Seismic: Comprehensive and Continuous API Security

“APIsec provided exceptional support to us throughout the on-boarding and configuration stages. Their capabilities got us testing our APIs for a broad range of vulnerabilities in a very short period of time.” Tim Dzierzek, Director of Information Security
December 9, 2021
Read Time: 5 min read

The Business Impact:

As a leader in sales and marketing enablement, Seismic’s business involves managing sensitive client data. To quell customer fears over data protection, Seismic replaced their costly and limited manual penetration testing program with APIsec’s automated, always-on API vulnerability and logic flaw tests.

As a unicorn, Seismic has faced mounting expectations for years. In 2018, the company grew and rolled out API support, which brought new expectations around protecting confidential client information.

The Challenge: Expensive Yet Ineffective API Security

Seismic’s product was originally a browser-based application. As demand grew for a more interoperable solution that could integrate seamlessly with other enterprise platforms, Seismic moved to an API-driven model.

While Seismic's clients welcomed this change, their security concerns grew.

Seismic’s initial answer was manual penetration testing of its APIs: external teams were hired to attack them and find vulnerabilities. Tests were scheduled every three weeks in an attempt to keep security coverage as current as possible.

While this fairly frequent penetration testing was helpful, Seismic soon realized that costs were mounting, with each round of testing costing between $15,000 and $20,000.

Challenge Summary

  • Seismic’s new API-driven approach had opened it up to new security risks
  • Their traditional scanners and manual penetration tests, although frequently carried out, were only covering 10-20% of their APIs.
  • Each round of manual penetration testing cost between $15,000 and $20,000, or approximately $200,000 per year.

Solution: Automated and Integrated API Security

APIsec began with automated API on-boarding, starting from the Swagger (OpenAPI) definition file. From that definition, and with the first scan results in after just 24 hours, APIsec automatically built the API feature map, down to the business logic layer. It then generated custom attack vectors to surface the business logic flaws around RBAC, ABAC, application-layer DoS, and injection that an attacker could exploit.

The team at Seismic was able to rely on APIsec for all of its API validation requirements because the product executes requests and validates the responses with an AI-driven matching and categorization engine. As the development team updates and extends the API, APIsec automatically discovers the added API features, rebuilds the API feature map, and re-launches its bots to execute new attack vectors.
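To make the spec-driven approach concrete, here is an added illustrative example; it is not APIsec’s code and is not taken from the case study. It parses a constructed OpenAPI document, flattens it into an operation map, generates function-level (BFLA: caller lacks the required scope) and object-level (BOLA: caller touches another user’s object) authorization vectors, plus positive controls, and runs them against an in-process fake API that has a deliberate BOLA flaw in one operation. The sample spec, the principals, the fake API, and the convention that a scope ending in `:admin` permits cross-user access are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# --- Constructed sample inputs (assumptions for this example) -----------------

# Minimal OpenAPI 3 document. Each operation declares the OAuth scopes it needs
# via the standard `security` field; `{id}` marks a per-user resource.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get":    {"operationId": "getUser",    "security": [{"oauth": ["users:read"]}]},
            "delete": {"operationId": "deleteUser", "security": [{"oauth": ["users:admin"]}]},
        },
        "/reports": {
            "get":    {"operationId": "listReports", "security": [{"oauth": ["reports:read"]}]},
        },
    }
}

# Test principals: granted scopes and the user id each one owns.
PRINCIPALS = {
    "alice": {"scopes": {"users:read", "reports:read"}, "user_id": "1"},
    "bob":   {"scopes": {"users:read"},                 "user_id": "2"},
    "admin": {"scopes": {"users:read", "users:admin", "reports:read"}, "user_id": "0"},
}

@dataclass(frozen=True)
class Operation:
    op_id: str
    method: str
    path: str
    scopes: frozenset

@dataclass(frozen=True)
class Vector:
    kind: str          # "CONTROL", "BFLA" or "BOLA"
    op_id: str
    principal: str
    method: str
    path: str
    expect_denied: bool

def build_feature_map(spec):
    """Flatten paths x methods into operations with their required scopes."""
    ops = []
    for path, methods in spec["paths"].items():
        for method, meta in methods.items():
            scopes = set()
            for requirement in meta.get("security", []):
                for scope_list in requirement.values():
                    scopes.update(scope_list)
            ops.append(Operation(meta["operationId"], method.upper(), path, frozenset(scopes)))
    return ops

def is_admin(principal):
    # Assumed convention: any "<resource>:admin" scope grants cross-user access.
    return any(s.endswith(":admin") for s in principal["scopes"])

def generate_vectors(ops, principals):
    """Derive authorization attack vectors from the operation map."""
    vectors = []
    for op in ops:
        for name, p in principals.items():
            has_scope = op.scopes <= p["scopes"]
            own_path = op.path.replace("{id}", p["user_id"])
            # Function-level check: call with the caller's own object; a caller
            # without the scope must be denied, one with it must be allowed.
            vectors.append(Vector("CONTROL" if has_scope else "BFLA",
                                  op.op_id, name, op.method, own_path, not has_scope))
            # Object-level check: a scoped but non-admin caller must be denied
            # on another user's object even though the scope check passes.
            if "{id}" in op.path and has_scope and not is_admin(p):
                other_id = next(q["user_id"] for n, q in principals.items() if n != name)
                vectors.append(Vector("BOLA", op.op_id, name, op.method,
                                      op.path.replace("{id}", other_id), True))
    return vectors

def fake_api(method, path, principal):
    """Constructed target. GET /users/{id} checks scope but not ownership (BOLA)."""
    p = PRINCIPALS[principal]
    if re.fullmatch(r"/users/\d+", path):
        if method == "GET":
            return 200 if "users:read" in p["scopes"] else 403   # missing owner check
        if method == "DELETE":
            return 204 if "users:admin" in p["scopes"] else 403
    if path == "/reports" and method == "GET":
        return 200 if "reports:read" in p["scopes"] else 403
    return 404

def run(vectors, api):
    """Execute each vector and report mismatches between expected and observed."""
    findings = []
    for v in vectors:
        status = api(v.method, v.path, v.principal)
        denied = status in (401, 403, 404)
        if denied != v.expect_denied:
            findings.append((v.kind, v.op_id, v.principal, v.method, v.path, status))
    return findings

def run_suite(spec=SPEC, principals=PRINCIPALS, api=fake_api):
    return run(generate_vectors(build_feature_map(spec), principals), api)

if __name__ == "__main__":
    for f in run_suite():
        print("FINDING", *f)
```

Against the constructed target this reports two BOLA findings on `getUser` (alice reading `/users/2`, bob reading `/users/1`) and nothing else: the scope checks hold, so the function-level vectors pass, and only the missing ownership check is flagged. Re-running `run_suite` after every spec change is the continuous part; new operations in the spec automatically get new vectors.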

Solution Summary

  • APIsec’s initial API risk discovery scanning took just 24 hours
  • APIsec was deployed seamlessly into the staging environment without disruption to CI/CD workflows.
  • Seismic developers could focus on building their APIs, knowing that APIsec would automatically update its attack vector playbook to scan them thoroughly.

The Results: A Wide Range of Vulnerabilities Revealed Rapidly, For a Fraction of the Cost

APIsec provided exceptional support to us throughout the on-boarding and configuration stages. Their capabilities got us testing our APIs for a broad range of vulnerabilities in a very short period of time.
- Tim Dzierzek, Director of Information Security, Seismic

With APIsec continuously working in Seismic’s staging environment, Seismic eliminated the need for its separate dynamic scanning as well as its recurring and costly manual penetration tests.

Instead, APIsec outperformed Seismic’s legacy API security testing immediately, finding a wider range of vulnerabilities without the manual effort previously required. As a result, APIsec essentially paid for itself in just three months.

With APIsec shifting Seismic’s security testing “left” into the CI/CD workflow, the company could now say it was proactive about security rather than reactive, and that its APIs had been tested before the code shipped.

Our customers ask us what we are doing to protect their sensitive data on Seismic, and once they see what we have done with APIsec their confidence in us grows.
- Tim Dzierzek, VP of Information Security

Results Summary

  • Seismic’s manual penetration tests were replaced by APIsec’s continuous, automated testing and reporting—at a fraction of the cost
  • Finally resolved questions about data security through the API layer for their customers
  • Business Logic Layer API Security testing and certification allows Seismic’s team to focus on innovating
  • Security processes shifted left into the CI/CD pipeline, enabling a proactive rather than reactive approach to API security and a stronger partnership between Seismic's InfoSec and DevOps teams.
  • APIsec paid for itself in less than three months

Enterprise-grade API Security at a Fraction of the Cost

APIsec’s successful integration into Seismic’s CI/CD workflow has allowed the company to keep building and growing without disruption to development or unmanaged API security risk.

The APIsec team are great partners to work with on the journey of securing our APIs. They partner with us to continue to increase the coverage and security of the API.
- Tim Dzierzek, VP of Information Security