Halodoc is pioneering a digital health ecosystem with a mission to simplify access to healthcare by addressing users' pain points for accessible and reliable healthcare services. The company is also committed to promoting wellness by providing comprehensive health solutions, from preventive to curative approaches, all within a single application.
Given the sensitivity of the customer data in Halodoc’s health application, their commitment to security is paramount. Their journey into API security testing began with an internal push to educate teams and instill a secure coding mindset across departments. Recognizing the potential of leveraging QA teams for API security testing, they sought a solution, which became especially crucial after discovering a critical vulnerability in their flagship product. We interviewed Dody Alfian Rosidin, Engineering Manager of Information Security, and Adithya Amarnath, Application Security Engineer, about their unique API security challenges.
The team was looking for a tool that would be very developer-oriented and could fit into the QA and development teams’ workflows without disrupting their work.
The Halodoc Security team is responsible for all the product security domains such as Application Security, Cloud Security, DevSecOps and Security Operations.
As part of the team’s strategy, automation is key to streamlining security and keeping the team lean, as the ratio of security professionals to developers is 1:40! While looking to find the balance between tool acquisition and internal efficiency, the team wanted to overcome the following challenges:
The team was spending a lot of time on manual testing, making it hard to find vulnerabilities before release. It took the team a day to complete a single test, and a full quarter to complete comprehensive testing of ~300 APIs.
The team was unable to cope with the large volume of findings and struggled to prioritize effectively. Running a head-to-head comparison, they found that a commonly used DAST solution detected thousands of API issues, posing difficulties in managing, prioritizing and resolving them properly. Furthermore, because the DAST tool produced a high rate of false positives, it was unlikely that developers would address those issues.
The team found that commonly used security solutions were not focused on API security and therefore provided inaccurate or incomplete results. Additionally, traditional DAST tools were slowing down the CI/CD pipeline, making DAST a poor fit for a shift-left approach.
When evaluated against the traditional DAST tool, that solution was limited and took a long time to run and produce findings. Based on Halodoc’s experience, it was also not focused on the API problem, yielding many inaccurate results.