The inside trace.

AWS WAF and CloudFront: How to Use Them Together

Security is really important. There is nothing like the gut-wrenching feeling of exposing users' data. However, security isn't the most exciting part of web development and is often ignored. Using AWS CloudFront and AWS WAF together, you can add some security to your sites with less work and focus on making features for your users.

How to Test API Security: A Guide and Checklist

APIs are the pipes that connect various applications and (micro)services. As data flows through them, security is of utmost importance to prevent data leakage. Also, since APIs are like doors into your application, they're the obvious entry point for attackers who want to break your system.

WAF vs. RASP: A Comparison and Guide to Leveraging Both

The majority of organizations rely heavily on third-party web applications connected through APIs to generate revenue and serve customers. In many cases, these web applications contain security vulnerabilities.

Try a DevOps Approach to Reduce Security False Positives and Negatives

Better security rules increase false positives — which causes more complacency. Better tools for creating the context for more sophisticated rules and automated workflows can help.

Planning for Modern Application Security Forensics and Exploration

As part of DevSecOps best practices, modern application developers and security teams should borrow techniques from crime scene forensics to investigate and protect against attacks.

Announcing Traceable AI - The First Free API Security Solution

Today marks an exciting milestone for us and for the security industry overall. Today, we are announcing the industry’s first free API security solution.

API Authentication and Authorization the Right Way — Part 3

Teams need to address three core elements to develop an effective yet scalable model for API security.

Shine a Light on Shadow APIs To Improve Security

Shadow APIs lurk outside the sight of normal IT governance processes. The problem: Attackers can use them to access data and applications.

Traceable wins 2021 Fortress Cyber Security Award

Traceable was just named winner of the 2021 Fortress Cyber Security Award for application security. As CTO and co-founder, here's my thoughts on this.

What is Zero Trust in the Cybersecurity Executive Order

The president of the United States signed an Executive Order on improving the Nation’s Cybersecurity. It covers many things, one of which is zero trust architecture. What does this mean?

How Zombie APIs Pose a Forgotten Vulnerability

Like the undead, deprecated APIs can lurk hidden in the background until an attacker gives them new life. The fix? A proper funeral.

Traceable Winner of the Global InfoSec Awards for Next-Gen in Cybersecurity Artificial Intelligence

Traceable was just named winner of the Global InfoSec Awards for Next-Gen in Cybersecurity Artificial Intelligence during RSA Conference 2021. As CEO and co-founder, here's my thoughts on this.

Web API Security: Rule-Based and Signature-Based Only Security Isn’t Good Enough

Attackers have learned to defeat traditional ‘moat around the castle’ perimeter defenses. Modern application security tools offer the answer: distributed tracing and AI that understands the app they protect.

How RASP Has Transformed App Security. What’s Next?

Runtime Application Security-Protection tools have evolved from standalone technology to essential components guarding web applications. But they are falling short. What's needed next?

WAF Versus NGWAF: How They Evolved and Where They Still Fall Short

What's the difference between a WAF and an NGWAF? Does it matter? Enterprises need to look beyond Web Application Firewalls to protect against API vulnerabilities

Why I Joined Traceable

This blog about why my career transition to Traceable has taken longer than expected. My new job in this dynamic company has kept me very busy — in a good way.

How To Avoid Exposing Private Data By Securing APIs

What cloud application security options are available to protect personal data in the API economy?

The Prescription for Vulnerable Mobile Health Apps: Protect APIs

When a security expert tested several dozen mobile health applications, all had API vulnerabilities that could leak personal information. This should be a warning call.

API Security Challenges: How to Manage APIs Amidst Continuous Change

We're living in a world of continuous change, which makes it hard to manage APIs. Read this guide to API security challenges and how to fix them.

Top 5 Ways To Protect Against Data Exposure

Attackers are listening to your API chatter, finding vulnerabilities that reveal valuable (and personal) data. Here’s what developers should consider to protect against excessive data exposure.

The Consequences of Poor Authentication and Authorization Practices in APIs

Everything You Need to Know About Authentication and Authorization in Web APIs - Part 2. In this post, we’ll cover examples of real-world API vulnerabilities and look through the examples to understand how attackers could breach your defenses.

Everything You Need to Know About Authentication and Authorization in Web APIs - Part 1

Part 1: Technologies used to create web applications have fundamentally changed. Authentication and authorization techniques must change with them.

Web Application Security Is Not API Security

Traditional web security was relatively easy: defend the web application like it was the Queen’s castle. With the rise of microservices, however, application security must be smarter.

4 Steps To Secure Requests Between Microservices

As microservices grow in popularity, they present attackers with more opportunities for API attacks. These new security approaches can help.

Does SAST Deliver? The Challenges of Code Scanning

Code scanning performed by Static Application Security Testing tools helps developers find vulnerabilities even as they write code, but at a cost. 

Use the OWASP API Top 10 To Secure Your APIs

Think of the OWASP API Top 10 as a checklist of vulnerabilities that bad actors can use to breach your system. Here’s how to be confident in your application security.

Traceable Defense AI M8 Released

Traceable Defense AI M8 release includes: easier deployment process, extended agent support, extended API Intelligence, easier to find problems, protection additions, improved UX around threat hunting, ability to isolate per environment

6 New Requirements for Securing Microservices vs. Monolithic Apps

The shift to microservices requires new ways to anticipate, plan, and protect web applications. Here are 6 key things to consider when thinking about the transition.

What is the OWASP Top 10?

OWASP has been the face of web application security for almost 20 years. They’ve worked tirelessly to increase the security of the web. One of the most widely known contributions to the industry is the OWASP Top 10 List.

What is Web Application Security?

Web Application Security is security for web apps, right? As with many technical topics, there are plenty of rabbit holes to dive into when discussing web application security, but let’s focus on the critical questions many have about it.

The Shopify Breach: Why Authz Exploits Slip by Most Security Defenses

Lacking the power of AI and machine learning, common security technologies miss API attacks by not seeing the broader business context. Here’s what happened at Shopify.

Application Security in the Public Cloud Requires Shared Responsibility

The shared responsibility model describes how security is shared by both the cloud provider and user. Here’s how modern application and API security requirements change the equation.

Why Was Facebook Vulnerable to an Authentication Exploit?

Even the largest companies in the world are susceptible to API vulnerabilities. How modern security defenses fail — and how to fix them.

Why CISOs are Investing in Traceable AI

Traceable AI has announced a strategic partnership with Silicon Valley CISO Investments (SVCI), an angel syndicate of 55+ practicing CISOs who are putting their money as well as their time and strategic counsel into innovative cybersecurity startups. To find out more about SVCI and what attracted the group to Traceable AI, we conducted a Q&A with one of the SVCI investors, Jonathan Jaffe, CISO at Lemonade.

Does Dynamic Application Security Testing (DAST) Deliver?

The idea behind Dynamic Applications Security Testing (DAST) is pretty clever — a tool that simulates a human penetration tester. With the URL of an app to test, the tool gets its hands dirty and provides a vulnerabilities report. DAST tools are not just contextless fuzzers; they have intelligence and decision-making capabilities which help them show more interesting results. This article discusses different components of DAST tools, how they work together, and challenges they face in the modern development environment.

The Uber API Authorization Vulnerability

Most security defenses would have missed the Uber API authorization vulnerability. Here’s why. To proactively protect applications, modern security programs need to understand the business logic that guides them.

Traceable Defense AI M6 and M7 Released

M6 and M7 bring GraphQL and gRPC, new agent support, OpenTelemetry compatibility, business risk visibility and API risk scoring, many new and configurable blocking rules, lots of new discovered data on your API endpoints, and improved enterprise readiness.

SecOps: Go Beyond Application Security Testing With Runtime Protection

SecOps keeps production environments safe. Now, “shifting left” approaches are needed to secure production applications and APIs.

What Runtime Application Self-Protection (RASP) Doesn’t Solve

RASP is not a plug-and-play technology; it requires a full cycle of validation with existing applications to ensure functionality and performance are not adversely affected. There is a need for a better solution in the application security world that can provide more in-depth insight into attacks as well as detect anomalous behavior.

Protecting Against the Hidden Threats of New Technologies

Modern technologies such as cloud native and microservices applications introduce new threats, often unseen threats. Learn how to uncover the threats and improve your application security against the OWASP top 10 and OWASP API top 10.

The Evolution to Cloud-Native Applications and APIs

Cloud-native, microservices architectures, and API's have become the new building blocks of today's modern apps. With these new technologies comes faster development speeds, more complexity, and more attack surfaces. Due to these challenges, securing modern applications requires a different mindset than before.

Modern Application Security and Supply Chain Attacks - 3 challenges

API Security is a vital part of delivering secure modern applications. Today's supply chain threat vector illustrates yet another reason why teams need to focus on microservice visibility and microservice security - effectively API Security.

Security Observability: Why Tracing?

Why modern applications and api security needs a new paradigm to address the security challenges of modern, cloud-native and microservice applications.

5 Reasons Why App Sec and Eng Teams Must Work Together

Modern applications require security and engineering too collaborate to ensure API security of their cloud-native and microservice-based applications

Secure Kubernetes Architecture: 6 Factors Essential to Success

Modern applications based on containers, kubernetes, microservices, interwoven APIs require several key capabilities to be successful. API security is an emerging challenge that requires focus by all teams.

Financial Services Risk Management: Why Application Security

Protecting modern applications requires a clear understanding of risk, risk mitigation, and business impact. API Security is a critical concern.

Why Web App Firewalls Aren’t Protecting Your Cloud-Native Apps

Modern applications create new and unique security challenges that legacy WAFs cannot fully address.

3 Threat Vectors Addressed by Zero Trust App Sec

Modern Application Security - Good and Bad News part 2

Inon Shkedy, co-author of the OWASP API Top Ten, outlines the application security impact of API security and microservices.

What to Look for in an Enterprise Security Tool

Application security requirements have evolved along with modern, cloud-native application architectures. Learn what you should look for when exploring application security solutions which must address api security.

Modern Application Security - Good and Bad News

This is the first article in a 2-part blog series outlining how application security has changed (or needs to change to address api security).

TraceAI : Machine Learning Driven Application and API Security

API security is a crucial concern when deploying and managing modern applications. Machine learning enables robust, scalable, and resilient application security.

Introducing Traceable

Traceable.ai now available to help teams address modern application security challenges that WAFs cannot. In many ways, we're here as a Web Application Api Protection (WAAP) solution for cloud native applications.