Postman Uses Security to Engender Customer Trust
Postman has a technology platform that simplifies each step of the API lifecycle and streamlines collaboration so organizations can create better APIs, faster. The company started simply as a side project to solve a specific problem. Abhinav Asthana, Postman’s CEO and co-founder, set out to create a tool that would simplify the API testing process. As the tool’s usage quickly exploded, Abhinav recruited two of his former colleagues to help him create Postman, Inc. Their efforts have resulted in an API platform that delivers high productivity for developers, great quality for APIs, and airtight governance for organizations across the world.
Postman’s cloud environment today is all AWS but multi-cloud is a consideration. They build their applications as independent from the cloud platform as possible, for example, using Docker containers but not Amazon ECS.
Joshua Scott joined the company two years ago as the head of security and IT. He brought a wealth of experience in both areas to the quickly-growing startup. He currently has six primary teams under his purview, with responsibilities spanning everything from traditional IT to application security, product trust, and GRC. Of note is the product trust team, a hybrid development and solution engineering team that advises on and writes platform security features into the product to help improve the maturity of the SaaS platform.
“Demonstrating security to Postman’s customers is part of our value proposition. It’s a matter of trust,” says Scott. “In order to start earning customer trust, I formed the product trust function. Our customers have high expectations and it’s critical to us to make sure we maintain their trust. We launched a Trust Center to ensure that security is seen in an active light. My vision is to be the most trusted API platform backed by the most trusted organization.”
Agentless, feature-rich Orca leads the security stack
Scott had the opportunity to build his preferred security stack when he joined Postman. He learned about Orca Security and liked Orca’s agentless nature and its breadth of coverage.
“We decided to evaluate Orca and a couple of other tools in the cloud security space. Lacework was one of the contenders but it requires deployment of an agent,” says Scott. “It’s not a trivial exercise to install an agent to 1200 resources. It’s not something I want to tackle.”
Scott ruled out the security products that require an agent for several reasons. First, it’s not easy to add an agent to a running host. “If we had to deploy an agent, we would only get to about 70% coverage, realistically,” he says. “To get to 100% would require a lot of extra uplift. We have an aggressive roadmap and need to get visibility really quickly. We didn’t want to worry about working with product teams, who are already very busy, to get agents installed.” What’s more, he adds, agents raise concerns about interfering with the performance and availability of running systems.
Scott’s team also briefly looked at tools from several large portfolio vendors but quickly ruled them out due to Scott’s previous experience with those types of organizations. “With large organizations, it can be difficult to influence and work around their roadmap. Innovation and feature requests are much more challenging when you are dealing with a larger organization. This is why I opted to go with a smaller vendor that I can work with to shape and mold the product to our team’s needs.”
“I prefer to work with startups who are responsive and in tune with their customers, where you have an opportunity to influence the roadmap and shape what they do. Orca is that kind of company.”
Joshua Scott
Head of Security and IT
The importance of business context
Scott says that security tools typically fail to provide business context from the environment they are in. They don’t understand that an asset or an ID or an IP address doesn’t really mean anything to anybody. It’s just a representation of something. “The context side comes in when you tie that asset or ID to a department, a business unit, a revenue line, or the like,” he says. “It’s easier to make decisions, from a risk or threat standpoint, if I know the context behind that threat.”
The Orca Platform API aids Postman in feeding data about threats and vulnerabilities into existing tooling. Then, security views like Attack Path Analysis show risks in terms of multiple attack vectors. Orca scans workloads out of band and integrates that data with information from the control plane. This allows Orca to prioritize alerts very effectively in a way that tools without context from the control plane cannot. “This is one of the features that sold me on Orca,” says Scott. “It’s definitely valuable to understand what is possible and how critical the risk is. It gives me confidence to know whether we must respond to something right away or if we can just work on it when we can get to it.”
Scott says Orca Cloud Detection and Response (CDR) capabilities take threat context to the next level. CDR solutions ingest and analyze logs and feeds to detect when anomalous events and behaviors may indicate an attack in progress. Orca’s agentless CDR solution utilizes a snapshot scanning approach that collects data externally from the workloads’ runtime block storage (i.e., the data plane) and retrieves cloud configuration metadata via APIs (i.e., the control plane). Combined, this data is used to gain a contextual understanding of the most urgent cloud threats. “With CDR, we get enough information in the threat alert for us to make a decision about what to do,” says Scott.
Orca’s integrations and API are important to Postman
“The fact that Orca has an API is a big thing,” says Scott. “We’re evaluating SIEM solutions right now and we would like to be able to tie alerts into that so that we can provide additional responses through the SIEM.”
Scott says the Jira integration is another important requirement for Postman. “Everything we do is in Jira, so as long as I can get the tickets out of Orca into Jira, we’re good,” he says. “Orca has a pretty flexible routing methodology, which is critical for us because we have varying levels of complexity with routing tickets to different teams in Jira. As long as Orca has the information from a tagging standpoint, we can generate the mappings and the routing information to any one of 300 backend Jira projects. This is certainly the intent. We’re not quite there yet but we want to get there.”
“The more I can get out of this one solution, the better. I see Orca as the tool where we get all cloud-related security data.”
Joshua Scott
Head of Security and IT
Gaining visibility and measuring progress across the entire cloud estate
Prior to deploying the Orca Cloud Security Platform, Scott estimates that they could get to 20% visibility of the entire Postman cloud estate at any given time. “The fact that we can now get visibility across the entire landscape, and across a lot of data services that we may not necessarily be looking at, is nice,” he says. “We have visibility now into things that were just being ignored before. Having everything consolidated in one place, being able to tie risk to it, being able to show the attack paths, seeing it from a contextual standpoint, and being able to query the data—that’s just huge.”
Scott has just begun to use the Orca Security Score to measure progress in improving Postman’s cloud security posture. The overall score is calculated based on performance in five categories, including suspicious activity, IAM, data at risk, vulnerable assets, and responsiveness. “We’re still maturing our security procedures and Orca gives us a way to measure internally how we’re doing,” says Scott. “It’s good to quickly see our score so that I can see we are making progress.”
“I’m very bullish on Orca, both today and where the company is headed. I’m excited to see what comes next.”
Joshua Scott
Head of Security and IT
Another feature he has dabbled with is Sonar, Orca’s powerful query dashboard for querying data models about the state of the infrastructure. “Sonar is very powerful…I’m glad to see that UI improvements are on the roadmap for later this year. I’d love to be able to use Sonar to populate other areas to get to one source of truth from an inventory standpoint,” says Scott. “It doesn’t make sense to use another cloud security and visibility product when all the data I need is already in the Orca Platform.”
Orca Security is packed with Scott’s “favorite features”
Postman has benefitted from the built-in compliance reports in Orca. “It’s super useful to have the different compliance schemes and the ability to customize them,” Scott says. “I can quickly see where we stand with SOC 2 and ISO, even if we haven’t customized the templates yet. That’s on the list to get to.”
He’s quite excited about the attack path feature and the ability to shift left and get security information earlier in the development pipeline. “I’m definitely excited to see what insights eventually come out of that.”
As a feature-rich tool, Orca allows Postman to get more value out of this one platform and avoid buying additional tools. “Orca can replace some of the AWS built-in tools like GuardDuty. It also satisfies our need for cloud security posture management, entitlement management, and to a certain extent, EDR,” according to Scott. “It’s a solution that gives us security visibility around threats and risks in our entire cloud environment.”