Traceable API Security Platform Updates – May 2024

This past month's releases include a major update for organizations tracking the compliance posture of their APIs: Traceable Compliance Policies and Issues. We have also released span filters for fine-grained targeting of API security tests, an update to our Cloudflare WAF integration, and new detection logic for credential stuffing attacks.

Compliance Policies & Issues Dashboard

Maintaining an accurate and up-to-date API inventory and strong security controls around APIs are key requirements of many organizations' security and compliance programs. Many organizations maintain and enforce their own organization-specific security policies in addition to tracking compliance against industry or data-specific regulatory frameworks such as PCI-DSS. Traceable's new Compliance Policies make it easier than ever to maintain and monitor the compliance posture of your APIs against specific requirements. With Compliance Policies you can:

  • Easily track and maintain compliance with your organization's security policies or specific regulatory frameworks like PCI-DSS
  • Create fine-grained custom policies for your organization's specific requirements
  • Continuously identify endpoints that violate your organization's policies, so you can act quickly to restore your compliance posture
  • Review and triage compliance-related issues alongside API security testing findings from a unified "Issues" dashboard
  • Start from policies seeded with recommendations from Traceable, based on what we see most commonly in our customers' environments. You will find these under the "Traceable Recommended Policies" section.


You can use Compliance Policies to identify violations apart from the standard vulnerabilities that Traceable already identifies. We have included Traceable-recommended Compliance Policies and PCI-DSS Compliance Policies out of the box. PCI-DSS applies to any organization processing payment card information. Our PCI-DSS policies automatically identify API endpoints that expose credit card data and have not been scanned for vulnerabilities in the last 30 days, lack encryption or authentication, or contain specific vulnerabilities.

You can also create fine-grained Custom Policies to support and monitor your organization's specific compliance requirements. Custom Policies can be configured to identify violations based on various attributes, such as the environment the API is present in, its vulnerability type, and sensitive data in requests and responses.
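To make the policy model concrete, here is an added example (not Traceable's code or schema) that evaluates PCI-style and custom policies of the kind described above over a small API inventory. The endpoint fields, the inventory records and the policy definitions are constructed for illustration; the four PCI rules mirror the four conditions named in the text (stale scan, no encryption, no authentication, a specific vulnerability class on a card-data endpoint), and the custom rule combines environment, sensitive data type and vulnerability type.

```python
"""Added example, not Traceable's code: evaluating compliance policies over an
API inventory. Endpoint fields, inventory records and policy definitions are
constructed for illustration and are not Traceable's schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, FrozenSet, Iterable, List, Optional

TODAY = date(2024, 5, 31)  # fixed evaluation date so the example is reproducible


@dataclass(frozen=True)
class Endpoint:
    path: str
    environment: str                  # e.g. "prod", "staging"
    https: bool                       # encryption in transit
    authenticated: bool               # requires credentials
    last_scanned: Optional[date]      # last API security test run; None = never
    sensitive_data: FrozenSet[str] = frozenset()   # data types observed in requests/responses
    vulnerabilities: FrozenSet[str] = frozenset()  # open findings by type


@dataclass(frozen=True)
class Policy:
    name: str
    source: str                       # "PCI-DSS", "Traceable Recommended" or "Custom"
    violates: Callable[[Endpoint], bool]


def handles_card_data(ep: Endpoint) -> bool:
    return "credit_card" in ep.sensitive_data


def scanned_within(ep: Endpoint, days: int) -> bool:
    return ep.last_scanned is not None and ep.last_scanned >= TODAY - timedelta(days=days)


# PCI-style rules: stale scan, no encryption, no authentication, or an injection
# finding on any endpoint that handles card data.
PCI_POLICIES = [
    Policy("Card-data endpoint not scanned in 30 days", "PCI-DSS",
           lambda ep: handles_card_data(ep) and not scanned_within(ep, 30)),
    Policy("Card-data endpoint without encryption in transit", "PCI-DSS",
           lambda ep: handles_card_data(ep) and not ep.https),
    Policy("Card-data endpoint without authentication", "PCI-DSS",
           lambda ep: handles_card_data(ep) and not ep.authenticated),
    Policy("Card-data endpoint with injection finding", "PCI-DSS",
           lambda ep: handles_card_data(ep) and bool(ep.vulnerabilities & {"sqli", "nosqli"})),
]

# A custom policy combining environment, sensitive data type and vulnerability type.
CUSTOM_POLICIES = [
    Policy("Production endpoint returning PII with open BOLA finding", "Custom",
           lambda ep: ep.environment == "prod"
           and "pii" in ep.sensitive_data
           and "bola" in ep.vulnerabilities),
]


def evaluate(endpoints: Iterable[Endpoint], policies: Iterable[Policy]) -> List[dict]:
    """One issue per (endpoint, violated policy); 'source' is what an Issues view filters on."""
    return [{"endpoint": ep.path, "policy": p.name, "source": p.source}
            for ep in endpoints for p in policies if p.violates(ep)]


# Constructed inventory: one compliant card endpoint, one legacy card endpoint with
# several problems, one PII endpoint with a BOLA finding, one unauthenticated health check.
INVENTORY = [
    Endpoint("POST /v1/payments", "prod", True, True, date(2024, 5, 20), frozenset({"credit_card"})),
    Endpoint("POST /v1/legacy/charge", "prod", False, True, date(2024, 3, 1),
             frozenset({"credit_card"}), frozenset({"sqli"})),
    Endpoint("GET /v1/users/{id}", "prod", True, True, date(2024, 5, 25),
             frozenset({"pii"}), frozenset({"bola"})),
    Endpoint("GET /health", "prod", True, False, None),
]


def run_example() -> List[dict]:
    return evaluate(INVENTORY, PCI_POLICIES + CUSTOM_POLICIES)


if __name__ == "__main__":
    for issue in run_example():
        print(f'[{issue["source"]}] {issue["endpoint"]}: {issue["policy"]}')
```

Note that the health check produces no issue even though it is unauthenticated: the PCI rules are scoped to endpoints that actually carry card data, which is why the sensitive-data classification has to be trustworthy before a policy engine built on it is.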

Violations identified via Compliance Policies will be surfaced in the "Issues" dashboard (formerly Vulnerabilities), which also includes findings from API security testing. You can filter by Source and select Compliance to view and triage all compliance issues.


Fine-Grained Filters for Targeted API Security Testing

We have added new filters within API Security Testing to let you create and run targeted tests on a subset of API traffic. This lets you run fine-grained tests more quickly and efficiently. Filtering is now available as a configuration option within individual Test Suites, or in your Environment Configuration when replay is enabled. Filters can be configured to test only a subset of the traffic based on key-value pairs for attributes, request headers, and request cookies.


Enhancements to Credential Stuffing and Volumetric Attack Detection

Credential stuffing is an attack technique in which attackers take a list of credentials, usually obtained from a data breach or purchased on the dark web, and attempt to log in to an unrelated service. The technique works because many people still reuse the same usernames and passwords across services, allowing an attacker to take a stolen login from a compromised service and successfully log in to a victim service. These attacks typically leverage automation from bots to test a large volume of credentials against the login flow. More sophisticated attackers may "drip" login attempts over time and across many source addresses to evade bot detection.

Traceable has made enhancements to credential stuffing detection. These detections build behavioral baselines for login attempts per API endpoint involved in the signup/registration and login process. By monitoring behavior across successful and failed login attempts, and using a combination of request parameters, status codes, and volumetric thresholds, we identify and block credential stuffing attacks.


We have also made enhancements to volumetric attack detection. We detect spikes in API call counts out of the box by creating behavioral baselines for normal call volumes, so that unusual activity is detected as soon as it occurs.

In both detections the sources of traffic involved are grouped based on common characteristics like IP ASN and Organization, so that reliance on IP addresses alone is reduced: distributed volumetric attacks typically involve thousands of individual IP addresses, which can hide behind proxies, VPNs and similar infrastructure.
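The following added example (not Traceable's detection code) shows why grouping by ASN matters for the "drip" case described above. It parses one window of constructed login records, aggregates failures per (endpoint, ASN), compares the count to a per-endpoint behavioral baseline (mean plus three standard deviations of historical failures per window, with a floor), and only alerts when the failures are also spread across many distinct usernames, which separates a list-driven attack from one user fumbling a password. The log format, the ASNs (from the documentation range), the baseline figures and all thresholds are assumptions.

```python
"""Added example, not Traceable's detection code: a simplified credential-stuffing
detector that groups login failures by source ASN rather than by IP, so a "drip"
attack spread over many IPs still exceeds a per-endpoint behavioral baseline.
Log format, thresholds, ASNs and baseline figures are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    asn: str        # autonomous system of the source IP (AS64496-AS64511 are reserved for documentation)
    endpoint: str
    user: str
    status: int     # 200 = success, 401 = bad credentials


def parse(lines: Iterable[str]) -> List[LoginEvent]:
    """Parse constructed records: '<iso-timestamp> <ip> <asn> <endpoint> <user> <status>'."""
    out = []
    for line in lines:
        ts, ip, asn, endpoint, user, status = line.split()
        out.append(LoginEvent(datetime.fromisoformat(ts), ip, asn, endpoint, user, int(status)))
    return out


def baseline_threshold(failures_per_window: List[int], k: float = 3.0, floor: int = 10) -> float:
    """Historical failures per window -> anomaly threshold (mean + k*stddev, never below floor).
    The same calculation over total call counts gives a volumetric-spike threshold."""
    return max(floor, mean(failures_per_window) + k * pstdev(failures_per_window))


def detect_credential_stuffing(events: Iterable[LoginEvent],
                               baselines: Dict[str, List[int]],
                               min_user_spread: float = 0.8) -> List[dict]:
    """Aggregate one time window by (endpoint, ASN); alert when failures exceed the
    endpoint's baseline AND are spread over many distinct usernames."""
    groups = defaultdict(lambda: {"failures": 0, "users": set(), "per_ip": Counter()})
    for ev in events:
        g = groups[(ev.endpoint, ev.asn)]
        g["per_ip"][ev.src_ip] += 1
        if ev.status == 401:
            g["failures"] += 1
            g["users"].add(ev.user)
    alerts = []
    for (endpoint, asn), g in groups.items():
        if g["failures"] <= baseline_threshold(baselines.get(endpoint, [0])):
            continue
        if len(g["users"]) / g["failures"] < min_user_spread:
            continue  # few usernames, many failures: brute force or a locked-out user, not stuffing
        alerts.append({
            "endpoint": endpoint, "asn": asn,
            "failures": g["failures"], "distinct_users": len(g["users"]),
            "distinct_ips": len(g["per_ip"]), "max_attempts_per_ip": max(g["per_ip"].values()),
        })
    return alerts


# Constructed: historical 401 counts per 5-minute window on the login endpoint.
BASELINE_FAILURES = {"/api/login": [3, 4, 2, 5, 3, 4, 6, 3, 2, 4]}


def constructed_window() -> List[str]:
    """One 5-minute window: a few legitimate logins plus a drip-style stuffing run."""
    base = datetime(2024, 5, 14, 10, 0, 0)
    lines = []
    legit = [("203.0.113.5", "AS64500", "alice", 200),
             ("198.51.100.7", "AS64501", "bob", 401),   # one typo, then success
             ("198.51.100.7", "AS64501", "bob", 200),
             ("203.0.113.9", "AS64500", "carol", 200)]
    for i, (ip, asn, user, status) in enumerate(legit):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} {ip} {asn} /api/login {user} {status}")
    # 30 hosting-provider IPs, only 2 attempts each, every username different: under any
    # reasonable per-IP rate limit, yet 60 failures from one ASN inside the window.
    for i in range(30):
        for j in range(2):
            ts = base + timedelta(seconds=8 * i + 3 * j)
            lines.append(f"{ts.isoformat()} 192.0.2.{i + 1} AS64496 /api/login u{2 * i + j:03d}@example.com 401")
    return lines


def run_example() -> List[dict]:
    return detect_credential_stuffing(parse(constructed_window()), BASELINE_FAILURES)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On this data a per-IP rule would see at most two attempts from any address and stay silent; the ASN-level aggregate reports 60 failures across 60 usernames from 30 addresses, well above the baseline of 10, while bob's single typo from a different ASN produces nothing.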

Custom Signature Support for Cloudflare WAF Integration

We have updated our Cloudflare WAF integration to include support for custom signatures. Custom signatures that you create in Traceable can now be pushed to Cloudflare for out-of-band blocking via the Cloudflare WAF, in addition to the existing IP-based blocking.



About Traceable

Traceable is the industry's leading API Security company helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.
