EstateSpace, the entire implementation process was complete in well under a month.

With APIsec as a partner, our privilege escalation testing was put together in under a month, resulting in a great return on investment as the total cost is well below the cost of a single security test engineer.
- Matt Jenks, Griffin Global CTO
