Health Tech Firm Secures APIs, Sees ROI in 30 days

"After working with APIsec, our technologists were impressed with the approach and capabilities. Today it is our biggest bang for our security buck." The Health Tech Firm CISO

Published: April 1, 2022
Read Time: 4 min read

Founded in 2017, this Health Tech firm found itself growing exponentially both in terms of users and features. With HIPAA and HITRUST compliance at the top of their priorities list, the client needed to find a solution that could marry a fast-moving CI/CD pipeline with enterprise-grade API security.

Our client, a renowned health technology startup, was well aware of the expectations surrounding their development security strategy, not to mention the potential ramifications of a data breach.

While HIPAA and HITRUST compliance were a priority, the startup didn't want security measures to hinder the speed at which their platform was evolving, and it was evolving quickly. In fact, their developers were writing code and pushing it directly into production, bypassing any form of staging environment for the sake of speed and in spite of security concerns.

The Challenge: Balancing Speed and Compliance

After evaluating the fundamentals of their DevSecOps strategy, which was heavily reliant on dynamic scanning, bug bounties, and manual pen tests, the CISO of our client knew the engineering team and the product itself were releasing too quickly for these relatively slow security measures. There was no staging environment in which security tests could be performed; instead, a developer could push to production without security ever testing the code.

Our client realized that their security had to be built into the development process. Moreover, traditional static code analyzers can’t mitigate the risk when the breaches are due to business logic vulnerabilities.

Challenge Summary

  • The client needed to achieve HIPAA and HITRUST compliance
  • Their in-house developers were not security experts
  • Delaying the release of new product features to do security testing was not an option
  • Their push-to-production environment required fast assessment of API security flaws

Solution: API Security Built Into the CI/CD Pipeline

To balance speed with security, APIsec was first introduced into the staging environment phase. There, APIsec automatically injected attack vectors, and the AI-driven exploit reporting and remediation engine began to highlight the most critical issues, along with suggestions on how to solve them.

APIsec also reacts to the changes made by the development team. APIsec automatically detects any new APIs, endpoints, or added API features, rebuilds the API logic model as a result, and then creates new attacks/tests.

This all happened seamlessly, without developer input. By placing APIsec into the development workflow, the client’s security measures “shifted left”, from post-production reactive measures to pre-production proactivity.

Solution Summary

  • APIsec's initial API security scanning took a few hours to deploy.
  • APIsec was deployed seamlessly into the CI/CD process without disruption to development; the developers became aware of issues as they were coding.
  • With detailed reports and suggested fixes, developers actually saved time, enabling them to focus more of their efforts on coding new features.
  • Security became part of the developers' remit, instead of the responsibility of another team.

The Results: Enterprise-grade API Security, Rapid ROI & the Confidence to Build Faster


As a result of deploying APIsec, the client eliminated the need for dynamic scanning as well as costly manual penetration tests. They also greatly reduced their bug bounty program.

The deployment of APIsec enabled the client to close its traditionally open window of vulnerability. Whereas before, manual penetration tests and sporadic bug bounties spotted (some) issues, today APIsec is always on, always testing, and always reacting to new code from developers.

Results Summary

  • Replaced irregular, manual penetration tests with continuous, automated testing and reporting.
  • Generated immediate, measurable ROI based on reduced security costs alone.
  • Removed the burden of business logic API testing, allowing the client's team to focus on building great products.
  • Integrated security testing into the CI/CD pipeline ("shift left"), enabling a proactive rather than a reactive approach to API security.

Enterprise-grade API Security at a Fraction of the Cost

APIsec brings API security to this Health Tech giant at a fraction of the cost of manual methods, delivering coverage and protection at the speed of their development.
