Our client, a renowned health technology startup, was well aware of the expectations surrounding their development security strategy, not to mention the potential ramifications of a data breach.
While HIPAA and HITRUST compliance were a priority, the startup didn’t want security measures to hinder the speed at which their platform was evolving—and it was evolving quickly. In fact, their developers were writing code and pushing it directly into production, bypassing any form of staging environment for the sake of speed, but in spite of security concerns.
After evaluating the fundamentals of their DevSecOps strategy, which was heavily reliant on dynamic scanning, bug bounties, and manual pen tests, the CISO of our client knew the engineering team and the product itself was releasing too quickly for these relatively slow security measures. There was no staging environment where security tests could be performed rather a developer could push to production without security ever testing.
Our client realized that their security had to be built into the development process. Moreover, traditional static code analyzers can’t mitigate the risk when the breaches are due to business logic vulnerabilities.
To balance speed with security, APIsec was first introduced into the staging environment phase. There, APIsec automatically injected attack vectors, and the AI-driven exploit reporting and remediation engine began to highlight the most critical issues, along with suggestions on how to solve them.
APIsec also reacts to the changes made by the development team. APIsec automatically detects any new APIs, endpoints, or added API features, rebuilds the API logic model as a result, and then creates new attacks/tests.
This all happened seamlessly, without developer input. By placing APIsec into the development workflow, the client’s security measures “shifted left”, from post-production reactive measures to pre-production proactivity.
After working with APIsec, our technologists were impressed with the approach and capabilities. Today it is our biggest bang for our security buck.
- The Health Tech Firm CISO
As a result of deploying APIsec, the client eliminated the need for dynamic scanning as well as costly manual penetration tests. They also greatly reduced their bug bounty program.
The deployment of APIsec enabled the client to close its traditionally open window of vulnerability. Whereas before, manual penetration tests and sporadic bug bounties spotted (some) issues, today APIsec is always on, always testing, and always reacting to new code from developers.
APIsec is able to bring API security to this Health Tech giant at a fraction of the cost of manual methods, bringing in coverage and protections at the speed of their development.