How Escape Enabled Deeper Business Logic Testing for Arkose Labs

Arkose Labs is a global cybersecurity company that specializes in account security, including bot management, device ID, anti-phishing and email intelligence. Its unified platform helps the world’s biggest enterprises across industries, including banking, gaming, e-commerce and social media, protect user accounts and digital ecosystems from malicious automation, credential stuffing and other types of online scams and abuse while ensuring legitimate consumers have a safe and seamless experience.
Arkose Labs is a security company with a deep commitment to, and a culture that revolves around, security and compliance. Given the critical nature of its services, it is vital that Arkose Labs has airtight API security. Beyond that, its enterprise partners require it to have comprehensive dynamic security testing. The company regularly assesses its needs against available solutions in the marketplace. During the latest evaluation, Arkose Labs made the switch to Escape. So how did Escape meet and exceed expectations for Arkose Labs?
Use Cases
- Deeper business logic testing
- Full GraphQL API support by Escape DAST
- Automated compliance reporting for auditing and customers
Arkose Labs chose Escape DAST to run business logic scans on their GraphQL APIs
The Problem
“APIs are the building blocks behind our main product. While most DAST scanners on the market are built for Web Applications, Escape DAST is purpose-built to protect APIs on top of Web Applications.” - Michael Bourgault, Senior Security Architect, Arkose Labs
Arkose Labs offers its customers what it calls an ‘enforcement challenge’ API that shields their login and registration flows from malicious and anomalous actors. It is essential to Arkose Labs and its customers that these APIs have absolutely no exploitable weaknesses.
For instance, Arkose Labs uses very modern GraphQL APIs and wanted to work with a vendor that also was at the cutting edge in protecting these next-generation query interfaces. Escape proved to be a game-changer. Its dynamic scanner with GraphQL support enabled the Arkose Labs security team to operate at even higher levels of efficiency and effectiveness.
Crucially, Arkose Labs’ enterprise partners require it to have comprehensive dynamic application security testing.
“There's just a certain point where you need to get more in-depth to get value.” - Michael Bourgault, Senior Security Architect, Arkose Labs
1. Need for cutting-edge GraphQL support
2. Need for even more custom and comprehensive dynamic security testing to uncover and pre-empt potential vulnerabilities
The Solution
“The value-to-time ratio is just 100% there.” - Michael Bourgault, Senior Security Architect, Arkose Labs
Upon implementing Escape, Arkose Labs saw immediate value:
1. GraphQL and API-native automated DAST scanning
“As part of our security procurement process, we are always evaluating our partners. We like to evaluate new solutions, and pivot when our needs change or when our partners' focus changes.” - Michael Bourgault, Senior Security Architect, Arkose Labs
Arkose Labs appreciated Escape’s fast time-to-value, helping the team to continue to operate at a very high level. And with compliance reports generated in one click, it was able to share its compliance and security posture with customers, auditors and any stakeholders instantly.
2. Deeper business logic testing
Testing for business logic is vital to many companies in the security industry to ensure there are no exploitable vulnerabilities. Using Escape’s proprietary AI-based DAST algorithm, Arkose Labs is able to continue to test for complex vulnerabilities so that none reach production unnoticed.
And so what further drew Arkose Labs to Escape was the ability to “write a custom test that looks for a specific business logic issue that's very native to our application or our API.” Escape’s custom rules are very simple to write using YAML syntax, and also require zero maintenance as they automatically adapt to the evolution of your existing APIs and to your new APIs.
Why Escape stood out to Arkose Labs
Escape stood out to Arkose Labs for 3 primary reasons:
- Native GraphQL security testing: Escape was the only DAST Arkose Labs found to fully support GraphQL security testing and effectively scan their entire attack surface.
- Business logic testing that is also native to APIs: Escape’s in-house AI-based algorithm allows Arkose Labs to continue to uncover critical vulnerabilities.
- Instant comprehensive compliance reporting: Escape provides full reporting capabilities, including dashboards, Pentest PDF exports, CSV exports, and developer-friendly exports, all in one click.
Thanks to Escape, Arkose Labs continues to operate with high levels of confidence in the security of their APIs, with the insights and automation to keep reducing risk over time.