I recently came across a talk by fellow Engineering Leader Dugald Morrow from Atlassian, which was fascinating, inspiring, and relatable throughout.
Advocating for Developer Relations in an enterprise where applications are created and updated according to customer needs rather than developer convenience is a challenging task.
This task became even more complex when Morrow initiated an API Governance initiative to address API sprawl and inconsistent development practices.
Despite these challenges, the undertaking was successful. It resulted in fewer API-related incidents across their large suite of offerings, applications, and marketplace integrations—all without compromising developer autonomy and creativity.
You can learn more about this transformation process in the original video or blog. At its core, an internal platform automatically scans new APIs for conformance to set standards.
In this blog, I want to highlight a similar—and in some cases stronger—solution we've built to drive policy adherence and consistent development practices.
Read on to discover how our passive testing module saves you the time needed to build in-house solutions while enabling maximum customization through configuration flexibility.
I’ve spoken enough about pre-production API security testing, why it's necessary, and what it takes to automate it.
But that's just one side of the coin, so today I want to talk about passive API security testing.
This powerful, unobtrusive approach enhances your security posture without slowing down your development team.
Active security testing involves sending customized, precise payloads to APIs to simulate malicious attempts.
With passive testing, you're not making any API calls or sending payloads. You're simply observing.
The beauty of this approach is that it adds zero overhead to your systems, making it ideal for high-performance environments where uptime is non-negotiable.
We use sensor-powered monitoring to track API traffic across all environments, automatically flagging anything that deviates from defined policies.
These key practices are enabled by default for all our customers:
Our scanning is also capable of detecting:
Now, I’m not suggesting that passive testing can replace active testing—far from it.
Each approach serves a different purpose.
Active API security testing excels at detecting critical vulnerabilities like broken object-level authorization (BOLA) or flaws in business logic. These issues require deliberate probing and custom payloads to identify, and passive testing can’t find them on its own.
But combining both active and passive testing gives you much better coverage.
While passive testing catches the day-to-day anomalies and potential misconfigurations, active testing validates the exploitability of those alerts by simulating real-world attacks.
Beyond active and passive security testing, we’ve also built a high degree of configuration flexibility into the testing module.
While some metrics are universally important, we recognize that business needs vary significantly across companies and industries. Our work with champions from various sectors has shown how APIs are used in distinct ways to achieve business goals.
That’s why our platform offers flexible policy customization. You can define your own passive scanning rules using accessible languages like Python and YAML.
For example, a financial services firm might need to enforce strict token-based authentication across all endpoints, while a retail organization may prioritize securing customer data across multiple marketplaces.
Our customizable rules let you discover and remediate inconsistencies and deviations based on your exact requirements.
Rules are written in Python and YAML, so your security engineers can define and enforce rules aligned with your organization's policies in languages they already know.
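To make the idea of a passive rule concrete, here is an added example (my own illustration, not the vendor's testing module or its rule format): a small Python evaluator that applies two policy checks, a token-based-authentication requirement and a customer-data exposure check, to traffic records a sensor has already captured, without sending a single request. The policy dict, the record shape and the sample traffic are constructed assumptions.

```python
import json
import re
# Policy as a dict, in the shape a YAML rule file would hold (constructed).
POLICY = {
    "require_bearer_auth": {"exempt_paths": ["/health", "/login"]},
    "forbid_fields_in_response": {"fields": ["ssn", "card_number"]},
}
# Constructed sensor-style records; header names assumed lower-cased by the sensor.
TRAFFIC = [
    {"method": "GET", "path": "/health", "headers": {}, "status": 200, "body": "{}"},
    {"method": "GET", "path": "/v1/accounts/42", "status": 200,
     "headers": {"authorization": "Bearer eyJhbGci.placeholder.sig"},
     "body": '{"id": 42, "profile": {"ssn": "***-**-1234"}}'},
    {"method": "GET", "path": "/v1/orders", "headers": {}, "status": 200, "body": '{"items": []}'},
]

def walk_keys(obj):
    # Yield every key in a nested JSON structure (dicts inside lists too).
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else []
    for k, v in items:
        if isinstance(obj, dict):
            yield k
        yield from walk_keys(v)

def check_bearer_auth(rec, cfg):
    # Every non-exempt endpoint must have been called with a bearer token.
    exempt = rec["path"] in cfg.get("exempt_paths", [])
    has_token = re.fullmatch(r"Bearer\s+\S+", rec["headers"].get("authorization", ""))
    return None if exempt or has_token else "request lacks a bearer token"

def check_forbidden_fields(rec, cfg):
    # Successful JSON responses must not expose the listed customer fields.
    try:
        body = json.loads(rec["body"]) if 200 <= rec["status"] < 300 else {}
    except json.JSONDecodeError:
        return None  # non-JSON body: nothing for this rule to inspect
    leaked = sorted(set(walk_keys(body)) & set(cfg["fields"]))
    return f"response exposes {', '.join(leaked)}" if leaked else None

RULES = {"require_bearer_auth": check_bearer_auth, "forbid_fields_in_response": check_forbidden_fields}
def evaluate(policy, traffic):
    # Apply every configured rule to every observed record; nothing is sent.
    findings = []
    for rec in traffic:
        for rule_id, cfg in policy.items():
            detail = RULES[rule_id](rec, cfg)
            if detail:
                findings.append({"rule": rule_id, "endpoint": f"{rec['method']} {rec['path']}", "detail": detail})
    return findings
```

Running `evaluate(POLICY, TRAFFIC)` reports the account endpoint for exposing `ssn` and the orders endpoint for an unauthenticated call, while the exempt health check produces nothing.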
If preferred, our team can handle the custom scripting for you.
We've already developed hundreds of custom cases for various industries, including fintech and retail, so you don't have to start from scratch.
This saves time and resources, not just on policy enforcement but also by leveraging pre-built scenarios tailored to industry-specific use cases.
When dealing with hundreds or thousands of API endpoints, manual testing or monitoring of each one becomes impractical.
Our custom passive testing ensures policy adherence through automatic monitoring that adapts to your evolving business context without disrupting dev workflows.
Book a demo through this link to see it live in action.