Traceable API Security Platform Update: End of 2022
Happy New Year from the Traceable team! We want to share some key product updates released in the last two months.
API Catalog – Complete Visibility and API Governance
Improved automatic authentication detection
Detecting whether an API endpoint requires authentication is important for assessing its risk level. For example, an endpoint that handles sensitive data without authentication is a higher risk than one that handles the same data behind authentication.
There are many authentication types and many ways credentials can be passed, such as a JWT buried in a response body. Recent improvements to the authentication type detection rules have made it more accurate to detect whether an API is authenticated, and how.
Authentication types recognized now include basic auth, API keys, bearer token, digest auth, OAuth 1.0 (+HMAC), OAuth 2.0, MAC, and client secret.
Improved UX for Data Classification
Sensitive data classification comes with many pre-defined data types and data sets out of the box, such as GDPR, HIPAA, PCI DSS, PII-NA, etc. However, the ability to customize data types and data sets is important so that Traceable identifies your organization-specific sensitive data, such as VINs if you work with automobiles, or the exact pattern of your member IDs.
The data classification user experience has been enhanced to make it easier to manage data sets and data types and for quicker access to the details throughout the UI. It’s all about making it easier to protect your sensitive data.
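To show what a custom data type with "the correct pattern" looks like in practice, here is an added example written for this post; it is not Traceable's classifier and does not use Traceable's rule format. It pairs each regular expression with an optional checksum validator, so a string that merely looks like a VIN or a card number but fails its check digit is dropped instead of reported. The `MBR-` member ID format, the data set names, and the JSON response body are all constructed for the example; the VIN check-digit and Luhn algorithms are the standard ones.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class DataType:
    name: str
    pattern: re.Pattern
    data_sets: Tuple[str, ...]                         # data sets this type belongs to
    validator: Optional[Callable[[str], bool]] = None  # rejects regex hits that fail a checksum


# VIN check digit (position 9): transliterate letters, weight each position, take mod 11.
_VIN_LETTERS = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                        [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
_VIN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2)


def vin_check_digit_ok(vin: str) -> bool:
    values = (int(c) if c.isdigit() else _VIN_LETTERS[c] for c in vin)
    total = sum(v * w for v, w in zip(values, _VIN_WEIGHTS))
    expected = "X" if total % 11 == 10 else str(total % 11)
    return vin[8] == expected


def luhn_ok(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Out-of-the-box style types (patterns simplified for this example).
BUILT_IN = [
    DataType("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), ("PII",)),
    DataType("credit_card", re.compile(r"\b\d{16}\b"), ("PCI DSS",), luhn_ok),
]
# Organization-specific types; the member ID format is an assumption of this example.
CUSTOM = [
    DataType("vin", re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"), ("Automotive", "PII"), vin_check_digit_ok),
    DataType("member_id", re.compile(r"\bMBR-\d{8}\b"), ("Customer",)),
]


def classify(text: str, types=None):
    """Return (type name, matched value, data sets) for every validated hit in `text`."""
    hits = []
    for t in types or BUILT_IN + CUSTOM:
        for m in t.pattern.finditer(text):
            if t.validator and not t.validator(m.group()):
                continue  # pattern matched but the checksum failed: treat as a false positive
            hits.append((t.name, m.group(), t.data_sets))
    return hits


def impacted_data_sets(text: str):
    """Which data sets (GDPR, PCI DSS, ...) a response body touches."""
    return sorted({s for _, _, sets in classify(text) for s in sets})


# Constructed API response body used as input. The first VIN has a valid check digit (X);
# the "previous" one differs only in the check digit, and the "ref" number fails Luhn.
SAMPLE_RESPONSE = json.dumps({
    "owner": {"email": "jane.doe@example.com", "member_id": "MBR-00042117"},
    "vehicle": {"vin": "1M8GDM9AXKP042788", "note": "previous vin 1M8GDM9A5KP042788 was a typo"},
    "payment": {"card": "4111111111111111", "ref": "4111111111111112"},
})

if __name__ == "__main__":
    for name, value, sets in classify(SAMPLE_RESPONSE):
        print(f"{name:12} {value:22} {', '.join(sets)}")
    print("data sets impacted:", impacted_data_sets(SAMPLE_RESPONSE))
```

The validator is what keeps a broad pattern like "17 alphanumerics" from flagging every order number in your responses; for custom types without a checksum, narrow the pattern instead (fixed prefix, fixed length, word boundaries).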
3rd Party API detection
Security teams typically lack visibility into which sensitive data is being shared with which 3rd parties via APIs. And while development teams may know the part they worked on, there is usually no centrally shared view. This is a large blind spot in protecting your data.
Traceable can now identify the 3rd party APIs being called and the sensitive data they handle. 3rd party API endpoints are listed on their own screen with clear indications of the sensitive data they handle and the service that calls them.
Improved user attribution rules
User attribution rules define how Traceable finds identity information in API calls to correlate user activity. The ability to customize these rules improves the flexibility and accuracy of identity tracking which can vary between organizations and applications.
A new interface makes creating and managing user attribution rules simpler. These changes also add the ability to set the order of rules to determine evaluation precedence.
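The two capabilities above, authentication type detection (under "Improved automatic authentication detection") and ordered user attribution rules, can be illustrated with one piece of code. The following is an added example written for this post; it is not Traceable's detection engine and does not use Traceable's rule format. The request dictionary shape, the rule sources (`jwt_claim`, `basic_user`, `header`, `query`), the header names checked, and the sample requests are all this example's own assumptions. JWT payloads are decoded without signature verification, which is acceptable for classifying observed traffic but never for an authorization decision.

```python
import base64
import json
import re

JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for classifying and
    attributing observed traffic, never for granting access."""
    if not JWT_RE.match(token):
        return None
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None

def _headers(req):
    return {k.lower(): v for k, v in req.get("headers", {}).items()}

def detect_auth_type(req):
    """Classify how a request is authenticated from its headers, query and body."""
    headers = _headers(req)
    scheme, _, params = headers.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "digest", "mac"):
        return scheme
    if scheme == "bearer":  # OAuth 2.0 style; tell JWTs apart from opaque tokens
        return "bearer-jwt" if jwt_claims(params.strip()) else "bearer-opaque"
    if scheme == "oauth":  # OAuth 1.0 header form; the signature method reveals HMAC
        return "oauth1-hmac" if 'oauth_signature_method="HMAC' in params else "oauth1"
    if any(h in headers for h in ("x-api-key", "api-key", "x-auth-token")):
        return "api-key"
    if any(q in req.get("query", {}) for q in ("api_key", "apikey")):
        return "api-key"
    body = req.get("body")
    if isinstance(body, dict) and {"client_id", "client_secret"}.issubset(body):
        return "client-secret"
    return "none"

def _extract(req, rule):
    """The identity value one attribution rule points at, or None."""
    src, key = rule["source"], rule.get("key", "")
    scheme, _, cred = _headers(req).get("authorization", "").partition(" ")
    if src == "jwt_claim":
        claims = jwt_claims(cred.strip()) if scheme.lower() == "bearer" else None
        return claims.get(key) if claims else None
    if src == "basic_user":
        if scheme.lower() != "basic":
            return None
        try:
            return base64.b64decode(cred.strip()).decode().split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            return None
    if src == "header":
        return _headers(req).get(key.lower())
    if src == "query":
        return req.get("query", {}).get(key)
    raise ValueError("unknown rule source: %s" % src)

def attribute_user(req, rules):
    """Evaluate rules in list order; the first one that yields a value wins,
    so the list order is the evaluation precedence."""
    for rule in rules:
        value = _extract(req, rule)
        if value:
            return rule["name"], str(value)
    return None

def make_unsigned_jwt(claims):
    """alg=none token built only to construct the sample traffic below."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."

# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = {
    "jwt": {"headers": {"Authorization": "Bearer " + make_unsigned_jwt({"sub": "user-1042"}),
                        "X-Forwarded-User": "proxy-identity"}},
    "basic": {"headers": {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}},
    "apikey": {"headers": {"X-API-Key": "k_live_123"}},
    "oauth1": {"headers": {"Authorization": 'OAuth oauth_consumer_key="abc", '
                                            'oauth_signature_method="HMAC-SHA1", oauth_signature="c2ln"'}},
    "anon": {"headers": {}, "query": {"page": "2"}},
}

# Attribution rules in precedence order (rule names and sources are this example's own).
RULES = [
    {"name": "jwt-subject", "source": "jwt_claim", "key": "sub"},
    {"name": "basic-username", "source": "basic_user"},
    {"name": "api-key-header", "source": "header", "key": "X-API-Key"},
    {"name": "proxy-user", "source": "header", "key": "X-Forwarded-User"},
]
```

Precedence matters: the "jwt" sample carries both a JWT subject and an `X-Forwarded-User` header, and reversing `RULES` changes which identity the request is attributed to. That is the kind of ambiguity an explicit rule order resolves.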
API Threat Protection
Dynamic Thresholds in Rate limiting
In addition to static thresholds for rate limiting, new dynamic thresholds protect your APIs against volumetric attacks using mean-based thresholds that can be configured per source type.
Traceable can now alert or block whenever the access rate of an API endpoint exceeds the mean access rate for that endpoint (aggregated over a user-configurable baseline interval in days).
This is combined with IP reputation and the type of the source (bot, TOR, VPN, proxy, etc) which allows customers to set different thresholds for regular users versus automated bots versus traffic coming from other sources.
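The following added example, written for this post and not Traceable's rate limiter, shows the mechanics of a mean-based dynamic threshold with a per-source multiplier. It assumes the baseline is the endpoint's mean requests per minute over the last N days, that each client's current rate (per source IP and endpoint, over a sliding 60-second window) is compared against that baseline scaled by its source type, and it adds a floor on the baseline so an endpoint that normally sees almost no traffic does not alert on a handful of calls. The multipliers, the floor, the endpoint and the traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean

# Headroom over the endpoint's baseline mean, per source type (values assumed for this
# example): regular users get the most, known bots get none.
SOURCE_MULTIPLIER = {"regular": 3.0, "vpn": 2.0, "proxy": 2.0, "tor": 1.5, "bot": 1.0}
MIN_BASELINE_RPM = 5.0  # floor so a low-traffic endpoint does not alert on a handful of calls


def baseline_rate(daily_counts, baseline_days):
    """Mean requests per minute for an endpoint over its last `baseline_days` days."""
    window = daily_counts[-baseline_days:]
    if not window:
        return MIN_BASELINE_RPM
    return max(mean(window) / 1440.0, MIN_BASELINE_RPM)


def threshold_for(history, endpoint, source_type, baseline_days=7):
    """Dynamic threshold = endpoint baseline mean x multiplier for the source type."""
    base = baseline_rate(history.get(endpoint, []), baseline_days)
    return base * SOURCE_MULTIPLIER.get(source_type, SOURCE_MULTIPLIER["regular"])


class RateTracker:
    """Sliding 60-second request counter keyed by (client_ip, endpoint)."""

    def __init__(self, window_s=60.0):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def observe(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        return len(q)  # requests seen in the last window == current requests per minute


def decide(tracker, history, event, action="block", baseline_days=7):
    """Return 'allow', or `action` ('block' or 'alert') once the client's rate on the
    endpoint exceeds the dynamic threshold for its source type."""
    rpm = tracker.observe((event["ip"], event["endpoint"]), event["ts"])
    limit = threshold_for(history, event["endpoint"], event["source_type"], baseline_days)
    return action if rpm > limit else "allow"


def run(events, history, action="block"):
    tracker = RateTracker()
    return [decide(tracker, history, e, action) for e in events]


# Constructed baseline: 7 days of 14,400 requests/day == 10 requests/minute.
HISTORY = {"/api/v1/login": [14400] * 7}


def burst(ip, endpoint, source_type, n, start=0.0, gap_s=2.0):
    """n requests from one client, 2 seconds apart, so they all fall in one window."""
    return [{"ip": ip, "endpoint": endpoint, "source_type": source_type, "ts": start + i * gap_s}
            for i in range(n)]


EVENTS = (burst("203.0.113.7", "/api/v1/login", "regular", 25)   # peaks at 25/min < 3 x 10
          + burst("198.51.100.9", "/api/v1/login", "bot", 12))   # 11th and 12th exceed 1 x 10

if __name__ == "__main__":
    for e, d in zip(EVENTS, run(EVENTS, HISTORY)):
        print(e["source_type"], e["ip"], d)
```

A mean alone is a weak statistic for bursty endpoints: a nightly batch job can drag the mean up and mask a daytime attack, and a brand-new endpoint has no history at all. The floor handles the second case; for the first, a practitioner would typically pair the mean with a static ceiling, which the "in addition to static thresholds" wording above allows.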
Threat Intelligence Integration
Bot, TOR, proxy, and VPN IP-type data from threat intel sources are now correlated with Traceable's detections for a more comprehensive understanding of API threats. The attacker threat score tracked by Traceable is combined with TOR and bot information to make incident detection more accurate. The threat actor, threat activity, and data protection screens all use this data.
Security Analytics – In-Depth API Intelligence
When doing forensics, threat hunting, or root cause analysis in Traceable's explorable API transaction data lake, you can now filter and search by IP type (bot, TOR, VPN, etc.), abuse velocity, IP reputation, ASN, and connectivity type (mobile, residential, corporate, etc.). This has helped numerous customers identify malicious actors and fraudulent users at the API layer, in use cases ranging from sensitive data exfiltration to account creation and free credit abuse fraud.
API Security Testing
AST Scan Policies
It is now possible to create, edit, and delete AST scan policies. A policy can be scoped to a specific purpose, such as a team, a use case, or an environment. An all-new policies screen helps users manage their policies, and policies can also be scheduled.
Run AST scans using OpenAPI Specifications or Postman Collections
Traceable’s API Security Testing module now supports importing OpenAPI Specifications to run the security scan for your APIs. You can also provide a Postman collection via CLI and run AST scans using the collection.
These two new methods of input enable running scans without having live traffic or needing to instrument your application. Traceable generates traffic based on the specs/collections and then uses it to create API entities, test suites, and test APIs. We call this smart DAST.
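To make the "generates traffic based on the specs" step concrete, here is an added example that expands a small OpenAPI 3 document into concrete request templates. It is written for this post and is not Traceable's smart DAST implementation; it handles only OpenAPI (not Postman collections), only local `#/components/schemas/...` references, only JSON request bodies, and resolves parameters and schemas to one sample value each. The spec it consumes is constructed for the example. As a side effect of walking the spec it also lists operations that declare no security requirement, which is useful when deciding where to start authentication testing.

```python
import json
from urllib.parse import urlencode

_STRING_SAMPLES = {"email": "user@example.com", "date-time": "2022-12-01T00:00:00Z",
                   "uuid": "00000000-0000-4000-8000-000000000000"}


def sample_value(schema, components=None):
    """Produce one concrete value satisfying an OpenAPI schema (example > enum > type)."""
    components = components or {}
    if "$ref" in schema:  # only local refs of the form #/components/schemas/Name
        name = schema["$ref"].rsplit("/", 1)[-1]
        return sample_value(components["schemas"][name], components)
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "object")
    if t == "string":
        return _STRING_SAMPLES.get(schema.get("format", ""), "string")
    if t == "integer":
        return schema.get("minimum", 1)
    if t == "number":
        return schema.get("minimum", 1.0)
    if t == "boolean":
        return True
    if t == "array":
        return [sample_value(schema.get("items", {}), components)]
    if t == "object":
        return {k: sample_value(v, components) for k, v in schema.get("properties", {}).items()}
    return None


def build_requests(spec):
    """Expand every operation in the spec into a concrete request template."""
    base = spec.get("servers", [{"url": ""}])[0]["url"]
    components = spec.get("components", {})
    requests = []
    for path, item in spec["paths"].items():
        for method in ("get", "post", "put", "patch", "delete"):
            op = item.get(method)
            if op is None:
                continue
            url, query, headers = path, {}, {}
            # path-level parameters apply to every operation under the path
            for p in item.get("parameters", []) + op.get("parameters", []):
                value = sample_value(p.get("schema", {}), components)
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
                elif p["in"] == "header":
                    headers[p["name"]] = str(value)
            body = None
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body = sample_value(content["application/json"].get("schema", {}), components)
                headers["Content-Type"] = "application/json"
            requests.append({
                "operationId": op.get("operationId"),
                "method": method.upper(),
                "url": base + url + ("?" + urlencode(query) if query else ""),
                "headers": headers,
                "body": body,
                # operation-level security overrides the document default; [] means none
                "security": op.get("security", spec.get("security", [])),
            })
    return requests


def unauthenticated(requests):
    """Operations that declare no security requirement: first candidates for auth tests."""
    return [r["operationId"] for r in requests if not r["security"]]


# Constructed minimal OpenAPI 3 document used as input.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],
    "components": {"schemas": {"User": {"type": "object", "properties": {
        "email": {"type": "string", "format": "email"},
        "role": {"type": "string", "enum": ["member", "admin"]}}}}},
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer", "minimum": 1}}],
            "get": {"operationId": "getUser"},
            "put": {"operationId": "updateUser", "requestBody": {"content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}},
        },
        "/health": {"get": {"operationId": "health", "security": []}},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_requests(SAMPLE_SPEC), indent=2))
    print("no security requirement:", unauthenticated(SAMPLE_SPEC and build_requests(SAMPLE_SPEC)))
```

The request templates are the seed for a scan: each is sent once to discover the real API entities, then mutated (other enum values, boundary integers, another user's `id`) to build the test suites. Note that a spec only describes what the API is supposed to accept, so anything the implementation exposes beyond the spec is invisible to this approach, which is why spec-driven scans complement rather than replace traffic-based discovery.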
OWASP API Top 10 Coverage
Traceable AST scans cover the complete OWASP API Top 10. This helps customers to test their posture against all OWASP API Top 10 risks. Traceable is continuously refining and adding new testing capabilities to the API Security Testing module.
Environment-based role-based access control
As larger enterprises onboard users to Traceable, they want to grant users access to specific environments only (for example, API security testing users should have access to Dev and Staging, while the Infosec team needs access to Prod). This can now be done by adding users to the relevant environments or by updating the access of existing users.
Environment-specific policy configurations
Because APIs and their microservices vary per environment, access control policies need to be enforced per environment. If a customer has web-facing REST APIs in a single Kubernetes environment front-ended by Apigee, the policies will differ from those for partner APIs that live in a different environment behind an F5. You can now apply policies per environment, so there are no overlaps and no unintended consequences from clashing rules.
The Traceable platform relays and data collectors are released asynchronously from the platform features and the details can be found in the data collection release notes.
Here are a few highlights:
- HashiCorp Vault integration – Traceable data collector 1.25.0 supports reading secrets stored in HashiCorp Vault. This can be configured through either Helm values or Terraform.
- eBPF OpenShift SCC deployment – Traceable data collector 1.25.0 release supports deploying eBPF in an OpenShift SCC environment.
- eBPF egress data capture – Traceable data collector 1.25.0 release for eBPF supports capturing of egress data.
- eBPF select pods for installation – When deploying eBPF you can now select the pods to install to by using Kubernetes custom selectors.
- AWS VPC mirroring – Traceable data collector 1.26.0 release provides a Terraform template for AWS VPC mirroring.
- Traceable platform service as a headless service in Kubernetes – Traceable data collector 1.26.0 can run the Traceable Platform service as a headless Service in Kubernetes, which enables gRPC client-side load balancing for Traceable's tracing data collector. In 1.26.0, only the Go data collector supports this client-side load balancing.
- Processing pipeline improvement – 1.26.0 optimizes the Traceable data collector’s processing pipeline to improve the performance of the data collector’s span exporter.
- Various bug fixes.
See the data collection release notes for other additions and more details.
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.