Case Study: How Lightspeed ensures full security compliance with Escape
Lightspeed, a technology partner to more than 160,000 global retail and hospitality businesses, has recently transitioned to a centralized payments model and adopted GraphQL APIs as a cornerstone of its operations. GraphQL allowed Lightspeed to improve both efficiency and flexibility in data retrieval, resulting in better overall system performance. However, this adoption of GraphQL required the implementation of new robust security measures.
Use cases
- Continuous API discovery
- Simplified compliance management
- Getting insights for impactful & developer-friendly remediation
Lightspeed chose Escape to get complete security observability, achieve compliance with worldwide security standards, and help developers fix issues quickly.
The problem
When Lightspeed reached out to Escape, they faced a series of critical challenges:
- Stringent compliance requirements: Lightspeed is based in Canada but, serving a global customer base, must adhere to both PCI-DSS (Payment Card Industry Data Security Standard) and EU compliance requirements like GDPR (General Data Protection Regulation). Non-compliance with these regulations can carry severe penalties.
- GraphQL security blind spot: The adoption of GraphQL created a significant blind spot for Lightspeed's security team. Their existing security solution provider lacked the necessary support for GraphQL, resulting in a lack of visibility into the security of GraphQL APIs and potential vulnerabilities and threats. As a result, Lightspeed needed to enhance their visibility into GraphQL endpoints.
- Complex product landscape: Lightspeed's diverse range of products needed a robust understanding of APIs in a business context and the creation of synergy between development and application security teams. While product diversity was a strength, it posed a challenge for security. To maintain robust security across this broad product spectrum, the company needed complete observability of all APIs and guidelines to facilitate secure development.
The solution
“Escape is an innovative tool, and its results and algorithms are truly impressive. It was able to find GraphQL vulnerabilities that their competitors haven't seen. It also provides me with extensive testing capabilities.” - Pierre Charbel, Product Security Engineer, Lightspeed
Upon implementing Escape, Lightspeed saw immediate results on the security of its GraphQL APIs:
A comprehensive catalog of all exposed applications
After integrating Escape, Lightspeed achieved complete visibility into all exposed applications, including external shadow APIs. This catalog offered an extensive overview of the organization's application ecosystem, empowering Lightspeed to enhance control over its attack surface and make informed security decisions across numerous GraphQL APIs.
Compliance visibility
Escape greatly helped Lightspeed in meeting compliance requirements by providing a detailed view of the API security posture after a scan, covering various important security standards, including OWASP TOP 10, PCI-DSS, WASC, and CWE.
Thanks to Escape's thorough reporting, Lightspeed was able to maintain compliance with industry standards for GraphQL APIs and increase its focus on API security and data protection.
Feel free to explore a typical example of the Compliance Report that Escape offers its customers below:
Developer-friendly remediation
Another significant advantage of implementing Escape for the security team was the ability to provide developers across different products with detailed code snippets. This integration led to issues being fixed efficiently.
How Escape stood out for Lightspeed
Escape outperformed the competition for three primary reasons:
- Exceptional support for GraphQL, making it the preferred option for securing GraphQL APIs
- Escape facilitated compliance adherence by providing a detailed report for Lightspeed auditors on many standards like OWASP TOP 10, PCI-DSS, WASC, and CWE
- Escape uses advanced algorithms to discover APIs and their vulnerabilities and report security issues. This makes it easier for Lightspeed to achieve complete security observability and have visibility even into shadow APIs
Escape is also always there for Lightspeed, helping with daily tasks and fixing technical issues that may arise.
Future plans
With the success of the current collaboration, Lightspeed is looking forward to expanding its partnership with Escape and starting to cover its REST attack surface.