Seismic Case Study
Seismic Secures Customer Sales Data Access Via API Using APIsec
Seismic is the recognized leader in sales and marketing enablement, equipping global sales teams with the knowledge, messaging and automatically personalized content to be most effective for any buyer interaction. Founded in 2010, Seismic is headquartered in San Diego with additional offices in North America, Europe, and Australia.
In 2018, the Information Security Team at Seismic realized that their engineers were adding extensive API support to their services to meet customer needs. Seismic Director of Information Security Tim Dzierzek and his team are responsible for protecting confidential customer information, something Seismic takes extremely seriously. They must be able to prioritize this while still performing their other duties. Therefore, any safeguards implemented must demand few resources from the team while keeping pace with the Engineering team's delivery velocity.
The Seismic team's first step was to use traditional web application security solutions, namely dynamic web application scanning tools and vulnerability scanners. However, it quickly became clear that those solutions were inadequate because they covered less than 10% of the API surface area. The Information Security team recognized that the real challenge lies in the API's business logic, which is unique to each application, and that generic solutions would struggle to address it. The team needed a more effective and efficient solution.
“APIsec provided exceptional support to us throughout the on-boarding and configuration stages. Their capabilities got us testing our APIs for a broad range of vulnerabilities in a very short period of time. This allowed us to focus our valuable resources on working with our Engineering teams instead of building complex test cases for our APIs.” Tim Dzierzek, Director of Information Security
APIsec: automated API risk discovery with integrated DevSecOps.
When the InfoSec team brought APIsec into Seismic, they knew adoption had to be quick and must not require hand-holding from engineering.
APIsec began with automated API risk discovery driven by the Swagger definition file. Consuming this definition, the solution built the API feature map automatically, all the way down to the business logic layer. The bots then generated custom attack vectors to exercise that business logic and uncover RBAC, ABAC, application-layer DoS, and injection flaws that attackers could use.
APIsec was first introduced into the staging environment, scanning before Seismic applications went live in order to find critical vulnerabilities early. Once the test categories were enabled, the AI-based matching and categorization process began. Attack vectors were injected, and the AI-driven exploit reporting and remediation engine began to highlight the most critical issues along with suggestions on how to fix them.
“The APIsec team are great partners to work with on the journey of securing our APIs. Initially, we thought we’d integrate APIsec and take over the complete operation of it, but the team has been awesome to work with. They partner with us to continue to increase the coverage and security of the API.”
APIsec provided rich information to the developers on every API vulnerability discovered, covering authorization flaws, application-layer DoS exploits, and injection flaws. This reduced the time spent debugging and remediating, allowing developers' limited time to be focused on fixing issues and building enhancements.
The team at Seismic was able to rely on APIsec for all of their API validation requirements, because the product executes requests and validates responses through its AI-driven matching and categorization engine. As the development team changes the API to meet continually growing requirements, the APIsec solution automatically discovers the added API features, rebuilds the API feature map, and then re-launches the bots to create new attack vectors.
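The two mechanisms described above, building an API feature map from the Swagger/OpenAPI definition and rebuilding it as the API changes so that authorization coverage follows the API, are illustrated below in a constructed Python example. It is added here and is not Seismic's or APIsec's code; the OpenAPI fragment, the role-to-scope table, and the in-memory "server" with a seeded authorization gap are all stand-ins. The example derives the feature map, diffs two spec versions to find newly added operations, builds an expected allow/deny matrix per (operation, role), and reports where a target's observed behaviour contradicts the spec.

```python
"""Build an API feature map from an OpenAPI document and derive an
authorization (RBAC) test matrix from it.  Constructed example: the spec,
roles and in-memory "server" below are stand-ins, not Seismic's or APIsec's."""

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed OpenAPI 3 fragment: every operation declares the OAuth2
# scopes it requires through the standard `security` field.
SPEC_V1 = {
    "paths": {
        "/accounts/{accountId}/contents": {
            "get": {"operationId": "listContents",
                    "security": [{"oauth": ["content:read"]}]},
            "post": {"operationId": "uploadContent",
                     "security": [{"oauth": ["content:write"]}]},
        },
        "/accounts/{accountId}/export": {
            "post": {"operationId": "exportAccount",
                     "security": [{"oauth": ["admin"]}]},
        },
    }
}
# v2 adds an endpoint; the map must pick it up without manual re-enrolment.
SPEC_V2 = {"paths": {**SPEC_V1["paths"],
                     "/accounts/{accountId}/members": {
                         "delete": {"operationId": "removeMember",
                                    "security": [{"oauth": ["admin"]}]}}}}

# Constructed role -> granted scopes table (hypothetical roles).
ROLES = {"viewer": {"content:read"},
         "editor": {"content:read", "content:write"},
         "admin": {"content:read", "content:write", "admin"}}


def feature_map(spec):
    """(METHOD, path) -> {operationId, scopes}.  Operations with no
    `security` entry get an empty scope set, i.e. anonymous access."""
    fmap = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            scopes = set()
            for requirement in op.get("security", []):
                for scope_list in requirement.values():
                    scopes.update(scope_list)
            fmap[(method.upper(), path)] = {"operationId": op.get("operationId"),
                                            "scopes": scopes}
    return fmap


def new_operations(old_spec, new_spec):
    """Operations present in new_spec but absent from old_spec."""
    return sorted(set(feature_map(new_spec)) - set(feature_map(old_spec)))


def rbac_matrix(spec, roles):
    """Expected outcome for every (operation, role) pair: 'allow' when the
    role holds every required scope, otherwise 'deny'."""
    matrix = {}
    for (method, path), info in feature_map(spec).items():
        for role, granted in roles.items():
            matrix[(method, path, role)] = "allow" if info["scopes"] <= granted else "deny"
    return matrix


def check_authz(spec, roles, send):
    """Drive `send(method, path, role) -> HTTP status` over the matrix and
    return every case whose observed outcome contradicts the spec."""
    findings = []
    for (method, path, role), expected in rbac_matrix(spec, roles).items():
        observed = "allow" if send(method, path, role) < 400 else "deny"
        if observed != expected:
            findings.append({"op": f"{method} {path}", "role": role,
                             "expected": expected, "observed": observed})
    return findings


def fake_send(method, path, role):
    """Constructed in-memory 'server': enforces scopes correctly except for one
    seeded flaw, the export endpoint never checks for the admin scope."""
    required = feature_map(SPEC_V2)[(method, path)]["scopes"]
    if path.endswith("/export"):      # the seeded authorization gap
        return 200
    return 200 if required <= ROLES[role] else 403


if __name__ == "__main__":
    print("operations added since v1:", new_operations(SPEC_V1, SPEC_V2))
    for finding in check_authz(SPEC_V2, ROLES, fake_send):
        print("authorization finding:", finding)
```

Run against the constructed server, the diff reports the one operation added in v2, and the matrix flags the export endpoint for the viewer and editor roles, the pattern of finding that a spec-driven feature map makes repeatable every time the definition file changes. Swapping `fake_send` for a real HTTP client against a staging deployment is the only change needed to use the same matrix on a live API.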
“Our customers ask us what we are doing to protect their sensitive data on Seismic, and once they see what we have done with APIsec their confidence in us grows.”
- Shifts the InfoSec team left, enabling a strong partnership with the development team.
- Business-logic-layer API security testing and certification allows the team to focus on building great products.
- Resolves customers' questions about data security through the API layer.