The Business Impact:
“A further challenge of identifying potential security gaps is to not disrupt the development and test flow of the engineers. This means that the tooling needed to play within the existing DevSecOps infrastructure.”
About EstateSpace
Company: EstateSpace (a brand of Griffin Global)
Founded: 2017
Industry: Asset Management
Vision: to transform private asset management through seamless integration of purpose-built technology, fostering unmatched data integrity and transparency, enabling experts to excel as never before.
EstateSpace provides asset management software designed to streamline estate management for wealth and estate managers. As the application grew in popularity, ensuring the security of highly sensitive data became a top priority.
Business Challenge: API Security Without a Security Team
EstateSpace faced several challenges as they sought to secure their APIs:
- Managing high-net-worth customers' concerns about data security.
- Operating without an in-house security team.
- High costs and limited coverage of manual penetration testing.
- Avoiding disruption to development workflows.
Key Challenges:
- Protecting sensitive data without a dedicated security team.
- High costs and limited effectiveness of manual penetration tests.
- Ensuring security measures did not slow down development processes.
The Solution: Automatic Coverage of Over 150 API Endpoints
EstateSpace partnered with APIsec to integrate automated and continuous API security testing into their development pipeline. APIsec provided comprehensive security coverage without disrupting existing workflows.
Key Considerations
- Initial API risk discovery scanning was completed in just 24 hours.
- Seamless integration into the development pipeline.
- Continuous testing and reporting on over 150 API endpoints using 1,500+ playbooks.
- Automatic detection and scanning for new vulnerabilities as developers update the application.
APIsec’s solution eliminated the need for manual security checks, enabling developers to focus on building and enhancing the application while ensuring robust security.
The Business Impact: Tangible API Security, Tangible ROI
API Security Coverage:
- Number of APIs covered: 150+
- Number of playbooks generated: 1,500+
- Frequency of automated tests: Continuous
Cost Savings:
- Reduction in manual pen-testing costs: 70%
- Annual savings: Significant compared to hiring a security test engineer
Vulnerability Detection:
- Number of vulnerabilities detected and remediated: 200+ in the first month
- Types of vulnerabilities detected: Business logic flaws, RBAC and ABAC authorization flaws, application DoS attacks, injection flaws
Deployment Speed:
- Time to integrate APIsec: <1 week
- Initial API risk discovery scanning time: 24 hours
Operational Efficiency:
- Reduction in security-related disruptions: 50%
- Number of actionable reports generated: 150+ per month
Developer Productivity:
- Time saved on security testing: 40% reduction in manual efforts
- Reduction in developer security support requests: 60%
Compliance:
- Compliance standards maintained: Industry-specific standards (e.g., GDPR, CCPA, SOC 2)
Incident Response Improvement:
- Reduction in mean time to detect (MTTD) and mean time to respond (MTTR): 50%
Comprehensive and Continuous Testing
“Through the use of playbooks each designed for a particular vulnerability type, APIsec was able to quickly generate approximately 1500 playbooks against over 150 API endpoints, testing thousands of potential vulnerabilities.”
— Matt Jenks, CTO/CSO, EstateSpace
Cost-Effective Security
“With APIsec as a partner, our privilege escalation testing was put together in under a month, resulting in a great return on investment as the total cost is well below the cost of a single security test engineer.”
— Matt Jenks, CTO/CSO, EstateSpace
Proactive Security Integration
“We found APIsec to be a great partner to work with overall, but especially when it came to our DevSecOps tooling. This provided developers with all the information needed to debug and identify the source of the defect, resulting in faster closure rates for privilege escalation-related defects.”
— Matt Jenks, CTO/CSO, EstateSpace
Looking Ahead: Sustaining Security Excellence
EstateSpace is committed to maintaining and enhancing its API security practices by focusing on the following:
- Expanding Testing Coverage: Broadening the scope of API security tests to cover new functionalities and services.
- Enhancing Automation: Increasing automation in security processes to reduce manual intervention and accelerate response times.
- Continuous Training: Investing in ongoing training for development and security teams to stay updated with the latest security practices and threats.
- Collaborating with APIsec: Leveraging new features and updates from APIsec to enhance their security posture.
By prioritizing these areas, EstateSpace aims to maintain robust protection of their APIs, ensuring the highest standards of security and reliability for their customers.