EstateSpace Case Study

EstateSpace Integrates APIsec to Secure APIs and Save Costs

EstateSpace is a leading software developer for high-net-worth individuals who seek to maintain, protect and maximize the value of their most prized assets. EstateSpace supports streamlining the financial management of these assets in the same way brokers have control over the stocks we own. Protecting the APIs that provide sensitive customer-specific data to the many service providers who aid in the care and safeguarding of assets is of paramount importance to EstateSpace. This is a data-sharing challenge: sensitive information, including but not limited to asset descriptions, asset appraisals, service operating procedures and locations, is exchanged through APIs developed for web and mobile clients.

Challenge

EstateSpace started with a small team of developers and third parties that collaborated to create a solution to manage the assets. With a small team and the sensitivity of the data being of paramount importance, the EstateSpace team was faced with a decision: invest more in the development and testing of the APIs, or use a third party to regularly validate the APIs for security.

“A further challenge of identifying potential security gaps is to not disrupt the development and test flow of the engineers. This means that the tooling needed to play within the existing DevSecOps infrastructure.” Matt Jenks, CTO/CSO

Most companies today neglect security testing, believing that their APIs will not attract the interest of hackers and relying on web application firewalls for protection against all major attacks. It is a difficult problem: business leaders rely on fast releases, but the complexity of today's attacks requires more intensive API security testing and current validation of business logic and attribute-based access control. EstateSpace must ensure that a client cannot see other clients' data and that a service provider cannot see any more of a client's data than they are allowed, all while delivering on demand with precision.

EstateSpace required continuous security coverage and more secure APIs, at the lowest cost possible, with each new version of its application.

Solution

APIsec: automated API risk discovery with integrated DevSecOps.

The security team brought APIsec into EstateSpace, but they knew they needed to get the developers on board. They needed to make the solution easy to consume, without causing friction with the existing development processes or tools.

APIsec began with an automated API risk discovery based on the Swagger definition file. Consuming this definition, the solution built the API feature map automatically, all the way to the business logic layer. The BOTs were then unleashed to create custom security attack vectors that uncover all the business logic flaws, including RBAC, ABAC, application DoS attacks and injection flaws that hackers could use.

APIsec was first introduced into the staging environment, scanning before the EstateSpace application went live to find critical vulnerabilities. Once the categories were enabled, the AI-based matching and categorization process began. The attack vectors were injected, and the AI-driven exploit reporting and remediation engine began to highlight the most critical issues along with suggestions on how to solve them.

As the security team saw the issues, they wanted to bring engineering directly into the process. After demonstrating the value of the system and of early detection to Engineering, the decision was made to integrate directly into the defect management system at EstateSpace. This was taken one step further by tying the execution of the APIsec system directly into the CI/CD environment. That allowed for shift-left execution of the APIsec solution and also a shift right, bringing production into the DevSecOps journey and deeply into the security validation of the solution.

APIsec was able to provide very rich information on each API vulnerability that was uncovered, so developers needed less time to understand the issues and could focus their precious time on fixing issues and on enhancements.

The team at EstateSpace was able to rely on APIsec for all of their API validation requirements, due to the product's ability to execute validated requests and responses with an AI-driven matching and categorization engine. As the development team changes the API, the APIsec solution automatically discovers the added API features, rebuilds the API feature map and then re-launches the BOTs to create new attack vectors. EstateSpace achieved highly secure API-first development at 1/10 the cost of less effective approaches.

“With APIsec as a partner, our privilege escalation testing was put together in under a month, resulting in a great return on investment as the total cost is well below the cost of a single security test engineer.” Derek Showerman, CMO

Key Benefits

Conclusions

APIsec is able to bring API security to EstateSpace at a fraction of the cost of manual methods, bringing in coverage and protections at the speed of their development. To learn more about how APIsec can add security to your API by default and allow your precious resources to be focused on developing faster.