Traceable API Security Platform Updates – August 2023

The Traceable AI team showed once again how radically customer-focused we are with a release chock full of customer-requested and customer-inspired enhancements. Here are some of the exciting additions that happened in August 2023.

Re-designed Vulnerabilities Dashboard

The Vulnerabilities Dashboard (part of the discovery and posture management capabilities) has been re-designed to better serve as the unified vulnerability management screen. It now lists vulnerabilities by vulnerability type, with filters and groupings so you can quickly focus on what you are looking for (e.g. all high-severity JWT vulnerabilities).

The new Vulnerabilities Dashboard also makes it quick to get to the evidence to understand exactly what led to an identification. You can now easily click through to the details within the dashboard, from the vulnerability to the API endpoint to the traces and spans in which the vulnerability was found.

Here’s a short video of it in action:

New/enhanced vulnerability detections in live traffic

Eleven detections that identify vulnerabilities in live traffic have been added or enhanced: Multiple API Versions, Excess Data Exposure, Error Based SQLi, Open Redirect, JWT Weak Algorithm, JWT Expiry and IssuedAt not set, Directory Listing, Enumerable Param, Missing CSP Security header, Java serialization objects, and Persistent Cookie contains Sensitive Data.

This means that Traceable is now always watching for these issues through all live traffic, including in production environments, and will flag them if they are seen.
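To make concrete what "watching live traffic" for a few of these detections involves, here is an added example that is not Traceable's code: a small Python scanner that walks constructed request/response records and flags three of the eleven categories (JWT Weak Algorithm, JWT Expiry/IssuedAt not set, Missing CSP Security header). The record layout, the sample tokens, and the choice to treat only `alg: none` as weak are assumptions made for this example; a product's list of weak algorithms and its header handling are broader.

```python
import base64
import json


def b64url_encode(obj):
    """Base64url-encode a JSON object without padding, the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    """Decode one JWT segment back to a JSON value, restoring the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_token(header, payload):
    # Constructed test token: the signature segment is a placeholder because these
    # checks inspect only the header and the claims, never the signature.
    return ".".join([b64url_encode(header), b64url_encode(payload), "sig"])


# Constructed sample traffic: one record per observed request/response pair (assumed layout).
SAMPLE_TRAFFIC = [
    {"endpoint": "GET /api/orders",
     "request_headers": {"Authorization": "Bearer " + make_token({"alg": "none", "typ": "JWT"}, {"sub": "u1"})},
     "response_headers": {"Content-Type": "application/json"}},
    {"endpoint": "GET /api/profile",
     "request_headers": {"Authorization": "Bearer " + make_token(
         {"alg": "RS256", "typ": "JWT"}, {"sub": "u2", "exp": 1700000000, "iat": 1699990000})},
     "response_headers": {"Content-Type": "text/html"}},
    {"endpoint": "GET /account",
     "request_headers": {"Authorization": "Bearer " + make_token(
         {"alg": "HS256", "typ": "JWT"}, {"sub": "u3", "exp": 1700000000})},
     "response_headers": {"Content-Type": "text/html; charset=utf-8",
                          "Content-Security-Policy": "default-src 'self'"}},
]

# Assumption for this example: only the unsigned "none" algorithm is treated as weak.
WEAK_ALGS = {"none"}


def check_jwt(token):
    """Return the JWT findings for one bearer token (empty list if none)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["Malformed JWT"]
    try:
        header, payload = b64url_decode(parts[0]), b64url_decode(parts[1])
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return ["Malformed JWT"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["Malformed JWT"]
    findings = []
    if str(header.get("alg", "")).lower() in WEAK_ALGS:
        findings.append(f"JWT Weak Algorithm ({header.get('alg')})")
    if "exp" not in payload:
        findings.append("JWT Expiry not set")
    if "iat" not in payload:
        findings.append("JWT IssuedAt not set")
    return findings


def scan_record(record):
    """Apply the request-side JWT checks and the response-side CSP check to one record."""
    req = {k.lower(): v for k, v in record["request_headers"].items()}   # header names are case-insensitive
    resp = {k.lower(): v for k, v in record["response_headers"].items()}
    findings = []
    auth = req.get("authorization", "")
    if auth.lower().startswith("bearer "):
        findings.extend(check_jwt(auth[len("Bearer "):].strip()))
    # CSP is only expected on HTML responses; an API returning JSON is not flagged.
    if resp.get("content-type", "").lower().startswith("text/html") and "content-security-policy" not in resp:
        findings.append("Missing CSP Security header")
    return findings


def scan_traffic(records):
    """Map each endpoint to the list of vulnerability findings observed for it."""
    return {r["endpoint"]: scan_record(r) for r in records}


if __name__ == "__main__":
    for endpoint, findings in scan_traffic(SAMPLE_TRAFFIC).items():
        print(endpoint, "->", findings or "clean")
```

Run as a script it prints one line per endpoint. The endpoint-to-findings map is the same shape the dashboard drills through: from a vulnerability type, to the endpoint, to the individual record it was seen in.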

Here’s a short video showing some of these additions:

New conformance analysis tests

Some new tests and outputs have been added to the conformance analysis results for a more complete picture of how well observed API traffic matches the documented specifications.

Authentication-type mismatches & content-type mismatches – Two new conformance tests have been added that check for mismatches between the specification and observed traffic in the “authentication type” and in the “request content type”. For example, this will flag if the specification says an API endpoint should be using JWT authentication, but it is observed to be using basic authentication instead.

Matched endpoints without issues – You can now view all endpoints that were checked and matched without any issues under the “Matched endpoints without issues” details panel. The results previously showed only problematic endpoints. Now you can validate if an endpoint in question was scanned and checked out clean.
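As an added illustration (not Traceable's implementation) of the two conformance tests above and of the "matched endpoints without issues" output, the following Python compares a constructed OpenAPI-style fragment against constructed observed requests. The spec shape follows OpenAPI's `securitySchemes` and `requestBody.content` conventions; the observed-request layout, the sample data, and the way an authentication type is inferred from the `Authorization` header are assumptions made for this example.

```python
# Constructed OpenAPI-style fragment (assumed subset of the real format).
SPEC = {
    "components": {"securitySchemes": {
        "jwtAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        "basicAuth": {"type": "http", "scheme": "basic"},
    }},
    "paths": {
        "/orders": {"post": {"security": [{"jwtAuth": []}],
                             "requestBody": {"content": {"application/json": {}}}}},
        "/legacy/report": {"post": {"security": [{"basicAuth": []}],
                                    "requestBody": {"content": {"application/x-www-form-urlencoded": {}}}}},
        "/health": {"get": {}},
    },
}

# Constructed observed traffic (assumed layout): method, path, and request headers.
OBSERVED = [
    {"method": "POST", "path": "/orders",
     "headers": {"Authorization": "Basic dXNlcjpwYXNz", "Content-Type": "application/json"}},
    {"method": "POST", "path": "/legacy/report",
     "headers": {"Authorization": "Basic dXNlcjpwYXNz", "Content-Type": "application/json"}},
    {"method": "GET", "path": "/health", "headers": {}},
    {"method": "DELETE", "path": "/orders", "headers": {"Authorization": "Bearer x.y.z"}},
]


def expected_auth(spec, operation):
    """Set of authentication types the spec allows for an operation ('none' if unauthenticated)."""
    schemes = spec["components"]["securitySchemes"]
    allowed = set()
    for requirement in operation.get("security", []):
        for name in requirement:
            scheme = schemes[name]
            # HTTP schemes are identified by their scheme word (bearer/basic); others by type (apiKey, oauth2).
            allowed.add(scheme["scheme"].lower() if scheme["type"] == "http" else scheme["type"])
    return allowed or {"none"}


def observed_auth(headers):
    """Infer the authentication type actually used from the Authorization header."""
    auth = headers.get("Authorization", "")
    return auth.split(" ", 1)[0].lower() if auth else "none"


def expected_content_types(operation):
    """Request content types the spec documents for an operation (empty if no body is documented)."""
    return set(operation.get("requestBody", {}).get("content", {}).keys())


def analyze(spec, observed):
    """Return (issues, clean): issues as (endpoint, message) pairs, clean as matched endpoints without issues."""
    issues, clean = [], []
    for req in observed:
        key = f"{req['method']} {req['path']}"
        operation = spec["paths"].get(req["path"], {}).get(req["method"].lower())
        if operation is None:
            issues.append((key, "operation not in spec"))
            continue
        found = []
        allowed = expected_auth(spec, operation)
        used = observed_auth(req["headers"])
        if used not in allowed:
            found.append(f"authentication type mismatch: spec {sorted(allowed)}, observed {used}")
        documented = expected_content_types(operation)
        # Strip parameters such as "; charset=utf-8" before comparing media types.
        used_ct = req["headers"].get("Content-Type", "").split(";")[0].strip().lower()
        if documented and used_ct not in documented:
            found.append(f"content type mismatch: spec {sorted(documented)}, observed {used_ct or 'none'}")
        if found:
            issues.extend((key, message) for message in found)
        else:
            clean.append(key)
    return issues, clean


if __name__ == "__main__":
    issues, clean = analyze(SPEC, OBSERVED)
    for endpoint, message in issues:
        print("ISSUE", endpoint, "-", message)
    print("Matched endpoints without issues:", clean)
```

The `clean` list is the part that was previously missing from a results view that listed only problems: it lets you confirm that an endpoint was actually checked and came back without findings, rather than being absent because it was never matched.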

Here’s a short video of these additions:

Schedule recurring conformance analysis runs

You can now create recurring schedules for when conformance analyses are run on your various applications and APIs. This enables auto-analysis at different frequencies for different applications and/or API sets, to meet different organizational requirements.

Here’s a short video of it in action:

Use AWS tags to identify data collection

AWS VPC mirroring data collection now supports identifying where data collection should occur by using AWS Tags. Tags can be specified as keys alone or as key/value pairs. This makes it much easier to specify mirroring sources.

AWS mirroring data collectors supported on ARM

AWS ARM-based instances provide better performance at a lower price. To help reduce infrastructure costs for customers who are mirroring high volumes of data, support has been added for AWS ARM-based instances to run Traceable data collectors.

About Traceable

Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.