Traceable API Security Platform Updates – January 2024

Traceable began the new year right with product updates that bring more customization, control, and automation to your API testing program, power deeper investigation, and support new integrations with your security ecosystem.

Here are the details on what's new:

Automate and tailor your API security testing with Suites

Traceable's new API Security Testing Suites let you scale your API security testing program with fine-grained controls and automation. With Suites, you have full control over the what, where, and when of API testing. You can create a Suite using Traceable's predefined policies or a custom policy for your organization's specific requirements, select which specific APIs or API groups you want to test, and schedule the scan to run on a recurring basis.

In addition to your custom testing requirements, you can use Suites to power testing programs that align with specific compliance and security frameworks such as HIPAA and PCI-DSS. Three key enhancements make it easy to operationalize your compliance-related testing with Suites:

  • Predefined policies on scans designed for common compliance requirements.
  • Configurable evaluation criteria that let you further tailor your scan results to the findings that matter most to you. You can select predefined evaluation criteria that align with compliance frameworks including HIPAA and PCI-DSS, or create custom criteria.
  • A new dashboard for analyzing scan results, tailored to your application context. You can use these dashboards to track results against specific compliance and security frameworks (pictured below).

Traceable customers can access the new functionality by navigating to Testing > Suites.

We made several more enhancements that deepen and extend our API security testing capabilities:

  • Policy enhancements include safe/unsafe scans, adjustable scans, and a broader set of attack vectors
  • DAST now supports more diverse schema types, including OpenAPI specs and Postman collections
  • API reachability analysis shows reachability status for all APIs in a Suite, and provides remediation suggestions for detected issues


Power deeper threat hunting and investigation with enhanced analytics

We've added several new fields within analytics to deliver new ways to analyze trace and span data. The new fields now available are:

  • Query params
  • Path params
  • Request method
  • Endpoint Type
  • API Threat Class
  • Data Set IDs
  • API Auth Types
  • Is Endpoint Authenticated
  • Is Endpoint Encrypted

You can use these fields to power new threat hunting and investigation use cases, and answer new questions such as:

  • Where am I seeing GET requests on unauthenticated endpoints?
  • Am I seeing any unusual activity on my high-risk endpoints?
  • Am I seeing any unusual activity on my unencrypted API endpoints?
  • Am I seeing specific threats like BOLA, BFLA, or scope manipulation on unauthenticated endpoints?
  • Has there been increased traffic from specific poorly reputed IP organizations on APIs that also return SSNs, credit card information, and other PCI/PII data?
  • What is the breakdown of traffic seen from residential proxies or bots on POST and PATCH APIs versus GET and PUT APIs?
  • Has there been a sudden increase in volumetric and injection-based attacks on login and payment APIs with high API risk that are unauthenticated?
  • Are most remote code execution and mass assignment attacks targeting specific query parameters in URLs of booking APIs that are not encrypted?
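The questions above are, in practice, filters and group-bys over span records that carry the new fields. The block below is an added illustration, not Traceable code: it runs three of those questions over a constructed list of spans whose field names (`method`, `authenticated`, `encrypted`, `threat`, `query_params`, `src_org`) are assumptions modelled on the field list in this post, not the platform's actual schema.

```python
from collections import Counter

# Constructed sample spans (not real traffic); each record mirrors the new
# analytics fields: request method, auth/encryption status, detected threat,
# query params, and the reputation category of the source organization.
SPANS = [
    {"path": "/api/login", "method": "POST", "authenticated": False,
     "encrypted": True, "threat": "injection", "query_params": {},
     "src_org": "residential-proxy"},
    {"path": "/api/booking", "method": "GET", "authenticated": False,
     "encrypted": False, "threat": None, "query_params": {"id": "42"},
     "src_org": "ISP-A"},
    {"path": "/api/booking", "method": "GET", "authenticated": False,
     "encrypted": False, "threat": "mass_assignment",
     "query_params": {"id": "43", "role": "admin"}, "src_org": "ISP-A"},
    {"path": "/api/payment", "method": "POST", "authenticated": True,
     "encrypted": True, "threat": "BOLA", "query_params": {},
     "src_org": "residential-proxy"},
    {"path": "/api/profile", "method": "GET", "authenticated": True,
     "encrypted": True, "threat": None, "query_params": {},
     "src_org": "ISP-B"},
]


def unauthenticated_gets(spans):
    """Where am I seeing GET requests on unauthenticated endpoints?"""
    return sorted({s["path"] for s in spans
                   if s["method"] == "GET" and not s["authenticated"]})


def method_breakdown_from(spans, src_org):
    """Traffic from one source category, split into POST/PATCH vs GET/PUT."""
    counts = Counter()
    for s in spans:
        if s["src_org"] != src_org:
            continue
        group = "POST/PATCH" if s["method"] in {"POST", "PATCH"} else "GET/PUT"
        counts[group] += 1
    return dict(counts)


def attacked_params_on_unencrypted(spans, kinds=("rce", "mass_assignment")):
    """Which query params do RCE / mass assignment hits target on unencrypted endpoints?"""
    counts = Counter()
    for s in spans:
        if s["threat"] in kinds and not s["encrypted"]:
            for param in s["query_params"]:
                counts[(s["path"], param)] += 1
    return counts.most_common()
```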

Integrate Traceable with your GCP Cloud Armor WAF to extend protection

Traceable now integrates with Google's Cloud Armor WAF to support enforcement of custom blocking policies. When the integration is enabled, creating a policy in Traceable automatically creates the corresponding rules in GCP. The integration includes support for any custom policy rules and for threat actors, so you can enforce blocking in the WAF for threat actors identified by Traceable.

Send Traceable event logs to your SIEM in Syslog format

Traceable now supports event logs in Syslog format, allowing you to send Traceable event logs to any SIEM platform with Syslog support. This lets security operations teams bring Traceable event data into the tools they already use, and build SIEM playbooks for triage, investigation, and response to malicious or suspicious API events identified in Traceable. Syslog support is available now, and you can learn more about using the feature in our docs.

About Traceable

Traceable is the industry's leading API Security company, helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.
