Introducing Levo’s Code-Based Instrumentation: Automatically generate the most comprehensive API Inventory

September 18, 2024

We're excited to officially announce Levo's Code-Based Instrumentation, a powerful feature that has been a game-changer for our customers over the past six months.

Since our inception, we’ve believed that security must be built into every aspect of applications, especially APIs. 

By embedding security early, we help you avoid expensive and ineffective reactive measures later.

Our API Discovery, Documentation, and Pre-production Testing modules have enabled DevSecOps teams to identify and remediate API vulnerabilities from CI build stages all the way through to Pre-production environments. 

Now, we’re extending this capability even further to the left—to the Design and Local Build stages, where APIs are written, providing you unparalleled API visibility right from the start.

The results are immediate and impactful. With simple integration into your code repositories, we can instantly discover your APIs and give you a comprehensive catalog. 

Apart from being ready to test these APIs, you also discover zombie APIs without missing any.

API Inventory that keeps up with your Developers & Deployment Goals

We’ve spoken enough about how API Visibility is foundational to API Security, especially for API Security Testing.

Without knowing what APIs exist, testing becomes ineffective—how can you secure what you can’t see? 

That’s why visibility is foundational to your security strategy, ensuring that every API—whether internal, external, or third-party—is properly cataloged, documented, and prepared for testing.

While an accurate and comprehensive API inventory can solve many challenges, it is impossible to maintain manually, as confirmed by 75% of enterprises who were not confident about the accuracy of their API inventory.

Testing efforts based on such incomplete inventories cover a negligible percentage of your total APIs, leaving a wide attack surface exposed. 

Levo’s discovery module addresses this by automatically discovering 2-5x more APIs than enterprises originally knew about. 

We achieve this through a combination of instrumentation methods, with our code-based discovery serving as the latest addition to our agentless options.

Like all other agentless methods, this one takes minimal time to get approved and set up. 

Levo integrates seamlessly with source code management tools like GitHub and GitLab. With a single click, we can parse through dozens of repositories, instantly cataloging hundreds of APIs. 

While scanning APIs from source code might sound simple, supporting the vast array of programming languages and frameworks presents unique technical challenges. 

For example, Java alone can support REST APIs via multiple frameworks like Spring Boot, Quarkus, and Dropwizard, each with its own intricacies. And Java is just one part of the equation—languages like Python, Node.js, and Golang each come with their own ecosystems, frameworks, and implementation patterns.

Effective automated discovery requires sophisticated parsing mechanisms that can interpret these varying frameworks and languages. Each framework manages API request/response structures, authentication flows, and error handling differently, which complicates both discovery and security testing. 

Levo’s platform has been engineered to handle these complexities by supporting several key programming languages and their associated frameworks through advanced parsing algorithms and context-aware analysis, and we are quickly adding more frameworks and languages. 

The best of Code Based and Traffic Based Instrumentation

Having an API inventory is a crucial step in understanding and securing your attack surface, but it’s only a part of the solution. 

For true API security, compliance success, and testing automation, you need more than just an inventory—you need deep, actionable insights into your APIs’ behavior, functionality, and data payloads.

And this is where code-based instrumentation, though powerful for discovery, falls short. 

While it can help you identify APIs, code alone isn’t sufficient to provide the full scope of critical parameters. For that, you need to look at actual API traffic.

Traffic-based instrumentation provides both complete API specifications (including 10-12 key parameters) and critical behavioral insights, such as how an API handles sensitive data, how it is authenticated, and which roles and permissions are accessing a given piece of data.

This is why Levo combines both code-based and traffic-based instrumentation methods, to deliver comprehensive API security. 

What makes our platform unique is how it intelligently merges these two methods. 

Instead of treating these as separate entities, our platform not only detects an API but also gains insights into how it's functioning in live environments.

Moreover, this combination helps us uncover inactive APIs, such as zombie and shadow APIs—something that a lot of API security vendors cannot detect at all.

For instance, you might have health check endpoints or admin APIs embedded in your code that haven’t been called in months, indicating potential security risks. Or endpoints that were found in code but through which no traffic was ever observed. Or endpoints from old versions of some frameworks that have several CVEs.

By identifying these shadow and zombie APIs before malicious attackers do, we help you mitigate security incidents. These neglected APIs provide an easy path for lateral movement into your servers and databases.
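As an added illustration (not Levo's code), here is a minimal version of the two steps described above: static discovery of routes from Spring Boot and Flask source, followed by reconciliation against observed traffic to flag endpoints that exist in code but were never called (zombie) and endpoints that serve traffic but are absent from the code inventory (labelled shadow here). The sample sources, the log lines and the rule that collapses numeric path segments to `{id}` are constructed assumptions.

```python
import re

# Constructed sample sources (not Levo's code): a Spring Boot controller and a Flask app.
SPRING_SRC = '''@RequestMapping("/api/v1/users")
public class UserController {
    @GetMapping("/{id}")    public User get(@PathVariable long id) { ... }
    @PostMapping            public User create(@RequestBody User u) { ... }
    @DeleteMapping("/{id}") public void delete(@PathVariable long id) { ... }
}'''
FLASK_SRC = '''@app.route("/health")
def health(): ...
@app.route("/admin/reset", methods=["POST"])
def reset(): ...'''
# Constructed access-log lines standing in for traffic-based observation.
TRAFFIC_LOG = ["GET /api/v1/users/42 200", "POST /api/v1/users 201",
               "GET /health 200", "GET /api/v1/internal/debug 200"]
SPRING_BASE = re.compile(r'@RequestMapping\("([^"]*)"\)')
SPRING_MAPPING = re.compile(r'@(Get|Post|Put|Delete|Patch)Mapping(?:\("([^"]*)"\))?')
FLASK_ROUTE = re.compile(r'@app\.route\("([^"]*)"(?:,\s*methods=\[([^\]]*)\])?\)')

def discover_spring(src):
    """Static discovery for Spring Boot: class-level base path + per-method mappings."""
    m = SPRING_BASE.search(src)
    base = m.group(1) if m else ""
    return {(verb.upper(), base + path) for verb, path in SPRING_MAPPING.findall(src)}

def discover_flask(src):
    """Static discovery for Flask: @app.route decorators, GET when no methods are given."""
    found = set()
    for path, methods in FLASK_ROUTE.findall(src):
        verbs = [v.strip().strip("\"'") for v in methods.split(",")] if methods else ["GET"]
        found.update((v.upper(), path) for v in verbs)
    return found

def normalize(path):
    # Collapse numeric path segments to the {id} placeholder the code routes use (assumption)
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def observed_from_log(lines):
    return {(verb, normalize(path)) for verb, path, _status in (line.split() for line in lines)}

def reconcile(code_eps, traffic_eps):
    """Merge the inventories: zombie = in code, never called; shadow = called, not in code."""
    return {"zombie": sorted(code_eps - traffic_eps),
            "shadow": sorted(traffic_eps - code_eps),
            "active": sorted(code_eps & traffic_eps)}

def build_inventory():
    code_eps = discover_spring(SPRING_SRC) | discover_flask(FLASK_SRC)
    return reconcile(code_eps, observed_from_log(TRAFFIC_LOG))
```

Running `build_inventory()` on the constructed inputs reports the DELETE user route and the admin reset route as zombies and the internal debug route as shadow, which is exactly the class of endpoint the text says a code-only inventory cannot surface on its own.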

Automate API Security with Levo.ai

While code-based instrumentation gives us a broad inventory of APIs (assuming we support the language and framework), it doesn’t tell the full story. 

Traffic-based instrumentation fills this gap, offering the documentation, AuthN details, and user data needed for automating API Security Testing at scale.

We recognize that there can be internal challenges and red tape in deploying traffic-based sensors in real-world environments. However, the payoff in terms of time, effort, and DevOps resources saved by automated testing and documentation is significant.

But if you need an API inventory right away, without going through any of that yet, you can start with Levo’s code-based instrumentation. 

Book a demo through this link if you want to automatically discover, document, and test your APIs. 
