The Levo team brings to you significant advancements this month to ensure robust security across your entire API ecosystem.
We’ve introduced an entirely different testing approach using API traces, BOLA support for testing with API traces, and numerous reporting capabilities for Engineering and Security leaders.
API Security Testing constitutes less than 4% of total testing efforts pre-production.
To help enterprises focus more on the Security Testing of APIs we expanded our testing methodologies to include testing through traces in addition to Test User payload testing.
In response to our customers' massive adoption of this approach, we are now fortifying it with all test cases available in the payload approach.
One of these is OWASP API Security Guideline No. 1, Broken Object Level Authorization (BOLA). It is the first guideline for a reason: its prevalence and ease of exploitability are so high that over 60% of the most publicly studied breaches of 2023 could be attributed directly to BOLA.
Levo customers can now test APIs across all environments to ensure that users have access only to their own resources and not others.
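To make the trace-based BOLA check concrete, here is an added example (not Levo's code) of the test in miniature: a captured request that succeeded for its original user is replayed with a different user's credential, and the server is expected to refuse. A toy in-memory order lookup with a vulnerable handler and a fixed handler stands in for the real service; the tokens, users, orders and traces are all constructed for the example.

```python
"""Trace-driven BOLA (OWASP API1) check.

Added example, not Levo's code. A "trace" here is a request/response pair
captured from live traffic. The test takes a request that succeeded for its
original user, replays it with a different user's credential, and expects
the server to refuse. Tokens, users and orders below are constructed.
"""
from dataclasses import dataclass

# Constructed fixtures: bearer token -> user, and orders owned by users.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    "1001": {"owner": "alice", "total": 42},
    "1002": {"owner": "bob", "total": 7},
}


def _user_from(headers):
    """Resolve the caller from a 'Bearer <token>' header; None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def handle_vulnerable(method, path, headers):
    """GET /orders/<id>: authenticates the caller but never checks ownership."""
    if _user_from(headers) is None:
        return 401, None
    order = ORDERS.get(path.rsplit("/", 1)[-1])
    return (404, None) if order is None else (200, order)


def handle_fixed(method, path, headers):
    """Same endpoint with an object-level authorization check."""
    user = _user_from(headers)
    if user is None:
        return 401, None
    order = ORDERS.get(path.rsplit("/", 1)[-1])
    # 404 rather than 403 so a foreign id does not confirm the object exists.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


@dataclass(frozen=True)
class Trace:
    method: str
    path: str
    headers: dict
    status: int


def bola_check(trace, handler, other_token):
    """Replay one trace as another user. Returns a finding dict, or None if
    the trace is not a candidate (unauthenticated, failed, or same user)."""
    if trace.status != 200 or _user_from(trace.headers) is None:
        return None
    if _user_from(trace.headers) == TOKENS.get(other_token):
        return None
    headers = dict(trace.headers, Authorization=f"Bearer {other_token}")
    status, _ = handler(trace.method, trace.path, headers)
    return {"endpoint": f"{trace.method} {trace.path}",
            "replayed_status": status,
            "vulnerable": status == 200}


def run_bola_tests(traces, handler, other_token):
    """Return only the traces that replayed successfully as another user."""
    findings = (bola_check(t, handler, other_token) for t in traces)
    return [f for f in findings if f and f["vulnerable"]]


SAMPLE_TRACES = [  # constructed traces: one success, one 404, one unauthenticated
    Trace("GET", "/orders/1001", {"Authorization": "Bearer tok-alice"}, 200),
    Trace("GET", "/orders/9999", {"Authorization": "Bearer tok-alice"}, 404),
    Trace("GET", "/orders/1002", {}, 401),
]

if __name__ == "__main__":
    print("vulnerable handler:", run_bola_tests(SAMPLE_TRACES, handle_vulnerable, "tok-bob"))
    print("fixed handler:", run_bola_tests(SAMPLE_TRACES, handle_fixed, "tok-bob"))
```

Only traces that were authenticated and succeeded are candidates, which is why trace-based testing needs no hand-written payloads: the captured request already carries a valid object id and a working credential, and the only thing the test swaps is the identity.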
Have a look:
Now enterprise leaders can monitor testing coverage (category-wise) for every application!
Our mission at Levo is to ensure that none of your APIs are released into production environments without being thoroughly tested.
After simplifying API Security Testing of all these API endpoints for the DevSecOps team, we are now also providing Engineering & Security leaders with full visibility into the testing efforts.
This includes showing application-wise coverage, which is important for major enterprises that may have over 100 applications within their network, each with anywhere between 500-1000 API endpoints. You can view this information within our dashboard and also export the report for evaluation by engineering and security leaders.
The report includes test coverage for all endpoints and provides a percentage-wise quantification of both secure and vulnerable endpoints, allowing them to evaluate the security levels of all APIs at once.
Have a look:
Simply authenticating your APIs is not enough!
While broken, missing, or weak authentication is a major cause of successful breaches, there are many other attack vectors to protect your APIs from.
94% of API exploits occur against authenticated APIs, so you can’t merely rely on authentication to protect APIs.
Our new filter takes you directly to all authenticated but untested endpoints, ensuring prompt and rigorous testing across a dozen categories before they go live.
Have a look:
Our instrumentation abilities aren’t a customer favorite only because they capture traffic at the kernel level, but also because of the customization and flexibility they offer.
Much of this comes from the configuration settings available for the satellite and sensor within each environment.
This means customers can control traffic capture and ensure that only relevant data is captured and processed.
While initially the configuration within each environment had to be set independently and manually, you can now copy-paste it across environments with similar data capture requirements.
Have a look:
Finding vulnerabilities through rigorous testing is important, but even more important is their prompt remediation.
That can only take place if each vulnerability is mapped to the right developer and API, and communicated to the right stakeholders.
The former is provided with Kubernetes metadata attribution, while our Splunk, Slack, and Teams integrations handle the latter. Some details are only accessible within our dashboard, but not all members of the DevSecOps teams can log in due to team size constraints.
And now, with our shareable vulnerability reports, they don’t need to. Daily, monthly, and quarterly vulnerability reports can be downloaded and scheduled for export in PDF and CSV formats!
Have a look:
Maximize the value of our discovery with this feature release!
Through our discovery, we have often found 90% more APIs for our customers than what they were originally aware of.
But discovery without surrounding business context is of little use. Hence our discovery process already surfaces the following metrics:
1. Authenticated endpoints
2. Unauthenticated endpoints
3. Sensitive data handling
4. API Type (Internal/External/Third-party)
5. Unauthenticated endpoints handling sensitive data
Adding to this list, customers will now also see the authentication scheme used for every authenticated endpoint, and can filter endpoints by a specific auth scheme (Bearer authentication/MFA/Token-based).
With this added context you can now strengthen authentication mechanisms for external APIs or APIs handling sensitive data. Authentication testing will also be significantly simplified.
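As an added illustration (not Levo's code) of how the discovery metrics above and the new per-endpoint auth-scheme attribution can be derived from captured traffic, the following example classifies each traced request by the credential it carries, groups requests into endpoints by normalizing numeric path segments, and reports which endpoints are unauthenticated, which are reachable under a given scheme, and which unauthenticated endpoints return sensitive data. The header names treated as API keys, the sensitive-data patterns, and the sample traces are all constructed assumptions for the example.

```python
"""Auth-scheme inventory from captured traces.

Added example, not Levo's code. Each trace is a dict with method, path,
request headers and response body. The scheme names, API-key header names
and the crude sensitive-data patterns are constructed for the example.
"""
import re
from collections import defaultdict

# Assumption: these header names carry API keys in the traced services.
API_KEY_HEADERS = {"x-api-key", "api-key"}

# Constructed, deliberately simple detectors for sensitive data in responses.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card": re.compile(r"\b\d{13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def classify_auth(headers):
    """Name the credential scheme a request carries, or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    scheme = auth.split(" ", 1)[0].lower() if auth else ""
    if scheme == "bearer":
        token = auth.split(" ", 1)[1] if " " in auth else ""
        # Three dot-separated parts is the shape of a JWT; otherwise opaque.
        return "jwt-bearer" if token.count(".") == 2 else "bearer"
    if scheme in ("basic", "digest"):
        return scheme
    if API_KEY_HEADERS & h.keys():
        return "api-key"
    if "session" in h.get("cookie", "").lower():
        return "session-cookie"
    return "none"


def normalize_path(path):
    """Collapse numeric path segments so /users/42 and /users/43 share an endpoint."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def sensitive_fields(body):
    """Return the names of sensitive-data patterns found in a response body."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body))


def inventory(traces):
    """Roll traces up into per-endpoint metrics: schemes seen, sensitive data
    returned, and whether the endpoint was ever served without a credential."""
    endpoints = defaultdict(lambda: {"schemes": set(), "sensitive": set(), "unauth_seen": False})
    for t in traces:
        e = endpoints[f"{t['method']} {normalize_path(t['path'])}"]
        scheme = classify_auth(t["headers"])
        if scheme == "none":
            e["unauth_seen"] = True
        else:
            e["schemes"].add(scheme)
        e["sensitive"].update(sensitive_fields(t.get("response_body", "")))
    return dict(endpoints)


def unauthenticated_sensitive(endpoints):
    """Endpoints served without a credential that returned sensitive data."""
    return sorted(k for k, e in endpoints.items() if e["unauth_seen"] and e["sensitive"])


def by_scheme(endpoints, scheme):
    """Endpoints observed with the given auth scheme (the new filter)."""
    return sorted(k for k, e in endpoints.items() if scheme in e["schemes"])


SAMPLE_TRACES = [  # constructed
    {"method": "GET", "path": "/users/42", "headers": {"Authorization": "Bearer aaa.bbb.ccc"},
     "response_body": '{"email":"a@example.com"}'},
    {"method": "GET", "path": "/users/43", "headers": {"Authorization": "Bearer aaa.bbb.ccc"},
     "response_body": '{"email":"b@example.com"}'},
    {"method": "GET", "path": "/health", "headers": {}, "response_body": "ok"},
    {"method": "GET", "path": "/export/7", "headers": {}, "response_body": '{"ssn":"123-45-6789"}'},
    {"method": "POST", "path": "/login", "headers": {"Authorization": "Basic dXNlcjpwYXNz"},
     "response_body": "{}"},
    {"method": "GET", "path": "/partners/orders", "headers": {"X-Api-Key": "k1"}, "response_body": "[]"},
]

if __name__ == "__main__":
    inv = inventory(SAMPLE_TRACES)
    for endpoint, metrics in sorted(inv.items()):
        print(endpoint, metrics)
    print("unauthenticated + sensitive:", unauthenticated_sensitive(inv))
    print("api-key endpoints:", by_scheme(inv, "api-key"))
```

The `unauth_seen` flag is kept separately from the scheme set on purpose: an endpoint that is usually called with a bearer token but was served once with no credential is exactly the case worth surfacing, and a single merged field would hide it.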
Check it out:
Curious about how these features could transform your API Security initiatives?
Book a demo through this link