Case Study: How Paidy Cut Their Pen Testing Budget in Half With APIsec

Paidy was looking for a way to achieve full API security testing coverage on every release of their application, continuously test integrations, and quickly generate tickets for developers.
Published: April 12, 2022
Read Time: 5 min

Paidy is a popular online payment platform primarily serving the Japanese market.

Using machine learning, the application determines the creditworthiness of a consumer related to a particular purchase and underwrites those transactions in seconds, guaranteeing payments to merchants.

As the platform was adopted by more and more partners, figuring out an effective way to ensure continuous API security testing quickly became their top priority.

The Goal: Fully Automated API Security Testing 

With APIs well on their way to becoming a primary attack vector for cybercriminals, it was critical for Paidy to expand their API security testing coverage and reduce their exposure.

To achieve full API security coverage, tests needed to run every time an update was released to any API that integrated with their platform. This would shrink the window of vulnerability between the moment a flaw is introduced and the moment it is detected.

Boosting API security testing would help them prove to their integration partners that Paidy's APIs were secure, a major selling point for any FinTech company.

The Challenge: Limited Internal Resources

Paidy first tried to solve the problem with internal resources, writing and executing test cases by hand. This worked to a degree, but the tests were only run annually, leaving far too long a period of exposure between checks. It became evident that Paidy lacked two key resources:

  1. A large enough engineering team to sustain consistent manual pen testing
  2. The specific expertise required to build and execute an API testing process

From an API security perspective, every endpoint, every call, every input parameter and every method is a potential vulnerability that attackers can abuse to reach their goal. Because most vulnerabilities live in the business logic behind the API, the constant changes in the application layer create new API security threats with every release or update. This leads to the need for a complete API security check each time the application's source code changes.
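The principle above, that every endpoint, method and parameter is attack surface and that every release can change it, is something a team can operationalise even before bringing in a platform. The script below is an added illustration, not code from the page or from APIsec: it enumerates the operation and parameter surface declared in two constructed OpenAPI 3 documents (a "previously tested" release and the current one), diffs them so that every new or changed operation is queued for re-testing on this release, and flags any operation that declares no security requirement, which is the kind of gap a release-time check should never miss. The spec contents, operation names and paths are assumptions made up for the example.

```python
"""Enumerate the attack surface declared in an OpenAPI 3 spec, diff it against
the previously tested release, and flag operations that allow anonymous access.

Added example; the two specs below are constructed and belong to no real
product. They are small enough to read but exercise the three cases that
matter: a new parameter on an existing operation, a brand-new operation, and
an operation that explicitly opts out of authentication.
"""
from typing import Any

# Constructed sample: the release that was last tested.
PREVIOUS_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # global default: bearer token required
    "paths": {
        "/v1/payments": {
            "post": {
                "operationId": "createPayment",
                "parameters": [{"name": "merchant_id", "in": "query", "required": True}],
            },
            "get": {"operationId": "listPayments"},
        },
    },
}

# Constructed sample: the release about to ship.
CURRENT_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v1/payments": {
            "post": {
                "operationId": "createPayment",
                "parameters": [
                    {"name": "merchant_id", "in": "query", "required": True},
                    {"name": "coupon_code", "in": "query"},  # new input this release
                ],
            },
            "get": {"operationId": "listPayments"},
        },
        "/v1/payments/{id}/refund": {  # new operation this release
            "post": {
                "operationId": "refundPayment",
                "security": [],  # explicit opt-out of the global requirement
                "parameters": [{"name": "id", "in": "path", "required": True}],
            },
        },
    },
}

# Keys of a Path Item object that are HTTP operations (everything else, e.g.
# "parameters" or "summary", is metadata).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def requires_auth(security: list[dict[str, Any]]) -> bool:
    """OpenAPI semantics: the list is a set of alternatives; an empty list or an
    empty {} alternative means the operation may be called anonymously."""
    return len(security) > 0 and all(len(alt) > 0 for alt in security)


def surface(spec: dict[str, Any]) -> dict[tuple[str, str], dict[str, Any]]:
    """Map (METHOD, path) to its parameter set and whether auth is required."""
    global_security = spec.get("security", [])
    out: dict[tuple[str, str], dict[str, Any]] = {}
    for path, item in spec.get("paths", {}).items():
        path_level_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = {(p["in"], p["name"]) for p in path_level_params + op.get("parameters", [])}
            # An operation-level "security" key overrides the global one, even when empty.
            security = op["security"] if "security" in op else global_security
            out[(method.upper(), path)] = {"params": params, "auth": requires_auth(security)}
    return out


def retest_plan(prev_spec: dict[str, Any], cur_spec: dict[str, Any]) -> dict[str, list[tuple[str, str]]]:
    """Operations to re-test on this release (new or changed inputs), operations
    that disappeared, and operations callable without authentication."""
    prev, cur = surface(prev_spec), surface(cur_spec)
    added = set(cur) - set(prev)
    changed = {op for op in set(cur) & set(prev) if cur[op]["params"] != prev[op]["params"]}
    return {
        "retest": sorted(added | changed),
        "removed": sorted(set(prev) - set(cur)),
        "unauthenticated": sorted(op for op, meta in cur.items() if not meta["auth"]),
    }


if __name__ == "__main__":
    for section, ops in retest_plan(PREVIOUS_SPEC, CURRENT_SPEC).items():
        print(section, ops)
```

Run against the two constructed specs, the plan queues `POST /v1/payments` (new `coupon_code` input) and `POST /v1/payments/{id}/refund` (new operation) for testing and reports the refund operation as callable anonymously; a CI job that fails on a non-empty `unauthenticated` list turns the page's "test on every release" principle into a gate rather than a calendar reminder.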

After running an external pen test with a third party, Paidy concluded that internal resources alone would not be enough to ensure full API security testing coverage. Another option needed to be explored.

The Solution: Deploying the Industry's Only Automated and Continuous API Testing Platform

When Paidy realized it was time for a new partner to boost their security, they brought in APIsec.

As an AI-based solution, APIsec provided a platform to continuously scan their APIs for vulnerabilities, generate custom-tailored attack scenarios, and create detailed reports after each security check.

Specifically, after looking into their situation, APIsec took four actions that would give Paidy everything they were looking for:

  1. Creating custom security tests for their application.
  2. Continuously running those tests against their application after every update - or on-demand when needed.
  3. Interpreting the results of those tests to uncover true vulnerabilities and providing actionable items to address.
  4. Integrating the findings directly into the workflows for Paidy’s developers to quickly and effectively tackle the identified issues.

Instead of adding complexity to Paidy's processes, these measures let APIsec integrate into their existing systems and turn the reports generated by the automated API attacks directly into tickets for the team.

APIsec provided the Paidy team with hands-on training so they could use the platform to its full potential, while keeping the testing environment safe through role-based access control (RBAC) that covered anonymous users, different user roles and admins.

The Impact: Complete Application Testing through the API on Every Release While Saving 50% of the Pen Test Budget

As a result of their new continuous testing model, Paidy achieved complete application testing through their APIs on every single release.

Unlike the ad-hoc model, continuous testing gave them actionable reports on every release and an audit trail for all security testing.

APIsec lifted the burden of writing and executing thousands of tests off Paidy's shoulders. With APIsec, Paidy can now capture API vulnerabilities as soon as they are introduced, while saving resources, adding an extra layer of security and taking manual error out of the process.

Paidy saved roughly 50% of their manual pen test budget with their new API testing model built with APIsec.

Paidy's success did not go unnoticed. In 2021, the company was acquired by PayPal for $2.7 billion.

Do you want to join Paidy and some of the world’s most successful companies that rely on APIsec to protect their APIs? Get in touch with our team today to schedule a demo or get a free vulnerability assessment.
