Traceable API Security Platform Updates – May 2024

This past month’s releases include a major update for organizations tracking the compliance posture of their APIs: Traceable Compliance Policies and Issues. We’ve also launched span filters for fine-grained targeting of API security tests, an update to our Cloudflare WAF integration, and new detection logic for credential stuffing attacks.

Compliance Policies & Issues Dashboard

Maintaining an accurate and up-to-date API inventory, together with strong security controls around those APIs, is a key requirement of many organizations’ security and compliance programs. Many organizations maintain and enforce their own organization-specific security policies in addition to tracking compliance against industry or data-specific regulatory frameworks such as PCI-DSS. Traceable’s new Compliance Policies make it easier than ever to maintain and track the compliance posture of your APIs against specific requirements. With Compliance Policies you can:

  • Easily track and maintain compliance with your organization’s security policies or specific regulatory frameworks like PCI-DSS
  • Create fine-grained custom policies for your organization’s specific requirements
  • Continuously identify endpoints that violate your organization’s policies, so you can act quickly to repair your compliance posture
  • Review and triage compliance-related issues alongside API security testing findings from a unified “Issues” dashboard
  • Start from policies seeded with the recommendations Traceable sees most commonly in customer environments. You can find these under the “Traceable Recommended Policies” section.

You can use Compliance Policies to identify violations beyond the standard vulnerabilities that Traceable already detects. Traceable-recommended Compliance Policies and PCI-DSS Compliance Policies are included out of the box. PCI-DSS applies to any organization processing payment card information. Our PCI-DSS policies automatically identify API endpoints that expose credit card data and have not been scanned for vulnerabilities in the last 30 days, lack encryption or authentication, or carry specific vulnerabilities.

You can also create fine-grained Custom Policies to support and track your organization’s specific compliance requirements. Custom Policies can be configured to identify violations based on attributes such as the environment the API runs in, its vulnerability type, and sensitive data observed in requests and responses.

Violations identified via Compliance Policies are surfaced in the “Issues” dashboard (formerly Vulnerabilities), which also includes findings from API security testing. Filter by Source and select Compliance to view and triage all compliance issues.
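To make the policy logic above concrete, here is an added example written for this page (not Traceable’s implementation) that evaluates PCI-DSS-style and custom policies over a constructed API inventory. The inventory fields, the “exposes card data” check (a card-number pattern plus a Luhn check on a sampled response body), the fixed evaluation time and the policy names are all assumptions for illustration; the four PCI rules mirror the conditions described above, and the custom rule combines environment with vulnerability type as the text describes.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Fixed evaluation time so the example is deterministic (assumption, not a live clock).
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)

# 13-19 digit runs, optionally separated by spaces or dashes, bounded by word edges.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a card-number-shaped digit run that also passes Luhn."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class Endpoint:
    """One inventory record; the field set is an assumption for this example."""
    path: str
    environment: str
    tls: bool
    auth: bool
    last_scanned: Optional[datetime]
    sample_response: str
    open_vulns: List[str] = field(default_factory=list)


def exposes_card_data(ep: Endpoint) -> bool:
    return contains_pan(ep.sample_response)


def unscanned_30d(ep: Endpoint) -> bool:
    return ep.last_scanned is None or NOW - ep.last_scanned > timedelta(days=30)


Policy = Callable[[Endpoint], bool]

# PCI-style rules: each is "exposes card data AND a required control is missing".
PCI_POLICIES: Dict[str, Policy] = {
    "PCI: card data over plaintext": lambda ep: exposes_card_data(ep) and not ep.tls,
    "PCI: card data without authentication": lambda ep: exposes_card_data(ep) and not ep.auth,
    "PCI: card data endpoint not scanned in 30 days": lambda ep: exposes_card_data(ep) and unscanned_30d(ep),
    "PCI: card data endpoint with open injection finding":
        lambda ep: exposes_card_data(ep) and any(v.startswith("injection") for v in ep.open_vulns),
}

# A custom rule keyed on environment plus vulnerability type.
CUSTOM_POLICIES: Dict[str, Policy] = {
    "Custom: BOLA finding in production": lambda ep: ep.environment == "prod" and "bola" in ep.open_vulns,
}


def evaluate(inventory: List[Endpoint], policies: Dict[str, Policy]) -> Dict[str, List[str]]:
    """Return {policy name: [violating endpoint paths]}, omitting policies with no hits."""
    issues: Dict[str, List[str]] = {}
    for name, pred in policies.items():
        hits = [ep.path for ep in inventory if pred(ep)]
        if hits:
            issues[name] = hits
    return issues


# Constructed inventory; every value below is invented for the example.
INVENTORY = [
    Endpoint("/v1/payments", "prod", tls=True, auth=True, last_scanned=NOW - timedelta(days=45),
             sample_response='{"card": "4111 1111 1111 1111", "status": "ok"}'),
    Endpoint("/v1/export", "prod", tls=False, auth=False, last_scanned=NOW - timedelta(days=2),
             sample_response='{"pan": "4242424242424242"}', open_vulns=["injection:sql"]),
    # 16 digits that fail Luhn: an order id, not a PAN, so no PCI rule should fire here.
    Endpoint("/v1/orders", "prod", tls=True, auth=True, last_scanned=NOW - timedelta(days=60),
             sample_response='{"order_id": "1234567890123456"}', open_vulns=["bola"]),
    Endpoint("/v1/orders", "staging", tls=True, auth=True, last_scanned=None,
             sample_response='{"order_id": "1234567890123456"}', open_vulns=["bola"]),
]

if __name__ == "__main__":
    for name, paths in evaluate(INVENTORY, {**PCI_POLICIES, **CUSTOM_POLICIES}).items():
        print(f"{name}: {', '.join(paths)}")
```

The Luhn step is what keeps the card-data rules quiet on the order endpoints: a 16-digit order id matches the digit pattern but fails the mod-10 check. In a real deployment the sampled response body would come from observed traffic rather than a literal, and the staging copy of `/v1/orders` shows the environment attribute scoping the custom rule to production only.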

Traceable Issues dashboard

Fine-Grained Filters for Targeted API Security Testing

We have added new filters within API Security Testing that let you create and run targeted tests against a subset of API traffic, so fine-grained tests run more quickly and efficiently. Filtering is available as a configuration option within individual Test Suites, or in your Environment Configuration when replay is enabled. Filters select the traffic to test by key-value matches on span attributes, request headers, and request cookies.

Enhancements to Credential Stuffing and Volumetric Attack Detection

Credential stuffing is an attack technique in which attackers take a list of credentials, usually obtained from a data breach or purchased on the dark web, and attempt to log in to an unrelated service. It succeeds because many people still reuse the same usernames and passwords across services, so a login stolen from one compromised service also works against the victim service. These attacks typically rely on bot automation to test a large volume of credentials against the login flow. More sophisticated attackers “drip” login attempts over time to stay under bot-detection thresholds.

Traceable has enhanced its credential stuffing detections. These detections build behavioral baselines of login attempts for each API endpoint involved in the signup/registration and login process. By tracking behavior across successful and failed login attempts, and combining request parameters, status codes, and volumetric thresholds, we identify and block credential stuffing attacks.

We have also improved volumetric attack detection. Spikes in API call counts are detected out of the box by establishing behavioral baselines for normal call volumes per endpoint, so that unusual activity is flagged as soon as it deviates from the baseline.

In both detections, the traffic sources involved are grouped by shared characteristics such as IP ASN and Organization, reducing reliance on individual IP addresses: distributed volumetric attacks often involve thousands of individual IPs hidden behind proxies, VPNs, and similar infrastructure, so no single address carries enough volume to stand out on its own.
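The following added example (not Traceable’s detection code) runs the ingredients listed above over constructed login records: a per-endpoint behavioral baseline of failed logins per minute, a volumetric threshold derived from it, and grouping of sources by ASN rather than individual IP. The record layout, the documentation-reserved ASNs 64496 and 64500, the TEST-NET source addresses and every threshold are assumptions for illustration. It shows a low-and-slow “drip” that stays under the volumetric threshold yet is caught by ASN grouping, and a burst from the same ASN that trips the volumetric check.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

# Record layout is an assumption: (minute, src_ip, asn, endpoint, username, http_status).
Record = Tuple[int, str, int, str, str, int]
LOGIN = "/login"


def make_baseline(minutes: int = 30) -> List[Record]:
    """Constructed quiet period: ten real users log in each minute; three mistype once (401)."""
    recs = []
    for m in range(minutes):
        for i in range(10):
            recs.append((m, f"198.51.100.{i}", 64496, LOGIN, f"user{i}", 200))
        for i in range(3):
            recs.append((m, f"198.51.100.{i}", 64496, LOGIN, f"user{i}", 401))
    return recs


def make_drip(start: int = 30, minutes: int = 30, per_minute: int = 2) -> List[Record]:
    """Constructed low-and-slow stuffing: two attempts a minute, each from a fresh IP in one
    ASN, each trying a different leaked username; a rare reused password succeeds (200)."""
    recs, n = [], 0
    for m in range(start, start + minutes):
        for _ in range(per_minute):
            status = 200 if n % 29 == 0 else 401
            recs.append((m, f"203.0.113.{n}", 64500, LOGIN, f"leaked{n}", status))
            n += 1
    return recs


def make_burst(minute: int = 60, count: int = 40) -> List[Record]:
    """Constructed burst: the same ASN opens the throttle, forty failures in one minute."""
    return [(minute, f"203.0.113.{100 + i}", 64500, LOGIN, f"leaked{100 + i}", 401) for i in range(count)]


def failed_per_minute(records: List[Record], endpoint: str) -> Counter:
    c: Counter = Counter()
    for m, _ip, _asn, ep, _user, status in records:
        if ep == endpoint and status == 401:
            c[m] += 1
    return c


def baseline_stats(records: List[Record], endpoint: str) -> Tuple[float, float]:
    """Mean and population std-dev of failed logins per minute over the training window."""
    counts = failed_per_minute(records, endpoint)
    series = [counts[m] for m in range(min(counts), max(counts) + 1)]
    return mean(series), pstdev(series)


def volumetric_spike(records, endpoint, mu, sigma, k=3.0, floor=10) -> List[int]:
    """Minutes whose failure count exceeds mu + k*sigma. The absolute floor stops a
    near-zero-variance baseline from turning a fourth typo into an alert."""
    threshold = max(mu + k * sigma, floor)
    return sorted(m for m, n in failed_per_minute(records, endpoint).items() if n > threshold)


def stuffing_groups(records, endpoint, min_ips=5, min_users=20, min_fail_ratio=0.8):
    """Group sources by ASN instead of single IP and flag groups that look like a credential
    list being replayed: many IPs, many distinct usernames, mostly failures."""
    by_asn = defaultdict(lambda: {"ips": set(), "users": set(), "fail": 0, "total": 0})
    for _m, ip, asn, ep, user, status in records:
        if ep != endpoint:
            continue
        g = by_asn[asn]
        g["ips"].add(ip)
        g["users"].add(user)
        g["total"] += 1
        if status == 401:
            g["fail"] += 1
    flagged = []
    for asn, g in by_asn.items():
        ratio = g["fail"] / g["total"]
        if len(g["ips"]) >= min_ips and len(g["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append((asn, len(g["ips"]), len(g["users"]), round(ratio, 2)))
    return sorted(flagged)


def noisiest_ip(records: List[Record]) -> Tuple[str, int]:
    """The single IP with the most failures: shows why per-IP counting misses distributed attacks."""
    c = Counter(ip for _m, ip, _asn, _ep, _user, status in records if status == 401)
    return c.most_common(1)[0]


BASELINE, DRIP, BURST = make_baseline(), make_drip(), make_burst()

if __name__ == "__main__":
    mu, sigma = baseline_stats(BASELINE, LOGIN)
    print("baseline failed/min:", mu, sigma)
    print("spike minutes (drip only):", volumetric_spike(BASELINE + DRIP, LOGIN, mu, sigma))
    print("spike minutes (with burst):", volumetric_spike(BASELINE + DRIP + BURST, LOGIN, mu, sigma))
    print("ASN groups flagged (drip only):", stuffing_groups(BASELINE + DRIP, LOGIN))
    print("noisiest single IP:", noisiest_ip(BASELINE + DRIP + BURST))
```

Two things are worth noticing in the output. The drip phase never exceeds two failures a minute, so the volumetric check is silent until the burst at minute 60, yet the ASN grouping flags it on its own because sixty distinct IPs trying sixty distinct usernames with a 95% failure rate does not look like real users. And the noisiest single IP in the combined log is a legitimate user who mistypes a password every minute, not an attacker; a per-IP threshold would both miss the distributed replay and risk blocking that user, which is exactly why grouping by ASN or organization matters.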

Custom Signature Support for Cloudflare WAF Integration

We have updated our Cloudflare WAF integration to support custom signatures. Custom signatures you create in Traceable can now be pushed to Cloudflare for out-of-band blocking via the Cloudflare WAF, in addition to the existing IP-based blocking.

About Traceable

Traceable is the industry’s leading API Security company, helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security: API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection wherever your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.

The post Traceable API Security Platform Updates – May 2024 appeared first on Traceable API Security.