The Inside Trace

Categories
Date Posted
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

tag

tag

ALBeast: a simple misconfiguration to a complete authentication bypass

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.
Traceable ASPEN
Security Research

December 19, 2024

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JSON Web Tokens (JWTs) offer stateless authentication in modern web applications, but improper implementation can expose critical vulnerabilities. This analysis explores attack vectors across JWT components, revealing how small oversights can lead to significant security breaches like privilege escalation and unauthorized access.
Traceable ASPEN

December 12, 2024

The Authorization Maze

The Authorization Maze

This article delves deep into the complexities of authorization in API security, exploring why implementing robust access controls is far more challenging than many engineers realize. Through real-world examples from companies like Airbnb and Uber, the author breaks down different types of authorization vulnerabilities (BOLA, BOPLA, BFLA) and explains the nuanced challenges of creating dynamic, context-aware access policies.
Security Research
API-Security

Help, I'm Being Attacked: Why WAFs & Gateways Won't Stop the Next API Attack

Help, I'm Being Attacked: Why WAFs & Gateways Won't Stop the Next API Attack

Many organizations mistakenly believe that Web Application Firewalls (WAFs) or API gateways provide sufficient protection against API attacks. While these tools offer useful traffic management and basic security features, they fall short when it comes to defending against more sophisticated API threats. WAFs are designed for web applications, not the complex logic and workflows of APIs, leaving them vulnerable to business logic and shadow API attacks. Similarly, API gateways, while helpful for managing API traffic and authentication, often miss critical vulnerabilities. Understanding the limitations of WAFs and gateways is the first step in strengthening your API security strategy.
Foundations
API-Security
App Security

October 24, 2024

Let’s Face It - Criminals are bypassing selfie verification in Know Your Customer processes

Let’s Face It - Criminals are bypassing selfie verification in Know Your Customer processes

Explore how criminals are exploiting selfie verification in Know Your Customer (KYC) processes for neobanks. Learn about the risks, current bypass techniques, and potential solutions for more secure digital identity verification in fintech.
API-Security
Generative AI

October 14, 2024

Why "Check-the-Box” Solutions Are Insufficient for API Security

Why "Check-the-Box” Solutions Are Insufficient for API Security

Why “Check-the-Box” Solutions Are Insufficient for API Security
Compliance
API-Security

September 27, 2024

December Software Release

December Software Release

December was an extremely busy month for Traceable as we worked with customers to protect their environments from the Log4Shell vulnerability.
Releases

February 15, 2022

How to Implement Zero Trust Security in your Applications: A Tutorial

How to Implement Zero Trust Security in your Applications: A Tutorial

Zero trust security is the best answer to modern security threats. Learn how to adopt a zero trust security model in your applications and how Traceable AI can help.
API-Security

July 1, 2022

How to Create Your First Next.js Serverless App

How to Create Your First Next.js Serverless App

This post will walk you through how to create a next js serverless app from scratch. You'll learn how to combine and use Next.js and MongoDB.
API-Security

June 23, 2022

API Breaches: What Should I Know and How Can I Prevent Them?

API Breaches: What Should I Know and How Can I Prevent Them?

It's difficult to implement all the best practices for every possible attack vector, especially since new vulnerabilities are always being discovered. That doesn't mean you shouldn't try.
API-Security

June 30, 2022

GraphQL Fragments: How to Simplify Your API Definitions

GraphQL Fragments: How to Simplify Your API Definitions

What are GraphQL Fragments? How can you take advantage if them to write cleaner code and more efficient applications? Find out here.
API-Security

May 11, 2022

How to Think About and Test API Latency

How to Think About and Test API Latency

In this post, we'll look at API latency including how you measure it, the difference between API response time and API latency, and more.
API-Security

April 15, 2022

Deploying Serverless Applications: The What and How

Deploying Serverless Applications: The What and How

In this article, we'll discuss the benefits of serverless architectures and go through some of the best practices for deploying serverless applications.
No items found.

April 15, 2022

How to Secure Microservices: The 6 Things You Can't Forget

How to Secure Microservices: The 6 Things You Can't Forget

Thinking about how to secure microservices? In this article you'll find 6 things you can't forget when it comes to microservices security.
API-Security

April 1, 2022

Monolithic vs. Microservices Architecture: Which Should I Use?

Monolithic vs. Microservices Architecture: Which Should I Use?

In this post we learn about monolithic vs microservices architectures and understand which to use and when.
No items found.

March 25, 2022

Serverless vs Containers: What's Right for Your Application?

Serverless vs Containers: What's Right for Your Application?

Serverless vs containers: Which one is right for your application? Learn more about these two main approaches to deploying applications.
API-Security

March 29, 2022

What is a CRUD API?

What is a CRUD API?

This post explains what a CRUD API is and how to apply it to different use cases to protect and interact with data in very specific ways.
API-Security

March 28, 2022

How to Mitigate DDoS Attacks on Your APIs

How to Mitigate DDoS Attacks on Your APIs

Learn what DDoS is and what it can do to your API endpoints, how to mitigate DDOS attacks, and build a security response.
API-Security

March 20, 2022

How to Filter Using GraphQL: A Simple Tutorial

How to Filter Using GraphQL: A Simple Tutorial

GraphQL offers a much more efficient, powerful alternative to REST
No items found.

March 18, 2022

5 Best Threat Hunting Tools for Your Security Team

5 Best Threat Hunting Tools for Your Security Team

We now have advanced tools that can make threat hunting easier and more accessible. In this post, learn about 5 threat hunting tools for API security.
API-Security

March 21, 2022

What Is Business Logic? The Inquisitive Reader's Guide

What Is Business Logic? The Inquisitive Reader's Guide

When you build application software and APIs, you'll often hear about "business logic." In this post you'll learn everything about it.
API Sprawl

March 16, 2022

A Beginner's Guide to API Governance

A Beginner's Guide to API Governance

API governance involves sticking to a set of principles when building an API. It's crucial since apps, organizations, and data sources will use the API.
API-Security

March 7, 2022

How Can I Achieve API Compliance?

How Can I Achieve API Compliance?

The world of API compliance is more important than ever today. In this post, dig deeper into API compliance and its importance.
API-Security

March 14, 2022

4 API Security Best Practices

4 API Security Best Practices

API security is a fundamental part of web applications. It is a great tool to help protect your apps, your business, and your users.
API-Security

March 13, 2022

How to Design Delightful API Architectures

How to Design Delightful API Architectures

delightful-api-architectures
API-Security

March 8, 2022

Sensitive Data Exposure: Why It Hurts

Sensitive Data Exposure: Why It Hurts

It’s very important that we think about how not to expose sensitive data, and that’s what this article is about: Sensitive Data Exposure.
API-Security

March 7, 2022

3 API Vulnerabilities to Look Out For

3 API Vulnerabilities to Look Out For

Every week, new API vulnerabilities are open to attackers. API security is essential, especially for those who depend on them.
API-Security

March 2, 2022

What Is API Ownership and How Can It Help Your Team?

What Is API Ownership and How Can It Help Your Team?

A guide about API ownership for leadership, senior engineers, security experts, and product managers to make/work better together.
API-Security

March 6, 2022

Microservice Security Principles and Best Practices

Microservice Security Principles and Best Practices

In this post, you'll learn about the most important microservices security principles and some best practices.
API-Security

March 2, 2022

Web API Security: Rule-Based and Signature-Based Only Security Isn’t Good Enough

Web API Security: Rule-Based and Signature-Based Only Security Isn’t Good Enough

Attackers have learned to defeat traditional ‘moat around the castle’ perimeter defenses. Modern application security tools offer the answer: distributed tracing and AI that understands the app they protect.
API-Security
App Security

May 12, 2021

Traceable Defense AI M8 Released

Traceable Defense AI M8 Released

Easier deployment process, extended agent support, extended API Intelligence, easier to find problems, protection additions, improved UX around threat hunting, ability to isolate per environment
Releases

April 11, 2021

Report Recap: A Glimpse into NTT's 2023 Global Threat Intelligence Report

Report Recap: A Glimpse into NTT's 2023 Global Threat Intelligence Report

Explore crucial findings from the NTT Global Threat Intelligence Report 2023, highlighting pivotal cybersecurity insights, strategies, and impacts. Navigate through the complex digital threat landscape, understanding key sectors under attack and safeguarding strategies against persistent cyber threats.
News

October 10, 2023

Navigating the Nebulous: State of API Security Reveals Recommendations for Secure API Ecosystems

Navigating the Nebulous: State of API Security Reveals Recommendations for Secure API Ecosystems

Despite their pivotal role in our digital ecosystems, our recent State of API Security report revealed startling findings about the unknown risks associated with APIs and the gaps in organizational preparedness.
State of API Security

September 17, 2023

Traceable Named a Winner of the Prestigious SINET16 Innovator Award

Traceable Named a Winner of the Prestigious SINET16 Innovator Award

We are thrilled to share that Traceable has been recognized as one of the top innovators in the cybersecurity industry by SINET, securing a spot in the esteemed SINET16 Innovator Award. This accolade is not just a testament to our commitment to excellence but also a reflection of our relentless pursuit of innovation in the cybersecurity domain.
Company
News

September 8, 2023

Manage your external attack surface with new Traceable Sonar

Manage your external attack surface with new Traceable Sonar

Traceable Sonar efficiently identifies and catalogs these assets, granting security teams a panoramic view of their external attack surface. But it doesn't stop at discovery. Sonar delves deep into these assets, pinpointing vulnerabilities an attacker might exploit. By mirroring the probing techniques attackers use, Traceable Sonar equips organizations with critical insights into potential security loopholes.
API-Security
Releases

August 25, 2023

Traceable API Security Platform Updates - July 2023

Traceable API Security Platform Updates - July 2023

The Traceable AI team has been busy adding new capabilities and enhancing existing ones to better meet your API Security needs. Here is a sampling of some of the additions in July 2023.
Releases

August 17, 2023

Unveiling the 2023 State of API Security: A Panoramic Industry View

Unveiling the 2023 State of API Security: A Panoramic Industry View

The 2023 State of API Security: A Global Study on the Reality of API Risk: This report is a labor of profound research and hard work, delving into intricate matters such as API-related data breaches, the growing concern of API sprawl, API ownership, and the risks of fraud and abuse, as well as the growing role of Zero Trust in API Security initiatives.
Company
Foundations
News

September 8, 2023

11 Reasons Your WAF Can’t Secure Your APIs

11 Reasons Your WAF Can’t Secure Your APIs

WAFs are designed to protect your web applications from web application attacks. But they leave you vulnerable to API attacks. This blog discusses the 11 things that WAFs don't do that are needed to properly protect APIs.
API-Security
App Security
Foundations
Technology

August 29, 2023

Introducing Traceable's Digital Fraud Prevention: A New Frontier in API Security

Introducing Traceable's Digital Fraud Prevention: A New Frontier in API Security

At Traceable, we continually push the boundaries of innovation. Today, we're thrilled to announce the latest development in our mission to provide robust security to businesses worldwide - the launch of our Digital Fraud Prevention capabilities.
News
Releases

August 2, 2023

Traceable Named a Leader in the 2023 GigaOm Radar for API Security, Again!

Traceable Named a Leader in the 2023 GigaOm Radar for API Security, Again!

Traceable has, once again, been named a leader in the GigaOm Radar for API Security! We are thrilled to be recognized for our unwavering commitment to innovation, providing the industry’s top-tier solution for API security.
API-Security
Company
News

August 14, 2023

Safeguarding Enterprise Software: Protecting Against Security Pitfalls of Generative AI and LLMs

Safeguarding Enterprise Software: Protecting Against Security Pitfalls of Generative AI and LLMs

In today's digital landscape, the transformative power of artificial intelligence (AI) cannot be overstated. Enterprises across various industries are already exploring ways to leverage AI to improve productivity and enhance customer experiences. One area that has witnessed significant advancements is the usage of Generative AI and Large Language Models (LLMs). However, as cybersecurity professionals, it is crucial to understand the potential security pitfalls associated with their implementation. In this blog, we explore how generative AI and LLMs can be utilized in enterprise software, and discuss effective strategies to guard against the inherent risks.
Generative AI

August 9, 2023

Unveiling the Future of APIs: Key Insights from Postman's 2023 State of the API Report

Unveiling the Future of APIs: Key Insights from Postman's 2023 State of the API Report

Explore key insights from Postman's 2023 State of the API Report in our latest blog post. We delve into the top API security risks, the improvement in API security incidents, sector-specific challenges, the threat of "zombie APIs," and the range of API security tools available. Join us as we navigate the future of API security, turning challenges into opportunities for innovation and growth.
API-Security
News

July 29, 2023

The 2023 Cost of a Data Breach Hits $4.45 Million: Inside IBM's Latest Report

The 2023 Cost of a Data Breach Hits $4.45 Million: Inside IBM's Latest Report

Explore key insights from IBM's "2023 Cost of a Data Breach Report" in our latest blog post. We delve into the escalating costs of data breaches, the importance of strategic security investments, and the role of AI and automation in mitigating these costs. Learn about the significance of secure software development practices, including API security, in enhancing your organization's cybersecurity posture.
API-Security
News

July 29, 2023

The Anatomy of an API Abuse Attack: A Hacker's Process Unveiled

The Anatomy of an API Abuse Attack: A Hacker's Process Unveiled

Unlock the secrets of API abuse attacks with our comprehensive blog post. Explore the anatomy of these cyber threats, from reconnaissance to data exfiltration, and delve into the extended threat landscape. Learn about advanced protective measures, industry standards, and regulations to fortify your API security. Enhance your understanding of API vulnerabilities and arm your organization with the knowledge to counteract malicious activities.
API-Security
Foundations

July 26, 2023

Key Takeaways from Forrester's 2023 State of Application Security Report

Key Takeaways from Forrester's 2023 State of Application Security Report

Explore the key insights from Forrester's State of Application Security report 2023 in our latest blog post. We delve into the complexities of application security, the rise of Software Composition Analysis (SCA), and the importance of API security in today's digital landscape. Learn about the Shift-Everywhere movement and how it's shaping the future of application security. This comprehensive analysis is a must-read for anyone looking to understand the current trends and challenges in application security.
API-Security
App Security

July 29, 2023

Customer Story: Fintech company reduces attack surface by 10x with Traceable's API Security Platform

Customer Story: Fintech company reduces attack surface by 10x with Traceable's API Security Platform

We recently sat down with one of our Fintech customers to discuss their API security journey. Providing digital investment and transaction services, this Fintech company needed to solve for its rapidly expanding attack surface.   In this blog, we’ll summarize their journey with Traceable, providing highlights about how they discovered and secured tens of thousands of APIs in a distributed ecosystem, eliminating manual methods in favor of automatic API cataloging and protection.
API-Security

July 29, 2023

OpenAI's Privacy Fine Stresses Importance of Data Security Amidst AI Advancements

OpenAI's Privacy Fine Stresses Importance of Data Security Amidst AI Advancements

As we venture further into the age of artificial intelligence, the phrase "you can't put the genie back in the bottle" takes on profound significance. It describes a phenomenon that has become all too familiar with generative AI — once these systems learn and generate based on specific data sets, it's almost impossible to unlearn or retrieve that information. This means that if personal or sensitive data is accidentally fed into these systems, the potential for misuse or exposure becomes a looming threat that is virtually impossible to mitigate after the fact.
Generative AI

July 7, 2023

A Deep Dive Into API Security: Unpacking Traceable's Definitive API Security Guide

A Deep Dive Into API Security: Unpacking Traceable's Definitive API Security Guide

API-Security
Foundations

July 1, 2023

Data Loss Prevention in an API-Driven World

Data Loss Prevention in an API-Driven World

Preventing data loss has become incredibly challenging in an API-driven world. Companies lockdown sensitive data internally with access controls, encryption, data classification and data loss prevention (DLP) platforms. They typically safeguard web applications with application security tooling or Web Application Firewalls (WAF). Cloud Security is often implemented with dedicated secure access service edge (SASE) architectures, including cloud access security brokers (CASBs).
API-Security
Foundations

July 1, 2023

Unpacking OWASP’s API9:2023: Improper Inventory Management

Unpacking OWASP’s API9:2023: Improper Inventory Management

Discover the rising significance of API inventory in the evolving landscape of cybersecurity, as highlighted by the recently updated OWASP API Top 10. Our comprehensive blog discusses the crucial role API inventory plays in securing your digital assets, especially against the backdrop of escalating industry standards and regulatory requirements.
API-Security
Foundations

June 13, 2023

40% of Organizations Do Not Have an API Security Solution - Here's What That Means

40% of Organizations Do Not Have an API Security Solution - Here's What That Means

At the 2023 RSA Conference, a survey conducted by Traceable brought some troubling facts to the surface about how organizations are handling their API security — a theme that has become ground zero in cybersecurity circles.
API-Security
News

July 1, 2023

5 Cybersecurity Leaders to Follow in 2023

5 Cybersecurity Leaders to Follow in 2023

These are five cybersecurity leaders you should follow in 2023. Their contributions to the field have revolutionized our understanding of cybersecurity and paved the way for the next generation of cyber professionals.
API-Security
News

July 1, 2023

Why APIs are a Gateway for Credential Stuffing Attacks

Why APIs are a Gateway for Credential Stuffing Attacks

This informative piece is a must-read for decision-makers in the cybersecurity industry looking to bolster their defenses against API abuse and credential stuffing attacks."
API-Security

June 30, 2023

Recent MOVEit Exploits: SQL Injection to Web Shell to Data Exfiltration

Recent MOVEit Exploits: SQL Injection to Web Shell to Data Exfiltration

In the last few weeks, the security community has been shaken by a series of exploits targeting MOVEit, a popular file transfer software. These incidents have exposed critical vulnerabilities, allowing threat actors to compromise sensitive data and exploit organizations ranging from the BBS to several arms of the US Government.
API-Security
App Security
Breach Analysis
News

June 26, 2023

The Imperative of API Ownership: A Nexus of Development and API Security

The Imperative of API Ownership: A Nexus of Development and API Security

This blog delves into the transformative impact of API ownership on cybersecurity, arguing that security markedly improves when there is a defined owner who understands the API, its use cases, and potential vulnerabilities, and is accountable for its secure operation. API ownership, while requiring some organizational reorientation, is an investment in future-proofing against security breaches and a crucial component of an effective cybersecurity strategy.
API-Security
Foundations

June 21, 2023

OWASP API Security Top 10 List 2023 Refresh

OWASP API Security Top 10 List 2023 Refresh

API-Security
Company
Foundations
News
Releases

June 8, 2023

Key Takeaways from the 2023 Verizon Data Breach Investigations Report

Key Takeaways from the 2023 Verizon Data Breach Investigations Report

Explore the major findings from the 2023 Verizon Data Breach Investigations Report in our latest blog post. We delve into the rise of social engineering attacks, the human element in breaches, the most affected sectors, and the significance of web application attacks in today's cybersecurity landscape.
API-Security
App Security
Breach Analysis
News

June 7, 2023

Operationalizing Zero Trust for APIs: Pioneering Robust Cybersecurity Frameworks for the Future

Operationalizing Zero Trust for APIs: Pioneering Robust Cybersecurity Frameworks for the Future

Discover the future of cybersecurity with Traceable AI's groundbreaking API Security Reference Architecture and ZTAA solution. Understand how these innovative tools operationalize Zero Trust for APIs, ensuring robust protection in an era marked by increasing data breaches. Stay at the forefront of cybersecurity evolution with the industry's pioneering solutions.
Company
Releases

June 6, 2023

Generative AI and API Security: Innovate Safely by Protecting Data Now

Generative AI and API Security: Innovate Safely by Protecting Data Now

ChatGPT and other generative AI tools will transform business as we know it. However, enterprise teams need to move now to protect their sensitive data from being exposed, as it traverses APIs to answer user queries.
API-Security
Generative AI

May 17, 2023

The Double-edged Sword of Generative AI: Productivity Gain and Cybersecurity Risk

The Double-edged Sword of Generative AI: Productivity Gain and Cybersecurity Risk

API-Security
Generative AI

June 6, 2023

Intelligent Rate Limiting for API Abuse Prevention

Intelligent Rate Limiting for API Abuse Prevention

Enter Intelligent Rate Limiting - a more nuanced approach to securing your APIs. By leveraging AI and machine learning technologies, Intelligent Rate Limiting goes beyond merely counting requests. It observes and learns from patterns, understanding normal and abnormal request behavior, thereby distinguishing between legitimate traffic and potential threats.
News
Releases

April 27, 2023

Wiz + Traceable - Comprehensive API Security from Code to Cloud

Wiz + Traceable - Comprehensive API Security from Code to Cloud

Company
News
Releases

April 26, 2023

Traceable Introduces World’s First Zero Trust API Access (ZTAA) Solution

Traceable Introduces World’s First Zero Trust API Access (ZTAA) Solution

API-Security
Company
News
Releases

April 25, 2023

The Telecom Industry: Why APIs Are Becoming their Worst Nightmare

The Telecom Industry: Why APIs Are Becoming their Worst Nightmare

API-Security
Breach Analysis

March 28, 2023

How a Fintech Company achieved Context-Aware API Security to detect and block threats

How a Fintech Company achieved Context-Aware API Security to detect and block threats

API-Security

April 6, 2023

‘Dr. Zero Trust’ Chase Cunningham Joins Traceable as an Advisor

‘Dr. Zero Trust’ Chase Cunningham Joins Traceable as an Advisor

API-Security
Company
News

March 30, 2023

Cybersecurity Roundup for February 2023: T-Mobile Fallout, ChatGPT abuse, and Shopify's Hardcoded API Tokens

Cybersecurity Roundup for February 2023: T-Mobile Fallout, ChatGPT abuse, and Shopify's Hardcoded API Tokens

API-Security
Breach Analysis

March 2, 2023

FFIEC Compliance: The API Security Reckoning for Financial Institutions

FFIEC Compliance: The API Security Reckoning for Financial Institutions

API-Security

February 20, 2023

Zero Trust Pioneer John Kindervag Joins Traceable as an Advisor

Zero Trust Pioneer John Kindervag Joins Traceable as an Advisor

Company
News

March 14, 2023

Sensitive Data Exfiltration: The New Nemesis of API Security

Sensitive Data Exfiltration: The New Nemesis of API Security

API-Security
Foundations

February 14, 2023

Traceable Wins 2023 Devies Award for Best Innovation in API Security

Traceable Wins 2023 Devies Award for Best Innovation in API Security

API-Security
News

February 14, 2023

Traceable API Security Platform Update: End of 2022

Traceable API Security Platform Update: End of 2022

API-Security
Company
News
Releases

February 7, 2023

OWASP API Security Top 10 2023 RC Published

OWASP API Security Top 10 2023 RC Published

API-Security
News

February 14, 2023

Top Webinars of 2022: The Most Popular Sessions and Where to Find Them

Top Webinars of 2022: The Most Popular Sessions and Where to Find Them

API-Security

January 27, 2023

Webinar Recap: FFIEC Compliance and What It Means for API Security

Webinar Recap: FFIEC Compliance and What It Means for API Security

API-Security
News

January 27, 2023

Traceable Wins 2022 TMCnet Zero Trust Security Excellence Award

Traceable Wins 2022 TMCnet Zero Trust Security Excellence Award

Company
News

January 30, 2023

Cybersecurity Roundup for January 2023: API Attacks Front and Center

Cybersecurity Roundup for January 2023: API Attacks Front and Center

API-Security
Breach Analysis
News

January 31, 2023

T-Mobile's API Data Breach: The API Security Reckoning is Here

T-Mobile's API Data Breach: The API Security Reckoning is Here

API-Security
Breach Analysis

January 22, 2023

Why the Pentagon Needs to Factor in API Security to Establish a True Zero Trust Strategy

Why the Pentagon Needs to Factor in API Security to Establish a True Zero Trust Strategy

API-Security

January 12, 2023

A Modern Approach to API Governance: Challenges and Recommendations

A Modern Approach to API Governance: Challenges and Recommendations

API-Security
Foundations

January 10, 2023

How API Abuse Became the Top Vector for Data Breaches

How API Abuse Became the Top Vector for Data Breaches

API-Security
Breach Analysis
Foundations

January 18, 2023

The CircleCI Data Breach: The TLDR

The CircleCI Data Breach: The TLDR

API-Security

January 9, 2023

Shadow APIs: The New Form of Shadow IT

Shadow APIs: The New Form of Shadow IT

API-Security
Cloud Native

January 4, 2023

The HackerOne 2022 Report: Analysis and Insight on Modern Day Vulnerabilities

The HackerOne 2022 Report: Analysis and Insight on Modern Day Vulnerabilities

API-Security
Cloud Native
News

December 22, 2022

A Record Growth Year for Traceable: Milestones and Plans for 2023

A Record Growth Year for Traceable: Milestones and Plans for 2023

Company
News

December 21, 2022

How Jobvite Eliminated API Sprawl with Traceable’s API Security Platform

How Jobvite Eliminated API Sprawl with Traceable’s API Security Platform

API-Security
Cloud Native

December 19, 2022

Defense in Depth: A Guide to Layered Security

Defense in Depth: A Guide to Layered Security

This article will go over how defense in depth and layered security work as well as the benefits of using them.
API-Security
Cloud Native
Foundations
Technology

December 17, 2022

Top Data Breaches of 2022 and What they Mean for API Security

Top Data Breaches of 2022 and What they Mean for API Security

API-Security
Cloud Native
News

December 20, 2022

A Guide to Modernizing Legacy Applications

A Guide to Modernizing Legacy Applications

In today's post, we'll guide you through the modernization of your legacy application and determine if it's something you should implement.
Cloud Native
Foundations

December 17, 2022

NextRoll Gains 8x Visibility into APIs and Solves API Sprawl

NextRoll Gains 8x Visibility into APIs and Solves API Sprawl

API-Security
Cloud Native

December 1, 2022

Traceable Announces Commitment to Respecting Data by Becoming a 2023 Data Privacy Week Champion

Traceable Announces Commitment to Respecting Data by Becoming a 2023 Data Privacy Week Champion

API-Security
Company
Foundations
News

January 23, 2023

2023 Cybersecurity Predictions:API Security Q&A w/ Richard Bird

2023 Cybersecurity Predictions:API Security Q&A w/ Richard Bird

API-Security
Breach Analysis
News

December 7, 2022

How to Plan Your Cloud Security Architecture

How to Plan Your Cloud Security Architecture

In this post, you'll learn some essential tips and tricks about planning your cloud security architecture.
API-Security
Cloud Native
Foundations

December 6, 2022

The Business Case for API Security: Why API Security? Why Now?

The Business Case for API Security: Why API Security? Why Now?

API-Security
Breach Analysis
Foundations
Technology

December 2, 2022

Sensitive Data Leakage: Defined and Explained

Sensitive Data Leakage: Defined and Explained

API-Security
Cloud Native
Foundations

November 28, 2022

OWASP API Top 10 for Dummies: Part III

OWASP API Top 10 for Dummies: Part III

API-Security
Foundations

November 28, 2022

Cloud DLP: What It Is and Why It's Needed

Cloud DLP: What It Is and Why It's Needed

API-Security
Foundations

November 29, 2022

A Leader's Guide to Understanding and Preventing Bot Attacks

A Leader's Guide to Understanding and Preventing Bot Attacks

Many business leaders remain in the dark about the dangers of bot attacks. Let's learn about how they work, and tips for preventing them.
API-Security
Cloud Native
Foundations

November 12, 2022

Security Posture: A Leader's Guide to Evaluating and Improving It

Security Posture: A Leader's Guide to Evaluating and Improving It

Read on to discover what a security posture is and tips for strengthening your posture to prevent attacks from causing significant damage.
API-Security
Foundations

November 16, 2022

No Results Found

Compliance
API Inspector
API Security Ownership
Blog
Technology
PCI DSS Compliance
Observability
LLM
Foundations
Developer
API Sprawl
Fraud
Security Research
Breach Analysis
News
Generative AI
Company
Traceable ASPEN
State of API Security
Releases
App Security
API-Security
Cloud Native

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

December 19, 2024

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

An in-depth analysis of three critical vulnerabilities discovered in ownCloud's API infrastructure, exposing risks in authentication, OAuth implementation, and file access controls. These security flaws highlight the importance of treating third-party APIs with enhanced scrutiny and implementing proper validation measures. Learn how these vulnerabilities were patched and what steps organizations should take to protect their systems.

November 5, 2024

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JSON Web Tokens (JWTs) offer stateless authentication in modern web applications, but improper implementation can expose critical vulnerabilities. This analysis explores attack vectors across JWT components, revealing how small oversights can lead to significant security breaches like privilege escalation and unauthorized access.

December 12, 2024

Another Milestone! Traceable Wins the 2023 Cybersecurity Breakthrough Award

Explore Traceable's award-winning API security, recognized by the 2023 CyberSecurity Breakthrough Award, and how ZTAA provides future-proof protection.

October 13, 2023

Recent Posts

ALBeast: a simple misconfiguration to a complete authentication bypass

December 19, 2024

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

December 12, 2024

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

November 5, 2024

Help, I'm Being Attacked: Why WAFs & Gateways Won't Stop the Next API Attack

October 24, 2024

Let’s Face It - Criminals are bypassing selfie verification in Know Your Customer processes

October 14, 2024

API Security: The Risk Threatening Australian Businesses

October 8, 2024

API Security

View All Blogs
arrow

The Authorization Maze

This article delves deep into the complexities of authorization in API security, exploring why implementing robust access controls is far more challenging than many engineers realize. Through real-world examples from companies like Airbnb and Uber, the author breaks down different types of authorization vulnerabilities (BOLA, BOPLA, BFLA) and explains the nuanced challenges of creating dynamic, context-aware access policies.

API Security: The Risk Threatening Australian Businesses

Explore API security ownership in modern Australian enterprises, key stakeholders, and how regulations like APRA and SOCI shape security practices and governance.

October 8, 2024

Why "Check-the-Box” Solutions Are Insufficient for API Security

Why “Check-the-Box” Solutions Are Insufficient for API Security

September 27, 2024

Organizing API Security Around the NIST Framework

Revolutionize your API security strategy with NIST Cybersecurity Framework 2.0. Enhance protection, detection, and incident response.

August 2, 2024

Traceable ASPEN

View All Blogs
arrow

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

December 19, 2024

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

December 19, 2024

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JSON Web Tokens (JWTs) offer stateless authentication in modern web applications, but improper implementation can expose critical vulnerabilities. This analysis explores attack vectors across JWT components, revealing how small oversights can lead to significant security breaches like privilege escalation and unauthorized access.

December 12, 2024

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

An in-depth analysis of three critical vulnerabilities discovered in ownCloud's API infrastructure, exposing risks in authentication, OAuth implementation, and file access controls. These security flaws highlight the importance of treating third-party APIs with enhanced scrutiny and implementing proper validation measures. Learn how these vulnerabilities were patched and what steps organizations should take to protect their systems.

November 5, 2024

Product Updates

View All Blogs
arrow

December Software Release

December was an extremely busy month for Traceable as we worked with customers to protect their environments from the Log4Shell vulnerability.

February 15, 2022

Traceable Defense AI M8 Released

Easier deployment process, extended agent support, extended API Intelligence, easier to find problems, protection additions, improved UX around threat hunting, ability to isolate per environment

April 11, 2021

Manage your external attack surface with new Traceable Sonar

Traceable Sonar efficiently identifies and catalogs these assets, granting security teams a panoramic view of their external attack surface. But it doesn't stop at discovery. Sonar delves deep into these assets, pinpointing vulnerabilities an attacker might exploit. By mirroring the probing techniques attackers use, Traceable Sonar equips organizations with critical insights into potential security loopholes.

August 25, 2023

Traceable API Security Platform Updates - July 2023

The Traceable AI team has been busy adding new capabilities and enhancing existing ones to better meet your API Security needs. Here is a sampling of some of the additions in July 2023.

August 17, 2023

Introducing Traceable's Digital Fraud Prevention: A New Frontier in API Security

At Traceable, we continually push the boundaries of innovation. Today, we're thrilled to announce the latest development in our mission to provide robust security to businesses worldwide - the launch of our Digital Fraud Prevention capabilities.

August 2, 2023

OWASP API Security Top 10 List 2023 Refresh

June 8, 2023

The Inside Trace

Subscribe for expert insights on application security.

Thanks! Your subscription has been recorded.

or subscribe to our RSS Feed

WHY TRACEABLE
Why TraceableOur CustomersOur PartnersAbout TraceableIn the NewsRequest DemoCompare Traceable
PLATFORM
API DiscoveryAttack ProtectionAttack DetectionFraud and Bot SecurityAPI Testing
USE CASES
API DiscoveryShift Left SecuritySensitive Data ExfiltrationAccount TakeoverBot MitigationIncident ResponseData Privacy and Compliance
RESOURCES
OverviewRelated API Resources BlogWebinarsCustomer Peer ReviewsCase StudiesWhite PaperDatasheetsDocumentationCustomer Success & Support
COMPANY
Sign In CareersPressPress KitASPEN LabsCustomer SupportSecurity and ComplianceLegalPrivacy Policy

© 2024 Traceable Inc.

548 Market Street PMB 83903, San Francisco, CA 94104-5401