Slimstock: From Monolithic to API-based Architecture

“As we looked towards building our API focused products we were at a crossroads: do we build API security validations ourselves, or do we leverage external companies?” Daan Majoor - CTO
February 12, 2022

The Business Impact:

Slimstock software’s transition from on-premise monolith to API-based SaaS was no simple feat. Slimstock, the Colorado-based inventory management system founded in 1993, was originally built as a monolithic, on-premise software. It was designed to be downloaded and hosted locally by manufacturers, wholesalers, and retailers.

When customers began asking for a SaaS (Software as a Service) solution in place of the on-premise solution, Slimstock knew they needed to transition away from a monolithic architecture, and towards a leaner, API-based architecture.

The Challenge: Third-party Involvement and Mounting Costs

As the Slimstock team modernized their application, they adopted an API-focused approach to achieve increased agility and remediate feature gaps at lower costs. This API-focused model allowed them to innovate with Mobile and Web interfaces. However, their customers wanted to be able to access the application’s data through APIs directly.

Slimstock needed to test and validate their APIs in-house. This is time-consuming and challenging, as Slimstock would have had to build a team of API security experts, validate every release, and build test cases as things changed. To make matters slightly more complicated, Slimstock was working with a third-party engineering team to develop their SaaS.

As we looked towards building our API focused products we were at a crossroads: do we build API security validations ourselves, or do we leverage external companies? APIsec impressed us with what they were able to do quickly, and the price to value ratio was incredible.
- Daan Majoor - CTO

Challenge Summary

  • Slimstock was transitioning from a monolithic on-premise application to a cloud-based SaaS model
  • Slimstock customers wanted direct API access
  • To make this all happen securely, Slimstock would need to build a team of API security experts, validate every release, and manually test regularly—all of which would send costs skyrocketing.

Solution: A Simple Remedy for a Complex Problem

After evaluating this costly problem and trying a manual penetration testing firm, they soon realized that the manual testing only covered a small portion of their 700 API endpoints. Before long, Slimstock reached out to APIsec.

Firstly, Slimstock needed help securing exposed APIs with confidential data. Secondly, they needed a solution that would work despite a third-party engineering team working away in the background. Thirdly, Slimstock needed assurances that the solution would work even though they had no in-house API or cyber security team. APIsec ticked all the boxes.

Unlike their previous manual penetration tests, which were only checking for vulnerabilities, APIsec began testing Slimstock’s API for business logic flaws, which are a popular way for hackers to gain access to confidential data.

Solution Summary

  • APIsec’s initial API risk discovery scanning took just 24 hours
  • APIsec was deployed seamlessly into the staging environment without disruption to the CI/CD workflow of the third-party engineering company.
  • Slimstock no longer needed to hire in-house API security experts, as APIsec was handling the automated testing and reporting for them.

The Results: Pre-emptive & Cost-effective API Security

Despite Slimstock’s API having over 500 endpoints, APIsec nestled into the staging environment to provide automated vulnerability and logic testing with total coverage.

Before long, Slimstock could inform their customers, partners, and investors that they weren’t just protecting against API attacks, they were actively preventing them, too.

Results Summary

  • All 500 API endpoints are now secured and continuously tested by APIsec.
  • Slimstock’s window of vulnerability has been closed from one manual penetration test per year, to tests taking place at every build completion.
  • Rather than spending $20,000-$50,000 per year on manual penetration testing, Slimstock now pays a fraction of that fee for broader and deeper testing done on a far more regular basis.

Total Coverage of 500 API Endpoints, at a Fraction of the Cost

After just a week of onboarding, APIsec was in place and working with more efficiency than a manual penetration test, and for a lesser cost than it takes to hire an API security expert.

The APIsec team was incredible to work with; they stepped in as partners and integrated and drove the implementation of the solution into our process. We were shocked at the process, speed, efficiency, and the focus on our success the APIsec team had for our challenges.
- Daan Majoor - CTO