Upvest Highlights the Value of Pre-Production API Security Testing

Upvest partners with APIsec to secure their investment API.
Published: February 9, 2024
Read Time: 5 minutes

The Business Impact:

Sebastien Jeanquier

Chief Security Officer

"It was very important for me that we weren't just scratching the surface of security by trying to throw a dumb scanner at a bunch of endpoints and failing in a bunch of cases because it's not able to follow the business logic of different paths. With APIsec, Upvest has both the depth and the breadth of testing on the basis of a variety of logic within the API itself."

About Upvest

Founded in 2017, Upvest enables businesses to build investment experiences for their end users – seamless, secure, and across international borders. Upvest’s single Investment API and digital infrastructure streamline the whole process, letting their customers focus on their core business.

The Challenge

  • Daily API updates under an agile development model
  • Continuous testing of hundreds of API endpoints
  • Complex and layered business logic models

Upvest has built a thriving fintech on their Investment API and supporting infrastructure. Upvest’s API sits in front of sensitive customer and end-user personally identifiable information (PII), making “security first” a critical element of the Upvest development methodology.

Sebastien Jeanquier, Upvest’s Chief Security Officer, worked alongside Upvest’s technology leaders to define and implement the security practices needed for a Secure Software Development Lifecycle (SDLC). API security is a critical aspect of the SDLC, and Jeanquier’s unique background attuned him to the requirements and challenges associated with creating a strong API security program at Upvest. 

Upvest’s API evolves daily under an agile development model, requiring continuous testing of dozens of API endpoints leveraging complex and layered business logic models. Jeanquier has a long career in cybersecurity and served as head of penetration testing advisory and services to top-tier global clients across multiple industries including Financial Services. Based on his offensive security expertise, Jeanquier knew that achieving the breadth and depth of testing necessary to expose vulnerabilities at the speed of their development team was not possible with point-in-time human penetration tests.

The Solution

Among the pen testing solutions on the market, APIsec was the only one purpose-built for automated API security testing. With APIsec, the Upvest security team found the technology they needed to automate penetration tests of their API against a broad range of security vulnerabilities.

The APIsec solution runs every day against the latest build of Upvest’s API, ensuring that known security vulnerabilities can be flagged and addressed before they impact their customers’ use of the API. The real-time updates on risks and issues have been vital in maintaining the security of Upvest’s services.

The Results

Coverage

"It was very important for me that we weren't just scratching the surface of security by trying to throw a dumb scanner at a bunch of endpoints and failing in a bunch of cases because it's not able to follow the business logic of different paths. With APIsec, Upvest has both the depth and breadth of testing on the basis of a variety of logic within the API itself."

Responsiveness

"As with any API security testing, some portion is going to be unique to each client’s technical environment and the business logic of the API itself. We were thrilled with APIsec’s ability to auto-discover and build the majority of our test cases based upon our rigorous API documentation, and the solution’s flexibility to allow us to further refine and customize our test scenarios over time."

Speed to Value

"One unique aspect of Upvest is our approach to secure authentication within our API that requires HTTP signing of every request. The majority of scanners simply cannot accommodate our complex authentication model. APIsec was able to work with our team to have the solution running and improving our security posture within the first week."