Track Sensitive Data Flows
People want end-to-end data tracing so they can see which APIs handle which data, and where more data is flowing than should be. For example, if there is a date of birth, a credit card number, or some other PII, how does it flow through the different microservices and APIs, and should those APIs be exposing that PII at all? Knowing which APIs touch which data is essential to understanding and managing an application's API security posture.
Company: The company uses ML to provide businesses with tools to target buyers in strategic ways
Sector: Media (Advertising & Marketing)
Role: Product Security Lead
The company's products are all about collecting and using insights from data, much of which needs to be protected. But the company was concerned that it did not have good visibility into how sensitive data was flowing through its internal systems and its external microservices and APIs. Its security teams wanted to know whenever any API responded with sensitive data that it shouldn't be exposing. The company was striving for minimal viable data (MVD): each API exposing only the sensitive data it actually needs.
The Traceable AI API Catalog capabilities are enabling the company to see which of its microservice APIs handle sensitive data, what type of sensitive data, and how that data flows across its application landscape. The features that enable this are:
API Discovery – catalogs all APIs in their application landscape, including which microservices are talking to which
API DNA – brings visibility into all endpoints and their parameters, including whether or not they are properly authenticated and whether they include sensitive data.
API Risk Monitoring – continuously evaluates all API endpoints and provides a risk score based on 30+ criteria, which can be used to identify APIs to avoid using, or which need higher-priority attention.
Sensitive data classification and filtering – auto-classifies sensitive data types and provides filtering for different sensitive data types throughout the user interface.
Full application context – Traceable provides full visibility into the flow of sensitive data through an application because it traces API communications across both North/South and East/West traffic. This means it also sees when internal systems hand data off to each other, not just when data crosses out to third-party services.
How Traceable AI helped
Sensitive data visibility and flow – Traceable API Discovery and API DNA provided an up-to-date dependency map of which microservices call which, together with a specification of every API in use, including whether or not it handles sensitive data. Combined, this information gave the company visibility into the flow of sensitive data across its application landscape.
Identify sensitive data at risk – Traceable API Risk Monitoring continuously calculates a risk score for every API endpoint, taking into account whether the API handles sensitive data and whether it is properly authenticated. Along with 30+ other criteria, this overall risk score helps the company quickly identify APIs where sensitive data might be at risk.
Catch mistakes with sensitive data early – Traceable's deep visibility into what sensitive data each API handles lets the security team quickly see when sensitive data is being handled by APIs that aren't supposed to handle it.
Security and Dev teams on the same page – Being able to visualize where the sensitive data is and how it is flowing makes issues more clear and tangible. This shared data helps development and security teams to collaborate on necessary fixes.
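The sensitive data classification and the "catch mistakes early" check described above can be illustrated with a small script. This is an added example, not Traceable's code or the company's: it assumes a simplified trace record (caller, callee service, endpoint, traffic direction, JSON response body), a per-endpoint allow-list policy stating which sensitive types each endpoint may return, and constructed sample traces with standard test card numbers. It classifies values found in response bodies, builds the service dependency map, and reports every endpoint that returns a sensitive type its policy does not permit.

```python
"""Flag API endpoints that return sensitive data they are not allowed to.

Added example (not Traceable's implementation). Trace shape, policy format
and sample traffic are all assumptions for illustration.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample traces (not real traffic). 4111111111111111 is a
# well-known Visa test number; 4111111111111112 fails the Luhn check.
TRACES = [
    {"caller": "web-frontend", "callee": "user-svc", "direction": "east-west",
     "endpoint": "GET /users/{id}",
     "response": '{"id": 42, "name": "Ada", "email": "ada@example.com", "dob": "1985-12-10"}'},
    {"caller": "user-svc", "callee": "billing-svc", "direction": "east-west",
     "endpoint": "GET /billing/{id}",
     "response": '{"card": "4111111111111111", "exp": "12/28"}'},
    {"caller": "user-svc", "callee": "partner-adtech", "direction": "north-south",
     "endpoint": "POST /segments",
     "response": '{"segment": "sports", "dob": "1985-12-10", "card": "4111111111111111"}'},
    {"caller": "web-frontend", "callee": "search-svc", "direction": "east-west",
     "endpoint": "GET /search",
     "response": '{"hits": ["a", "b"], "order_id": "4111111111111112"}'},
]

# Assumed policy: the sensitive types each endpoint is permitted to return.
# Anything an endpoint returns beyond this is a minimal-viable-data violation.
POLICY: Dict[str, Set[str]] = {
    "user-svc GET /users/{id}": {"email", "dob"},
    "billing-svc GET /billing/{id}": {"credit_card"},
    "partner-adtech POST /segments": set(),
    "search-svc GET /search": set(),
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
DOB_RE = re.compile(r"^(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check so that not every 13-19 digit id is reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return the sensitive type of a single scalar value, or None."""
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    if DOB_RE.match(value):
        return "dob"
    if CARD_RE.match(value) and luhn_ok(value):
        return "credit_card"
    return None


def classify_body(body: str) -> Set[str]:
    """Walk a JSON body (nested objects and arrays) and collect sensitive types."""
    found: Set[str] = set()

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        else:
            t = classify_value(node)
            if t:
                found.add(t)

    walk(json.loads(body))
    return found


def analyze(traces: List[dict], policy: Dict[str, Set[str]]):
    """Return (dependency map, sensitive types per endpoint, policy violations)."""
    deps: Dict[str, Set[str]] = defaultdict(set)
    endpoint_types: Dict[str, Set[str]] = defaultdict(set)
    violations = []
    for t in traces:
        key = f"{t['callee']} {t['endpoint']}"
        deps[t["caller"]].add(t["callee"])          # who calls whom
        types = classify_body(t["response"])
        endpoint_types[key] |= types
        unexpected = types - policy.get(key, set())  # returned but not allowed
        if unexpected:
            violations.append({"endpoint": key, "direction": t["direction"],
                               "unexpected": sorted(unexpected)})
    return dict(deps), dict(endpoint_types), violations


if __name__ == "__main__":
    deps, types, violations = analyze(TRACES, POLICY)
    for caller, callees in deps.items():
        print(f"{caller} -> {', '.join(sorted(callees))}")
    for v in violations:
        print(f"VIOLATION {v['endpoint']} ({v['direction']}): {v['unexpected']}")
```

On the sample traffic the only finding is the north-south call to partner-adtech, which returns a date of birth and a card number its policy does not allow; the search endpoint's 16-digit order id is not flagged because it fails the Luhn check. The same policy-versus-observed comparison works whether the trace came from internal east-west traffic or from a call that crosses out to a third party, which is the point of tracing both.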
Customer value in technical, business, and ROI/financial terms
Releasing more secure products – Traceable is helping the company catch improper use of its APIs, developer mistakes, and unintended exposure of sensitive data before they reach production, resulting in more secure products.
Save money on bug bounty payouts – Traceable enables the company's security team to find security issues, such as sensitive data leaks, before bug hunters do, saving on bug bounty payouts.
More effective security and developer teams – The security teams are not the experts on the APIs, and the development teams are not the experts on security. Visibility into which APIs have sensitive-data handling issues helps both teams understand what needs to be fixed, and acts as a forcing function for getting the APIs secured. Both teams are empowered with the same data.