The Journey Continues

Exciting News: We’ve Merged Harness and Traceable To Create A New Leader In Secure Software Delivery

Harness and Traceable to merge to create a new leader in secure software delivery.

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JSON Web Tokens (JWTs) offer stateless authentication in modern web applications, but improper implementation can expose critical vulnerabilities. This analysis explores attack vectors across JWT components, revealing how small oversights can lead to significant security breaches like privilege escalation and unauthorized access.

Recent Posts

The Journey Continues

Exciting News: We’ve Merged Harness and Traceable To Create A New Leader In Secure Software Delivery

ALBeast: a simple misconfiguration to a complete authentication bypass

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

Help, I'm Being Attacked: Why WAFs & Gateways Won't Stop the Next API Attack

API Security

The Authorization Maze

This article delves deep into the complexities of authorization in API security, exploring why implementing robust access controls is far more challenging than many engineers realize. Through real-world examples from companies like Airbnb and Uber, the author breaks down different types of authorization vulnerabilities (BOLA, BOPLA, BFLA) and explains the nuanced challenges of creating dynamic, context-aware access policies.

Help, I'm Being Attacked: Why WAFs & Gateways Won't Stop the Next API Attack

Many organizations mistakenly believe that Web Application Firewalls (WAFs) or API gateways provide sufficient protection against API attacks. While these tools offer useful traffic management and basic security features, they fall short when it comes to defending against more sophisticated API threats. WAFs are designed for web applications, not the complex logic and workflows of APIs, leaving them vulnerable to business logic and shadow API attacks. Similarly, API gateways, while helpful for managing API traffic and authentication, often miss critical vulnerabilities. Understanding the limitations of WAFs and gateways is the first step in strengthening your API security strategy.

API Security: The Risk Threatening Australian Businesses

Explore API security ownership in modern Australian enterprises, key stakeholders, and how regulations like APRA and SOCI shape security practices and governance.

Why "Check-the-Box” Solutions Are Insufficient for API Security

Why “Check-the-Box” Solutions Are Insufficient for API Security

Organizing API Security Around the NIST Framework

Revolutionize your API security strategy with NIST Cybersecurity Framework 2.0. Enhance protection, detection, and incident response.

Traceable ASPEN

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

An in-depth analysis of three critical vulnerabilities discovered in ownCloud's API infrastructure, exposing risks in authentication, OAuth implementation, and file access controls. These security flaws highlight the importance of treating third-party APIs with enhanced scrutiny and implementing proper validation measures. Learn how these vulnerabilities were patched and what steps organizations should take to protect their systems.

Service Now RCE - The Three Keys to ServiceNow's Data Vault

Discover critical ServiceNow vulnerabilities (CVE-2024-4879, 5178, 5217) enabling remote code execution. Learn their impact & how Traceable secures your APIs.

ALBeast: a simple misconfiguration to a complete authentication bypass

The ALBeast vulnerability represents a critical security flaw in AWS Application Load Balancer (ALB) authentication implementation that could lead to complete authentication bypass. This vulnerability, affecting over 15,000 applications, stems from improper validation of AWS-specific header claims and misconfigured security groups, allowing attackers to forge authentication tokens and impersonate legitimate users. The issue highlights the importance of proper JWT validation and security group configuration in AWS ALB implementations.

JWTs Under the Microscope: How Attackers Exploit Authentication and Authorization Weaknesses

JSON Web Tokens (JWTs) offer stateless authentication in modern web applications, but improper implementation can expose critical vulnerabilities. This analysis explores attack vectors across JWT components, revealing how small oversights can lead to significant security breaches like privilege escalation and unauthorized access.

Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust

An in-depth analysis of three critical vulnerabilities discovered in ownCloud's API infrastructure, exposing risks in authentication, OAuth implementation, and file access controls. These security flaws highlight the importance of treating third-party APIs with enhanced scrutiny and implementing proper validation measures. Learn how these vulnerabilities were patched and what steps organizations should take to protect their systems.

Product Updates

Traceable API Security Platform Updates - June & July 2024

Discover major improvements: enhanced data classification, UX updates for API catalog, AST changes, and a new threat activity UI for better visibility and analysis.

December Software Release

December was an extremely busy month for Traceable as we worked with customers to protect their environments from the Log4Shell vulnerability.

Traceable API Security Platform Updates - May 2024

Traceable's May 2024 updates enhance API security with compliance policies, targeted testing filters, and improved detection of advanced threats.

March | Traceable AI Feature Release

Stay current with new developments from Traceable AI; including, local hosting for EU/Asia and support for agentless deployments.

February | Traceable AI Feature Release

Stay current with new developments from Traceable AI; including, new support for AWS Lambda serverless architecture and new privacy features for managing sensitive data.

Traceable Defense AI M8 Released

Easier deployment process, extended agent support, extended API Intelligence, easier to find problems, protection additions, improved UX around threat hunting, ability to isolate per environment