How a leading public Fintech Company automatically discovered and tested their APIs with Levo
Fintech regains development and deployment agility with our discovery & documentation offerings
Executive Excerpt:
“By many accounts, Shift Left is the most efficient way of implementing security since all other approaches are usually more expensive and disruptive.
Levo allows embedding API discovery and Security testing in the SDLC process at pre-production stages, which reduces the risks of exploits by bad actors and makes remediation more cost-efficient.”
This Fintech giant was founded with the vision of helping small and medium-sized businesses accept card payments electronically. Over the last decade, it has emerged as a conglomerate democratizing financial services, empowering over 56 million users and 4 million businesses.
They needed visibility into their API sprawl so they could reduce their attack surface. One important task was identifying APIs that had not been documented, documenting them, and testing them with dynamic scanners. Leaving them as they were could compromise the enterprise's security posture.
To address all these concerns, Oleg Gryb led the adoption of Levo’s end-to-end SaaS platform.
Challenge:
- API Drift due to swift product releases, integrations, and acquisitions
- Over time, some APIs became poorly supported or lacked complete documentation
- Inadequate documentation in development and later stages, since documentation was never updated alongside the APIs
- Testing APIs before they go live and subsequently scaling the assessments across enterprise applications
- Finding actionable insights amid a large amount of data and false positives generated by traditional security tools
What was achieved:
- Automated API discovery with eBPF sensors, uncovering API schemas and exporting them as OpenAPI specifications
- Seamless integration of API Discovery and API testing across 200+ applications (both internal and external)
- Easy integration with Cloudflare CDN through its workers
- The first comprehensive API discovery mechanism implemented in the Kubernetes cluster
- Integration of Discovery and Automated Security Testing was successfully implemented in the development environment
Before Levo: security implementations were hindered by an incomplete API inventory.
1. API Drift: A Persistent Challenge in the Fintech Industry
The integration of APIs into enterprise applications is accelerating across all sectors. The pace is even faster at Fintech startups, where new features and integrations are rolled out monthly, if not weekly, to stay competitive.
This particular Fintech company had also expanded its operations by acquiring several startups. These were then integrated into its native platform via APIs, significantly increasing the total number of APIs. In addition to third-party integrations, they also had legacy APIs that lacked proper documentation.
While the DevSecOps team already had their custom APIs documented, integrating third-party ones manually became difficult.
The result was API drift, leaving their security team in the dark.
2. APIs: Undocumented and Therefore Untested
The API sprawl led to another issue for the Fintech company: not all APIs were properly documented and supported.
Driven by their mission to democratize payments across platforms, methods, and segments, their development teams have built numerous functionalities using microservices and externally facing APIs like REST, gRPC, and GraphQL.
These APIs were diverse and scattered across development, staging, and production environments and servers, implemented in various languages and frameworks.
These factors posed significant barriers to discovering every API and API endpoint. Consequently, the absence of discovery and documentation made any attempts to secure and test the APIs ineffective.
3. Expanded Attack Surface for Malicious Exploits
Just because the Fintech had not discovered all of its APIs and endpoints did not mean attackers would not.
Most FinTechs have many external-facing APIs, and a single unauthenticated or poorly authenticated API can cause a data breach or fund theft.
Traditional WAF, SAST, and DAST tools primarily focus on detecting and scanning for vulnerabilities at the application layer (the presentation layer, i.e. the UI), and they overlook the underlying APIs.
APIs operate beneath the application layer and serve as the backbone of any application.
4. Inability of Existing Vendors to Adapt to Custom Environments
Operating in the Fintech sector, the enterprise’s environment included unique configurations of servers, databases, applications, and APIs, as well as custom code, proprietary technologies, or unconventional use of standard technologies.
For an API security vendor to secure the Fintech's APIs, it would need to understand all these elements and how they interact in order to deploy its solution successfully.
For the solution to detect and test APIs successfully, it would need to understand them at the most granular level.
These details encompass API specifications, parameters, payloads, and authentication and authorization (AuthN & AuthZ) schemes.
However, most available vendors could neither detect APIs scattered across networks nor describe them at this level of granularity.
Want to know how this Fintech overcame these hurdles with Levo? Go through the attached PDF now!