Navan is a corporate travel and expense management platform trusted by thousands of enterprises globally. APIs are core to Navan’s application architecture, powering bookings, payments, and integrations with travel partners. Navan’s application security team, led by Staff Security Engineer Tarik Ghbeish, recognized that API security played a major role in the company’s overall security posture.
Prior to Traceable, Navan had implemented another API security tool that gave them visibility and basic protection, but did not offer robust testing capabilities. The Navan team realized they needed to close the testing gap when their bug bounty program discovered a vulnerability in some of their APIs that could potentially expose private data. They replaced their previous solution with Traceable for comprehensive API discovery, testing, and protection in one platform. Traceable automatically tests their APIs and allows the team to write custom tests to detect and prevent specific vulnerabilities. Implementing Traceable’s testing capabilities enables Navan to improve their overall API security posture and continuously release secure software.
Navan is a technology-first corporate travel, corporate card, and expense management platform trusted by thousands of companies around the world. Navan’s software allows users to easily book, view, and manage business travel and expenses, and provides finance leaders with real-time spend visibility and control. With physical and virtual cards, smart policy management, and automated expense reports, Navan streamlines the entire business spending process. Navan’s platform is powered by APIs, including critical integrations with travel and payment partners.
• Inability to identify and investigate API vulnerabilities in a scalable, comprehensive way
• Lacked automated and custom testing capabilities with previous API Security solution
• Lack of historical data and API context required for incident response
• Saves budget: Traceable testing capabilities eliminated the need to purchase a separate DAST tool
• Saves time: Automated testing replaced manual testing previously conducted by 3 engineers
• Scales: Traceable enabled Navan to consistently and automatically test all their APIs, improving overall security posture
Navan’s Application Security team, led by Staff Security Engineer Tarik Ghbeish, was working to mature their application security program. They recognized the importance of API security, and adopted a tool that provided visibility into API activity. The company also had an active bug bounty program that allowed white hat hackers to report discovery of application vulnerabilities. One bug bounty report disclosed a vulnerability in one of Navan’s APIs that might have allowed an authorized user to access data across other tenants that they should not have been able to access. Navan’s application security team uncovered the same cross-tenant vulnerability in a few other APIs via manual testing.
Ghbeish and his team needed to find and remediate any additional instances of the vulnerability across all their APIs, but manual testing was difficult to scale. They also needed a process to ensure that developers wouldn’t reintroduce the same vulnerability when
making changes.
Navan’s previous API Security solution lacked the automated testing capabilities Navan’s application security team needed to comprehensively test their APIs for the cross-tenant vulnerability and other API issues.
I was aware of 4 APIs with this pattern, and positive that this pattern repeated in our code, but I had no way to gauge how far. I suspected it was very deep, and knew we needed a tool that would let us analyze that.
Navan’s team didn’t have a scalable way to investigate the extent of the issue. The testing they were able to do was manual and reactive.
In the year prior to Traceable, we had team members who would either conduct burp suite tests, or leverage other tools to try to evaluate identified areas of concern. This was all more response-driven, and was difficult to accomplish. We didn’t have anything that would enable focused, proactive testing of all of our APIs.
Navan realized that they needed a tool that could automate testing across all their APIs, both in production, and during the development process, to detect vulnerabilities in API changes before developers released them to production. Ghbeish wanted a tool that offered the ability to write custom tests, so that he could specifically identify and fix other instances of the cross-tenant vulnerability.
Navan’s Application Security team works closely with other security functions in the company, including Incident Response and Fraud. The incident response team collaborates with the Application Security team for assistance identifying what sequences of activity occurred in the application at the time of an identified incident. Similarly, the fraud team works with the Application Security team to understand typical user behavior, in order to identify potentially fraudulent activity. Typical fraud attempts may include fake account creation, fraudulent credit card creation, or theft.
Having a record of API activity and understanding the historical behavior of API users could provide incident response and fraud teams with important context as part of their investigations. Navan’s previous API security tool provided API cataloging and basic protection capabilities, but lacked an API data lake for collection and analysis of API telemetry that could provide context to these investigations. They needed a tool that would provide API observability when researching incidents, while also meeting their API testing requirements.
While our primary goal was to find a tool that can also do testing, we also recognized the need for an API Security Platform that could monitor our APIs and API traffic and capture richer data to power investigation.
The Navan team initially considered a DAST tool to meet their testing requirements, but realized they could get everything they needed in one platform: Traceable. Traceable’s comprehensive API security platform not only met their requirement for API testing, but also provided an end-to-end API solution that also included API discovery and posture management, attack detection and threat hunting, and protection, all powered by deep analytics and an API security data lake.
With Traceable, Navan found an API Security Platform that not only offered their much needed testing capabilities, but also provided exceptional support during onboarding and beyond. Due to the complexity and maturity of their own product, Navan knew that whoever they selected would need to be able to not only support their onboarding process, but also be responsive enough to custom instrument for their environment.
We run ECS on AWS Fargate and not everybody supported that. In fact, Traceable didn't support that when we first started talking, but the team quickly worked to ensure that support was complete by the time we were ready to test.
This top-class support experience distinguished Traceable from other API security companies and gave the Navan team confidence that they would have a trusted partner on their API security journey.
With Traceable’s out-of-the-box and custom testing capabilities, Navan’s Application Security team was able to scale vulnerability testing across all of their APIs. They previously knew about vulnerabilities in 4 APIs, and with Traceable they found vulnerabilities in 50+ APIs. Traceable’s platform allowed them to create a custom test to detect the cross-tenant vulnerability they had discovered in a few of their APIs, enabling them to identify and remediate all instances of the vulnerability.
We knew the vulnerabilities were there, and without a platform like Traceable, we had no way to uncover them in a repeatable way. Now, as people publish new APIs, we can test them immediately.
Traceable has allowed the application security team to get ahead of vulnerabilities before others can identify and exploit them.
When we do get bug-bounty reports, the vulnerabilities are already known. We’ve already found and remediated it with Traceable.
The Application Security team at Navan has incorporated Traceable into their Product Readiness Review process, which is a review process that determines whether a new feature is ready to be released to the public. Typically, as developers publish new APIs, they work with the Application Security team to run penetration tests. Now, with Traceable, even if developers don’t alert the AppSec team of new APIs, the team has the means to detect them in the system, and automatically test them.
Traceable provides API testing capabilities automatically - without writing custom code or requiring custom pen tests. Traceable enables us to run tests on all these new APIs as they are published in our staging environment. We can now detect potential problems, and conduct the necessary reporting, ticketing, and fixes pre-release.
Prior to selecting Traceable, they were also considering a DAST tool, but Traceable provided the comprehensive testing they were looking for and enabled them to write custom tests.
We decided that with Traceable testing in place, we didn’t need to get a DAST. Traceable also replaces the focused testing that we previously needed two or three people to conduct in the past in response to incidents.
As a security expert, Ghbeish is called upon to investigate when unusual behavior, such as an error in a booking, is identified in the application. He subsequently investigates user and API activity in order to understand what behavior a user is engaged in and whether or their current behavior is typical or abnormal. For these investigations, Ghbeish relies on Traceable’s rich observability and analytics.
With Traceable, I’m able to trace how API calls are connected to each other. This is incredibly valuable. When just looking in the logs, it’s not always clear how things connect. Traceable lets me pull out an API and then trace the whole chain so I can understand the order of operations. It gives me the full context to understand what a user is doing and whether the behavior is normal or not.
Looking ahead, Ghbeish and his team are exploring how to leverage Traceable’s rich API data and protection capabilities to detect fraud on the Navan platform. They are also exploring ways to use Traceable’s platform to conduct security-focused conformance testing and to enhance API documentation. They plan to work with their SRE/Cloud security team to leverage Traceable’s WAF and SIEM integration capabilities.