We shared today the news that Xolv has deployed Salt to protect the APIs at the heart of its healthcare applications. I always love interviewing our customers – I had extra fun talking with the team at Xolv, though, because it was my second time working with them (Xolv was a customer of my previous company, which provided security for containers and Kubernetes).
It’s no surprise a HealthTech company would lean into application security. And in many ways, the Xolv journey echoes that of so many of our customers.
“We’re building more applications all the time, they all run on APIs, and we had no idea how many APIs we have or how well they’re written,” explained Jason Weitzman, senior security engineer at Xolv.
Jason and his team looked at six different options for API security and quickly narrowed the list to three they wanted to evaluate. One simply couldn’t get up and running, and another required API documentation to apply security controls.
“That’s a non-starter for us. A huge driver for us to deploy API security is that we don’t know all our APIs in the first place, so any solution that depends on our inventory simply won’t work,” noted Jason.
Jason’s journey was like a lot of our customers’ in another important way – explaining to upper management why another security solution was needed in the first place.
“The hard part was getting them to understand the difference between this [Salt] and our WAF. We explained that Salt is the brains for our WAF – our WAF doesn't understand APIs, but Salt does. We had zero coverage on API security using just our WAF,” said Jason.
Jason’s not alone in this struggle to explain why WAFs can’t protect against API attacks. A lot of people haven’t had the chance yet to dig into how attacks change when bad actors target APIs specifically. Most classic application attacks rely on looking for a known vulnerability to exploit, like a SQL injection or cross-site scripting. Traditional defenses then rely on rules or signatures that block these known patterns.
API attacks are totally different. Since every API is unique, every API attack is unique, and bad actors have to poke and probe and try lots of different manipulations to find a business logic flaw in an API that they can exploit. To defend against this style attack, security tooling needs context over time so that it can correlate reconnaissance activity back to a single bad actor and block that attacker.
No WAF, no matter how feature rich, has the ability to understand context over time. WAFs allow or deny transactions one at a time. They cannot correlate what a given user did a minute ago, an hour ago, a day ago, much less weeks or months ago. But that’s how API attacks unfold, over many days and weeks, with lots of different manipulations.
The Salt architecture is fundamentally different, built on cloud-scale big data that hosts a baseline of all normal user and API activity. Salt then applies ML and AI to build context over time and correlate the activity that defines a bad actor’s reconnaissance efforts.
For Xolv, the immediate win came in having a complete inventory of APIs.
“I can go to the Salt dashboard and instantly see any new APIs, see if they expose sensitive data, and provide all that information on demand. If we’re asked for that info, by upper management or an auditor, we have it at our fingertips, and it’s dynamically updated all the time,” said Jason.
Xolv also appreciates the continuous runtime protection as well as the ability to identify where Xolv’s developers can amend their APIs to improve security.
“Salt provides detailed insights that we auto route to our dev teams, with details such as input validations that are missing or other constraints that should be applied. We get those insights before anyone can exploit those gaps in our APIs, and our team learns how to craft better APIs.”
The best part is, Jason has worked the Salt insights into Xolv’s existing stack and workflows.
“Everything integrates into our existing systems – our WAF, our AWS tools, and our Jira system for ticketing, so our team doesn’t need to go to the Salt dashboard to benefit from its insights.”
Jason doesn’t run a big team at Xolv – as tech forward and security focused as they are, they need platforms that are easy to deploy and run without much time investment. The case study makes clear how Xolv continues to be at the forefront of application security - it's been fun for me to chart the company's progress these past several years, and I can’t wait to see where the team goes next in this API security journey.
If you’d like to get a sneak peek at how your own API security journey could unfold with Salt, request a custom demo – we’ll get you full API discovery, attack prevention, and posture insights, all made easy, just like we’ve done for Jason and Xolv.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.