Traceable secures the world’s first API-driven, open, and modern card issuing platform
A large card-issuing and payment solutions company obtained granular visibility and actionable intelligence into complex API behavior with Traceable AI, detecting and responding to API threats faster and more efficiently.
Company: A card issuing and payment solutions platform
Customer: This payment and card solutions platform provides developers with advanced infrastructure and tools for building highly configurable payment cards using open APIs.
Challenge: The company’s application security team was challenged to understand how the various microservices and APIs behave, whether they are accessing and sharing data securely, and if there are any vulnerabilities that could expose the APIs to misuse.
Solution: After evaluating offerings from Signal Sciences and Sqreen, the platform selected Traceable AI for its advanced observability and ability to quickly and accurately detect security threats across all calls, front to back and top to bottom, in the APIs.
28x faster triage time: down from 4 weeks to less than 24 hours
Accelerated API fixes by 6x: down from quarterly to 2 weeks
Nearly 200,000,000 API calls per year and growing
Strengthens overall security posture
Clear priorities to detect and respond to issues
Enhanced feedback loop between application security and product engineering
A card issuing and payment solutions platform is disrupting the world of payment cards. Physical cards, virtual cards, credit, debit, prepaid cards—by using an API-driven, open, and modern card issuing platform, this company is able to create many payment options for consumers.
The company’s application security engineering group was responsible for keeping that core business platform protected from API threats that could compromise its performance, availability, and data integrity. The Senior Manager for the Application Security Engineering team explained, “Our platform has grown and evolved over the last decade to include many niche APIs, as well as the monolithic core API, which we’ve been reimplementing with microservices. The number one challenge for my product security team is understanding what microservices and APIs have access to which forms of data, whether that access is authenticated and secure, and whether there are any opportunities in the public-facing APIs for misuse or abuse.” The team was facing significant challenges in managing the security of the product, from basic application security to customer onboarding, provisioning internal services, data security, and privacy engineering.
Like a lot of security professionals, this Manager deployed WAFs to inspect application traffic and look for malicious behavior. However, because WAFs rely on signatures, she noted, “Detection at the WAF layer can never truly be accurate with regard to the threats. Customers were still finding and reporting defects before we were. Our small team simply couldn’t keep up and we finally recognized that the WAFs were causing us more trouble than they were worth.” WAFs address security at the web application level, but APIs follow their own logic and structure. The company needed tooling to protect against targeted attacks on APIs that WAFs do not secure.
“Traceable AI provides clear priorities in terms of what to focus on and that’s helping us detect and respond to issues, as well as validate defects much faster. We can now measure our triage within a 24-hour cycle and, in some cases, within an eight-hour cycle instead of taking over 4 weeks.”
Senior Manager, Application Security Engineering
Traceable AI opens up a whole new world of API insight
The Senior Manager and her team started searching for a way to either shore up the WAFs or find an alternative security solution. Whatever direction they took, they had to ensure that the solution did not impede the availability and throughput of application traffic. The leader pointed out, “We’re dealing with transactions that are always flowing and we cannot suffer any downtime without there being a significant financial cost.”
The team evaluated offerings from Signal Sciences and Sqreen but found shortcomings in observability and in the ability to recognize the source of malicious API activity. Signal Sciences’ API security roadmap is diluted: it offers limited visibility into what happens inside an application and essentially follows a basic, continually enhanced WAF feed. Sqreen is little more than an in-app WAF, which raises the same concerns the company was trying to resolve. “When it came to understanding what triggered the bad requests, the behavior of the underlying API, or anything that would give us more detail, they were just lacking richness,” the Senior Manager said.
The New Normal: Traceable accelerates time to detect and respond
Traceable’s API Catalog helps to address the company’s immediate concerns about API visibility and security posture. Simply put: you can’t protect what you can’t see. Without an up-to-date inventory of their APIs, the team struggled to detect changes and to identify shadow, unknown, and outdated APIs.
With Traceable AI, the team has been able to dramatically reduce the time spent investigating issues within the APIs. Specifically, API Catalog performs automatic and continuous API discovery, giving comprehensive visibility into all APIs, sensitive data flows, and risk posture, even as the environment changes. The result is an immediate view of the company’s API security posture. Prior to deploying Traceable, the product security team would consistently spend over 4 weeks triaging potential API security incidents. Most of that time was spent trying to understand what the API was doing, tracking down the source of the malicious requests, and then estimating the blast radius to determine what services might be impacted.
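The inventory idea above (observe real traffic, compare it with what is documented, and flag shadow, outdated, and newly appeared endpoints) can be illustrated with a small script. This is an added example, not Traceable's code or the customer's: the access log lines, the documented endpoint table, and the sensitive-path keywords are all constructed for the illustration, and the log format is a hypothetical one chosen to keep the parser short.

```python
import re
from collections import Counter

# Constructed access log lines (hypothetical format: timestamp, method, path, status, tenant).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z GET /v2/cards/1234 200 tenant=acme
2024-05-01T10:00:01Z POST /v2/cards 201 tenant=acme
2024-05-01T10:00:02Z GET /v1/cards/1234 200 tenant=beta
2024-05-01T10:00:03Z GET /v2/cards/9876/pan 200 tenant=acme
2024-05-01T10:00:04Z GET /internal/debug/dump 200 tenant=acme
2024-05-01T10:00:05Z GET /v2/cards/1234 200 tenant=acme
"""

# Hypothetical documented inventory: (method, path template) -> lifecycle status.
DOCUMENTED = {
    ("GET", "/v2/cards/{id}"): "active",
    ("POST", "/v2/cards"): "active",
    ("GET", "/v1/cards/{id}"): "deprecated",
}

# Constructed keywords that suggest a path returns sensitive card data.
SENSITIVE_HINTS = ("pan", "cvv", "ssn")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})")
ID_SEGMENT = re.compile(r"^\d+$")


def normalize(path):
    """Collapse numeric path segments into {id} so that /v2/cards/1234 and
    /v2/cards/9876 are recognized as the same endpoint; drop any query string."""
    parts = path.split("?")[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in parts)


def parse_log(text):
    """Yield (method, normalized path, status) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("method"), normalize(m.group("path")), int(m.group("status"))


def build_inventory(log_text):
    """Observed inventory: how many requests each (method, path template) received."""
    observed = Counter()
    for method, path, _status in parse_log(log_text):
        observed[(method, path)] += 1
    return observed


def classify(observed, documented):
    """Compare observed traffic with the documented inventory."""
    shadow = sorted(ep for ep in observed if ep not in documented)
    outdated = sorted(ep for ep in observed if documented.get(ep) == "deprecated")
    unused = sorted(ep for ep in documented if ep not in observed)
    return {"shadow": shadow, "outdated": outdated, "unused_documented": unused}


def flag_sensitive(endpoints):
    """Shadow endpoints whose path hints at sensitive data deserve triage first."""
    return [ep for ep in endpoints
            if any(seg in SENSITIVE_HINTS for seg in ep[1].split("/"))]


def new_since(previous, current):
    """Endpoints present in the current inventory that were absent from the last run,
    i.e. the change-detection part of continuous discovery."""
    return sorted(ep for ep in current if ep not in previous)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LOG)
    report = classify(inventory, DOCUMENTED)
    print("observed:", dict(inventory))
    print("shadow:", report["shadow"])
    print("sensitive shadow:", flag_sensitive(report["shadow"]))
    print("outdated still receiving traffic:", report["outdated"])
    print("new since last run:", new_since(Counter(), inventory))
```

Run on the constructed log, the script reports two shadow endpoints (an internal debug route and an undocumented card-number route, the latter flagged as sensitive) and one deprecated v1 endpoint that still receives traffic. In practice the observed inventory would be persisted between runs so that `new_since` reports only what changed, which is what turns a one-off audit into continuous discovery.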
“Once we began to deploy Traceable AI, we saw significantly more data compared to the kinds of information we were previously surfacing in triage,” the manager reported, “Traceable AI provides clear priorities in terms of what to focus on and that helps us detect and respond to issues, as well as validate defects much faster. We can now measure our triage time within a 24-hour cycle and, in some cases, within an eight-hour cycle instead of taking over 4 weeks.”
Shift Left API Security is Now Possible with Traceable
By uncovering issues and defects faster, and with detailed information on the source of the problem, the payment platform’s development team can now produce fixes much faster. The Senior Manager noted, “Our product engineers have their own sprints and development cycles, and it was hard for our security team to keep up with them in the past. Now that we can provide our engineers with useful data about defects much faster, we’re seeing them resolved within a two-week sprint cycle compared to taking a whole quarter or longer. It’s helping us be more effective as a product security team and, ultimately, to produce a better product.”
Common framework for security and DevOps collaboration
With greater observability and rich data on the behavior of this platform’s APIs, the Senior Manager and her team are able to work more closely and collaboratively with the company’s DevOps teams. Using Traceable as a single pane of glass, the two groups now have a common view of the APIs serving as a reference point for evaluating abuse or misuse scenarios, exploring use cases that specifically apply to security, and brainstorming ideas for validating threat models. Traceable enables the company to release more secure products while supporting more effective security and developer teams.
She noted, “The feedback loop between application security and product engineering is much better now in terms of helping our engineers understand how certain changes in our APIs improve our security posture. In the modern world, security teams can’t be expected to constantly educate—the human resource burden is too great. Traceable AI enhances our capacity to frame discussions about security implications with our engineers.”
She concluded, “We have found that it’s not only the accuracy of detecting API issues and threats, but also the ability for everyone to be more cognitively aware of how API behavior relates to our security posture that has made Traceable AI truly invaluable.”
For more information on Traceable AI and our solutions, please visit traceable.ai.