Levo.ai API Security Platform Updates October 2024

November 7, 2024


API attack vectors are constantly evolving, yet a staggering 80% of attempted breaches still target the vulnerabilities outlined in the OWASP API Security Top 10. 

This necessitates thorough testing of every relevant endpoint for cases like BOLA (Broken Object Level AuthZ) and BFLA (Broken Function Level AuthZ), which guards against horizontal AuthZ bypass and privilege escalation (confused deputy) issues.

Recognizing this, the Levo team has dedicated its efforts to enhancing testing efficiency and speed, resulting in an impressive testing coverage of 75% across our customers' endpoints. 

With our latest features, we’re equipped to ensure that all endpoints are tested for known and persistent vulnerabilities, unaffected by any underlying infrastructure issues. 

As a result, we’re set to further minimize false positives—already at a record low—and empower security teams to safeguard their APIs with unmatched precision.

Effortless Vulnerability Tracking via JIRA Tickets

Elevate the impact of our security testing with our JIRA Integration!

Create JIRA tickets directly through our UI for seamless and timely resolution of findings.

Enterprise security engineers often spend a significant portion of their workweek on manual tasks like investigating, identifying, and reporting vulnerabilities.

This can lead to alert fatigue, potentially causing legitimate vulnerabilities to be overlooked and creating exploitable attack vectors in applications.

While finding vulnerabilities in pre-production is crucial for a shift-left strategy, ensuring their timely remediation is even more critical.

Our integration empowers Security Engineers to accomplish both tasks with minimal friction.

These findings not only surface with little to no configuration and resource consumption but can also be assigned to developers without endless meetings and emails.

Engineering Managers gain a comprehensive view of all security findings and can enforce accountability for their remediation.


Rerun Failed Tests from UI

Rerun failed test runs directly from the UI!

Maximize test coverage and vulnerability detection without reconfiguration.

At Levo.ai, we've always prioritized adding new test cases, but ensuring maximum coverage and efficiency for existing ones is equally crucial.

Coverage can be hindered by technical disruptions in your infrastructure, such as network outages, misconfigurations, or non-whitelisted Levo test runners.

Our logs have always provided detailed descriptions of skipped or failed test runs.

Now, with this new feature, all failed tests are visible on a single dashboard, and rerunning them is just a click away.

After resolving underlying technical issues, you can run all failed tests without rerunning them individually. This eliminates the possibility of an endpoint going live while untested or undertested.


Dedicated Application and Environment Instrumentation 

Instrument endpoints application by application and environment by environment!

Our instrumentation process has been known to be quick, efficient, and seamless.

The inventory and documentation are powered by a passive eBPF sensor that runs at scale on just half a CPU core and 0.5 GB of memory, keeping costs minimal even at scale.

The satellite too is highly configurable and can be self-hosted or managed by us.

Both are capable of surfacing all endpoints through a single call.

But this is prone to disruptions in high-performance environments like those of our fintech customers, who have 4000+ endpoints distributed across hundreds of applications.

Surfacing endpoints for each application and environment separately ensures a smoother, faster discovery process. 

Optimized Test User Nomination

Maximize test coverage without compromising on privacy!

Nominate test users after reviewing the available data, i.e. the runnable endpoints for each of them. Choose a single test user with the maximum number of endpoints, or a combination of test users, to simulate real API calls.

Since the very beginning, we’ve stressed the importance of using real data instead of arbitrary values for payload testing, as many critical vulnerabilities like BOLA go undetected with the latter.

By mapping each API call to individual users, we can accurately derive user data without requiring our customers to manually configure anything. 

We recognize that customer data is sensitive and must be protected, which is why we only utilize user data from specific nominees, mostly integration test users, selected by enterprises.

This feature lets you choose user profiles that best fit your testing needs! 
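The nomination logic described above, as an added example that is not Levo's code: observed calls already attributed to a user are reduced to the runnable endpoints per nominee, then either the single best user or a greedy combination covering every endpoint is chosen. The traffic records, the `qa-` nominee prefix and all user names are constructed.

```python
from collections import defaultdict

# Constructed sample of observed API calls, each already mapped to the user
# that made it (the page describes deriving user data from that mapping).
TRAFFIC = [
    ("qa-alice", "GET",    "/v1/orders/{id}"),
    ("qa-alice", "POST",   "/v1/orders"),
    ("qa-alice", "GET",    "/v1/me"),
    ("qa-bob",   "GET",    "/v1/orders/{id}"),
    ("qa-bob",   "GET",    "/v1/me"),
    ("qa-bob",   "DELETE", "/v1/orders/{id}"),
    ("qa-carol", "GET",    "/v1/me"),
    ("qa-carol", "GET",    "/v1/orders/{id}"),
    ("prod-dave", "GET",   "/v1/orders/{id}"),  # real customer: never a nominee
]

def runnable_endpoints(traffic, nominee_prefix="qa-"):
    """Map each nominee to the set of (method, path) endpoints their own
    traffic can drive. Users outside the nominee pool (assumed here to be
    anyone not prefixed 'qa-') are dropped so real customer data is unused."""
    per_user = defaultdict(set)
    for user, method, path in traffic:
        if user.startswith(nominee_prefix):
            per_user[user].add((method, path))
    return dict(per_user)

def best_single_user(per_user):
    """The one nominee covering the most endpoints (ties broken by name)."""
    return max(sorted(per_user), key=lambda u: len(per_user[u]))

def nominate_combination(per_user):
    """Greedy set cover: repeatedly add the nominee that adds the most
    still-uncovered endpoints, stopping when nothing more can be covered."""
    uncovered = set().union(*per_user.values())
    chosen = []
    while uncovered:
        user = max(sorted(per_user), key=lambda u: len(per_user[u] & uncovered))
        gain = per_user[user] & uncovered
        if not gain:
            break
        chosen.append(user)
        uncovered -= gain
    return chosen

if __name__ == "__main__":
    per_user = runnable_endpoints(TRAFFIC)
    print(best_single_user(per_user), nominate_combination(per_user))
```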

Smart Error Code Detection 

No more false positives attributed to custom error codes!

Levo’s testing module now parses both standard HTTP statuses and custom error codes in string formats, eliminating unnecessary alerts and allowing security teams to focus on actual vulnerabilities. 

APIs frequently mask sensitive error codes with custom responses to avoid exposing security details that attackers could exploit. 

Standard HTTP error codes like 401 (Unauthorized) or 404 (Not Found) convey specific meanings, and revealing them can give potential attackers insights into system behavior or account validity. 

To prevent this, many APIs substitute these codes with general responses or custom strings that don’t reveal as much context. 

While this enhances security in production environments, it can create challenges during pre-production testing by triggering false positives that suggest vulnerabilities where none exist.

With this feature, we continue creating more efficient, effective, and actionable workflows for your Security Engineers. 
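An added example (not Levo's code) of the status-plus-custom-code check this section describes: a pre-production test response counts as denied when either the HTTP status or a string error code in the body says so, so masked 401/403/404 responses no longer surface as findings. The body field names, the denial vocabulary and the sample bodies are assumptions constructed for the example.

```python
import json
import re

# Constructed vocabulary of custom denial codes and the body fields that
# typically carry them; real APIs vary, so treat these as configuration.
DENIAL_CODES = {"ACCESS_DENIED", "UNAUTHORIZED", "FORBIDDEN", "NOT_FOUND",
                "E401", "E403", "E404"}
DENIAL_STATUSES = {401, 403, 404}
CODE_FIELDS = {"code", "error", "error_code", "errorCode", "status"}

def body_error_codes(body):
    """All string error codes in a JSON body, normalised to UPPER_SNAKE_CASE,
    walking nested objects and arrays (e.g. {"error": {"code": "E403"}})."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return set()
    found, stack = set(), [data]
    while stack:
        node = stack.pop()
        if isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, dict):
            for key, value in node.items():
                if key in CODE_FIELDS and isinstance(value, str):
                    norm = re.sub(r"\s+", "_", value.strip().upper())
                    if re.fullmatch(r"[A-Z0-9_]+", norm):
                        found.add(norm)
                else:
                    stack.append(value)
    return found

def is_denied(status, body):
    """Denied if the HTTP status says so OR the body carries a denial code,
    including a numeric code such as "401" hidden inside a 200 response."""
    if status in DENIAL_STATUSES:
        return True
    codes = body_error_codes(body)
    if codes & DENIAL_CODES:
        return True
    return any(c.isdigit() and int(c) in DENIAL_STATUSES for c in codes)

def classify_probe(status, body, status_only=False):
    """Verdict for one test response: status_only=True reproduces the old
    status-only logic that turns masked denials into false positives."""
    denied = status in DENIAL_STATUSES if status_only else is_denied(status, body)
    return "denied" if denied else "finding"
```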

Real-Time Security Testing and Progress Tracking

Real-time testing visibility for each endpoint without waiting for setup!

Unlike traditional workflows that require a batch setup for all endpoints and force minutes-long waits for initial feedback, Levo’s approach initiates and displays progress for each endpoint test individually and immediately. 

Security and development teams can also gain immediate visibility into every endpoint test, starting just seconds after initiation. 

This unique, on-the-go configuration ensures that all test resources, configurations, and plans are built alongside the testing itself, so teams can stay informed without workflow interruptions. 

By providing real-time visibility into test coverage, your team can estimate completion times accurately and be confident that testing is progressing seamlessly from the very first second.

Environment Optimized API Discovery

Instrument API endpoints distinctively for each environment!

Our discovery module now allows teams to configure settings for every environment, ensuring accurate capturing, processing, and representation of important parameters like AuthN status, rate limiting, versioning, and error handling mechanisms. 

Without this, endpoints across all environments are discovered and cataloged to fit just production requirements. 

This level of adaptability not only minimizes false positives but also ensures that every environment is properly accounted for in the discovery process. 

Teams can focus on what matters most—securing their APIs—without worrying about misconfigurations or related frustrations.


Curious about how these features could transform your API Security initiatives?

Book a demo through this link!
