HR Software Innovator Secures Its APIs

Since 2015, HiBob has been on a mission to transform how organizations operate in the modern world of work. The innovative company is enabling that transformation and the future workplace with its HR platform, Bob. Bob wraps all the complexities of HR processes into a game-changing, user-friendly tool that benefits every employee across the business. Organizations that use Bob are able to accelerate hiring, retain the best talent, and elevate employee engagement. By providing such transformative capabilities, the company was able to exceed US$100 million in annual recurring revenue (ARR) less than three years after celebrating its US$10 million ARR milestone. When the company recognized the need to strengthen the security of API development and deployment, it found its solution in Akamai API Security.

Like many industry innovators, HiBob embraces a rapid development process grounded in APIs. This agile approach makes it possible to continually deliver new and updated features to its more than 3,500 customers. However, with nonstop changes happening across the company’s environment, security becomes more challenging. Recognizing the need to address this potential security gap, HiBob made its developers and DevOps teams as responsible for security as its security team.

Although that was an important step in elevating its security posture, HiBob also needed to support its security team, developers, and DevOps with better insight into the company’s API estate. As Tamir Ronen, Global CISO for HiBob, explains, businesses use APIs as the main technology to connect services and transmit data, but many organizations struggle to secure their APIs.

“API attacks are not pattern-based. As a result, web application firewalls (WAFs) provide few insights and limited security when it comes to the business logic at the heart of APIs. Plus, WAFs are not helpful when new business logic appears in a new process,” he says.

With sensitive customer data being transferred via its APIs, Ronen saw the need for a security solution designed to understand API business logic and data transfer. “A fast-paced company like ours requires better visibility into our APIs, and a way to understand how to make and deploy changes to business logic safely,” he continues.

Ronen found his solution in Akamai API Security. According to him, the most important feature is data encryption. “We can encrypt the data sent to Akamai Connected Cloud without risking data exposure to external parties, and API Security securely learns about API usage and business logic based on the hashed values of the data,” says Ronen.

He also appreciates the API discovery feature, which detects unprotected APIs and shows a frequently updated list of those APIs. “Discovery in a fast-paced environment is critical, as one mistake in the development process can create a breach should an API return a payload with data that shouldn't be there. The same goes for the shadow endpoints that can be potential conduits for risk that fly beneath our radar.”

Just as important is the behavioral analysis capability that detects threats and logic abuse across HiBob’s API estate, and triggers responses to mitigate them. “Behavioral analysis is critical to keep track of issues with APIs in our ever-changing environment,” Ronen explains.

Equally of value is the ability to take advantage of API Security ShadowHunt, a managed threat hunting service powered by Akamai's expert analysts skilled in API threat hunting.

After a simple deployment of API Security, HiBob saw value from day one. “The visibility into our API portfolio alone was amazing,” says Ronen.

In addition, behavioral analytics quickly proved beneficial. It’s important for HiBob to understand if something suspicious happens in business workflows. With API Security, the company was able to create a baseline of acceptable user actions. “We are automatically alerted to any action exceeding this baseline, prompting us to investigate. Not only do we know when to follow up on an issue, we have reduced the time to analyze API-related issues and events by 25% since using API Security,” he continues.

In addition, working hand in hand with Akamai’s threat hunting experts, Ronen and his team built an alert to be notified if someone bypasses the company’s WAF when an API call is made from a public API.

That’s not all. The Akamai solution helps the security and DevOps teams coalesce around a common language when it comes to API security on the network and endpoints. So, when the security team passes on details and stats from API Security about how a certain API is behaving in relation to endpoint usage and data flow, the development team can respond immediately. “Akamai API Security has helped us secure our important API estate while driving even more and better collaboration between our security and development teams,” Ronen concludes.

HiBob is on a mission to transform how organizations operate in the modern world of work with its HR platform Bob. Leading the way for the future workplace, Bob offers resilient, agile technology that wraps all the complexities of HR processes into a game-changing, user-friendly tool that touches every employee across the business.