How Halodoc Automates API Security Testing 12X Faster and Better


About Halodoc

Halodoc is pioneering a digital health ecosystem with a mission to simplify access to healthcare by addressing users' pain points for accessible and reliable healthcare services. The company is also committed to promoting wellness by providing comprehensive health solutions, from preventive to curative approaches, all within a single application.

"Trying other tools, we got so many false positives that we couldn’t handle all the findings. We had to centralize vulnerabilities and see easily and clearly the real security issues and fix them."

Adithya Amarnath Application Security Engineer

Given the nature of the customer data in Halodoc’s health application, their commitment to security is paramount. Their journey into API security testing began with an internal push to educate teams and instill a secure coding mindset across departments. Recognizing the potential of leveraging QA teams for API security testing, they sought a solution, which became especially crucial after discovering a critical vulnerability in their flagship product. We interviewed Dody Alfian Rosidin, Engineering Manager of Information Security, and Adithya Amarnath, Application Security Engineer, about their unique API security challenges.

The Challenge

The team was looking for a tool that would be very developer-oriented and could fit into the QA and development teams' workflows without compromising their work.

The Halodoc Security team is responsible for all the product security domains such as Application Security, Cloud Security, DevSecOps and Security Operations.

As part of the team’s strategy, automation is key to streamlining security and keeping the team lean, as the ratio of security professionals to developers is 1:40! While looking to find the balance between tool acquisition and internal efficiency, the team wanted to overcome the following challenges:

Manual Testing was Time-Consuming, Seldom Inaccurate, and Quickly Outdated

The team was spending a lot of time on manual testing, making it hard to find vulnerabilities in advance. It took the team a day to complete a test, and a full quarter to complete the comprehensive testing on ~300 APIs.

“When it comes to tools, we found that traditional DAST are not focused on API issues and will produce a high rate of false positive issues that will slow down the CI/CD pipeline.”

Dody Alfian Rosidin Engineering Manager of Information Security

The number of issues found was unmanageable

The team was unable to cope with the large number of findings and struggled to prioritize effectively. Running a head-to-head comparison, they found that a commonly used DAST solution detected thousands of API issues, making it difficult to manage, prioritize and resolve them properly. Furthermore, because DAST produced a high rate of false positive findings, it was unlikely that developers would address those issues.

DAST solutions are not focused on API issues and slow down the CI/CD process

The team found that commonly used security solutions were not focused on API security and therefore provided inaccurate or incomplete results. Additionally, traditional DAST tools were slowing down the CI/CD pipeline, making DAST a poor fit for the shift-left approach.

When checked against the traditional DAST tool, that solution was limited and took a long time to run and produce findings. Based on Halodoc’s experience, it was also not focused on the API problem, yielding many inaccurate results.

