Know your API attack surface

Knowing your attack surface means having full visibility into what APIs you are exposing, how risky each API endpoint is, and how the different APIs and microservices/services of the application communicate with each other. With the rapid software development and release of today, attack surfaces are constantly changing, so whatever is providing your visibility should be continuously scanning for changes and making updates as well.

Company: FinTech company involved in e-commerce payment transactions

Sector: E-commerce

Role: Application Security Manager

Customer challenge

The customer was challenged with knowing their full API attack surface due to a lack of visibility. Knowing the full API attack surface meant knowing what and how many APIs they were exposing, whether those APIs exposed sensitive data, and what the risk level of each API was. This lack of API attack surface visibility left the company vulnerable to reputation-damaging data breaches (a big problem for companies that handle financial data).

With gRPC-based payloads, their existing WAF did not provide the visibility needed to solve this.

The Traceable AI API Catalog capabilities are enabling the company to overcome its API visibility challenges with:

  1. API Discovery – catalogs all APIs in their application landscape, including shadow and zombie APIs, so there are no unknown APIs.

  2. API DNA – brings visibility of all endpoints, including their parameters and whether or not they are properly authenticated and if they include sensitive data.

  3. API Risk Monitoring – continuously evaluates all API endpoints and provides a risk score based on 30+ criteria, which can be used to identify APIs to avoid using or that need higher-priority attention.

  4. User attribution – Traceable uses intelligent user attribution to track user activity across sessions, IP addresses and resets, no matter how deeply the user identity is buried. It uses this user attribution to provide an aggregated user storyline across all app activity.
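To make the discovery and sensitive-data points above concrete, here is an added example (not Traceable's code) that reconciles a documented API inventory against observed gateway traffic: routes seen in traffic but absent from the spec are shadow APIs, documented routes with no traffic are zombie candidates, and routes carrying parameters whose names look like financial or identity data are flagged for review. The spec, log lines and parameter-name patterns are all constructed for the example; a real deployment would read an OpenAPI document and gateway access logs.

```python
"""Reconcile a documented API inventory against observed traffic (constructed example)."""
import re
from collections import defaultdict

# Constructed stand-in for an OpenAPI inventory: "METHOD /route" with {id} placeholders.
DOCUMENTED_SPEC = {
    "POST /v2/payments",
    "GET /v2/payments/{id}",
    "POST /v1/refunds",  # documented but never called below: a zombie candidate
}

# Constructed gateway access log lines: "METHOD path[?query]".
ACCESS_LOG = [
    "POST /v2/payments",
    "GET /v2/payments/8f21",
    "GET /v2/payments/9c02",
    "GET /internal/export?card_number=4111111111111111&ssn=123-45-6789",  # undocumented
    "POST /v2/payments",
]

# Parameter names that suggest sensitive data; tune this list to your data classification.
SENSITIVE_PARAM = re.compile(r"(card|pan|ssn|iban|password|token)", re.I)


def normalize(method, path):
    """Collapse identifier-looking path segments to {id} so observed routes match the spec."""
    parts = ["{id}" if re.fullmatch(r"[0-9a-f]{4,}|\d+", p) else p for p in path.split("/")]
    return f"{method} {'/'.join(parts)}"


def inventory(spec, log_lines):
    """Return shadow routes, zombie routes and routes seen carrying sensitive-looking parameters."""
    observed = defaultdict(set)  # route -> parameter names seen in traffic
    for line in log_lines:
        method, url = line.split(" ", 1)
        path, _, query = url.partition("?")
        params = observed[normalize(method, path)]  # touching the key records the route
        for kv in query.split("&"):
            if kv:
                params.add(kv.partition("=")[0])
    return {
        "shadow": sorted(set(observed) - spec),
        "zombie": sorted(spec - set(observed)),
        "sensitive": sorted(r for r, p in observed.items() if any(SENSITIVE_PARAM.search(n) for n in p)),
    }


if __name__ == "__main__":
    print(inventory(DOCUMENTED_SPEC, ACCESS_LOG))
```

Run continuously against fresh logs, the diff between successive inventories is the change in attack surface that the section above says must be tracked.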

How Traceable AI helped

  1. Full API visibility – Traceable API Discovery and Risk Monitoring provided a full, up-to-date inventory of all APIs in the application landscape, including shadow and zombie APIs, along with the calculated risk score for each API endpoint, enabling the company to be aware of its risks and to prioritize mitigation.

  2. Sensitive data visibility – Traceable API DNA provided a full, up-to-date specification of all APIs in use, including which parameters were being used, the data flowing through those parameters, and whether they contained sensitive data. This enabled the company to catch APIs that unexpectedly handled sensitive data and get the issues resolved quickly. This visibility also made it easy to report to their GRC/compliance team.

  3. Increased attack visibility – Traceable uses user attribution to automatically correlate events and attacks across multiple sessions into related sequences. This enabled the company to effortlessly connect the dots and find attacks and other issues that were not apparent otherwise, including many bad actors who had snuck past their web application firewall.

  4. Intelligent user attribution – The company's login flow is unusual (users log in once, ever), so finding session identifiers and tracking user activity across sessions is difficult. Traceable's intelligent user attribution was uniquely able to adapt to track user activity, which enabled visibility and insights into user behavior that weren't possible with other tools.

  5. No cross-organizational deployment friction – Traceable's out-of-band (agentless) deployment option allowed the company's teams to quickly deploy and get value out of Traceable with no cross-organizational friction and no risk to existing apps or infrastructure.

Customer value in technical, business, and ROI/financial terms

  1. Raised awareness of application threat levels – Raised the company's awareness of how many attacks were happening that they should be blocking, and how many undetected attacks were bypassing their front gate. Before Traceable, they thought they didn't have that many attacks happening. Now they are aware of what and how much they need to protect.

  2. Power and influence – the company's Traceable champion has become a hero and now has more influence/power to effect change.

  3. Avoid damaged brand reputation – Because the company is a finance/check-out solution, any mistake or breach would be a big brand reputation problem for them. Therefore, it is very important for them to be as secure as possible.

Start tracing.
Start securing.