How Zluri automatically discovered and tested all its APIs

Growth stage startup accelerates deployment without compromising on security posture

Executive Summary: 

“Security can no longer be an afterthought right now. With the current influx of security incidents,  security must always be built into the product code and architecture. I recommend Levo to enterprises because they approach API security with a similar mindset. Their process begins with a comprehensive discovery of all API endpoints and then monitors them continuously. It is this observability that enables them to comprehensively test APIs for offensive and defensive scenarios across all SDLC stages.” 

At a glance: 

One of our earliest customers, Zluri, is helping 200+ customers across the globe to discover and control their SaaS stacks. Just as we at Levo are helping enterprises securely experience API adoption, Zluri is helping enterprises transition to SaaS through cost savings and streamlined access. 

‍

Being in the B2B Space and a security-forward company, our champion Chaithanya Yambari led the adoption of Levo. Currently being in the growth stage they wanted to avoid diverting developer hours to manual API management and instead deploy applications rapidly. This is precisely what has been achieved in the last year of our engagement allowing Zluri to stay put on their growth trajectory without worrying about API-related data breaches.

‍

What was achieved: 

In Dev:

1. 2763 endpoints were discovered across 383 applications, of which 79% were external-facing APIs.
2. Amongst them, a significant 15% were exposing sensitive data like PII, which is crucial to govern and protect. Yet some of them were found to be unauthenticated 
3. Finding such vulnerabilities early on helped the Dev team to remediate them and release secure applications easily. 

‍

A year with Levo: Security First mindset reinforced in the DevSec Team 

‍

1. Levo’s Discovery First Approach

Many vendors claim to detect and resolve security vulnerabilities without fully understanding their origin, particularly at the API level. Much like a doctor diagnosing a disease before treating it, security measures for APIs must begin with discovery and understanding.

Our API Security approach is based on the principle that "you cannot secure what you don't see." 

We were encouraged when our champion concurred with our belief, stating, “I liked Levo’s discovery-first approach because this way, they have actual data points on whether an application is secure. This method helped us direct our security efforts more effectively, yielding the best results. The discovery process is ongoing, thanks to Levo’s continuous discovery feature. We now clearly understand our applications' changes over the last year and how to remediate any vulnerabilities that arise with constant integrations."

‍

2. Zluri’s security-first mindset meets Levo’s automated testing

Our champion, Chaithanya, believes that to secure a platform fully, testing is needed not just once but at several points before release. This is because new vulnerabilities constantly emerge as code moves across the SDLC.

Zluri leadership recognized that legacy tools and approaches cannot comprehend dynamic APIs. They wanted to deploy an automated testing tool that would not drain developer bandwidth needed for business expansion.

Recognizing our strength in creating tests customized to each API endpoint, parameter, and potential vulnerabilities, Levo was implemented in dev environments along with other code testing tools (SAST and DAST). Over three dozen tests were generated for various scenarios, identifying two vulnerabilities that their developers promptly fixed.

Our champion attributes this testing prowess to our approach: “My favorite part about Levo is how they begin from discoverability, understanding, and observing APIs. Only then should we set up certain controls to monitor and test them. This is the core reason why they can automatically modify/generate custom tests so well no matter how complex the environment may be.” 

‍

3. Enabling DevSec Teams to do more in less time

As part of the CI/CD process, all code submitted is validated across several parameters, including API Security.

Levo’s implementation eliminated the need for the development team to manually test APIs, saving resources and providing peace of mind. Security professionals only have to monitor selected vulnerabilities instead of searching for threats everywhere. This ensures time is spent only on issues needing attention, and those issues are resolved immediately.

This approach not only saves precious man-hours but also fosters a deep security culture within the enterprise. Chaithanya states, “Here at Zluri, we deploy something once every two weeks. Levo's flexibility has made our lives easier. Developers see vulnerabilities upfront in real-time, understand what went wrong, and then fix them. This trains our engineering teams to be more security conscious.”

‍

4. Levo best of both-

While Shifting Left is a welcome trend among enterprises to combat increased rates of data breaches, it can have negative impacts if taken to the extreme.

Application and API behavior, sensitive data flows and weaker authentication details are only visible in runtime, and focusing too much on the left side of the SDLC can cause neglect of these runtime metrics. Static code scanning isn’t a replacement for runtime security tools.

No matter how extensive test frameworks might be, they can never encompass all the different cases experienced in runtime. That's why we at Levo provide visibility, monitoring, and testing across all stages of SDLC, including production. We help our customers solve for security holistically rather than on a piece-by-piece basis, as Chaithanya remarks: “It's always helpful to maintain a balance between monitoring your observability and ensuring early-stage testing. Levo is a great solution for enterprises seeking a holistic view of their APIs as it helps maintain a balance between the right and left side of the SDLC.”