How Traceable’s API Catalog Increased Visibility 8x for NextRoll

Industry: Software & Technology
Region: North America

Nicolas Valcárcel, Head of Product Security, NextRoll

Valcárcel leads both the product security and the security engineering teams, prioritizing API cataloging and API protection.

Executive Summary

NextRoll, a leading marketing data insights company, uses machine learning to generate insights that improve its customers’ marketing strategies by targeting buyers in strategic ways from one platform.

As a company that processes and interprets market data to deliver strategic insights, NextRoll felt the significant impact of not knowing its own API catalog and attack surface. Processing so much data presents security and visibility challenges, and earlier standards such as database monitoring and Web Application Firewalls are not enough to secure that data.

“One of the biggest focuses we have is on end-users’ data rights. We need to be extremely conscious that the data is being used correctly and is protected.”

Needing to remain compliant and to protect their API attack surface by understanding their risk posture and identifying where sensitive data was flowing, NextRoll sought a solution that would address all of their concerns.

With these concerns top of mind, NextRoll made adoption of an API Security platform a top priority.

“With Traceable, now I understand where the data is going. We knew we had data that was at risk, and with Traceable we are able to find and secure all data flowing through APIs using a single platform.”

Case Study Highlights

Company

Launched in 2006, NextRoll’s mission is to level the playing field for businesses by creating a reliable and understandable platform.

Using machine learning to serve two high-growth markets positions NextRoll to process more market data than its competitors, generating over 150 billion buyer predictions every day.

Challenge
  • API sprawl and an unknown attack surface made understanding risk posture impossible.
  • An extensive microservice architecture offered limited visibility into APIs.
  • Protecting sensitive data flows without slowing down data processing was difficult.
  • Existing WAF solutions were insufficient.
Results
  • 8x increased visibility into APIs.
  • 24x faster MTTR.
  • 12x cost savings through reduced triage time.
  • Eliminated the need for three separate security tools.
The Challenge

Life at NextRoll Before Traceable

Unknown API Catalog and Attack Surface

API sprawl and an unknown, vulnerable attack surface caused major concerns for the Product Security team at NextRoll. Beyond adhering to compliance standards, Valcárcel recognized a problem requiring remediation as part of the team’s drive to better understand its APIs.

The lack of visibility into their APIs made it hard for the Product Security team at NextRoll to manage their large data sets in a way that would scale with the ever-changing industry regulations. Their concern became how to remain compliant in protecting their APIs and the end-users’ data without slowing down their data processing.

Rampant API Usage within Microservice Architecture

The frequency of changes to APIs began to create serious difficulties in understanding risk posture, and without an accurate API inventory, it’s even harder to prevent data exfiltration and attacks. “We have a very big microservice architecture: We’re processing petabytes of data a day on internet traffic related to people’s preferences. And some of those microservices or even pipelines do not have a data store. They just go through an API that collects data, processes it, and outputs it to another API,” said Valcárcel.

Outdated security practices leave them blind

Traditional WAFs are inadequate for securing APIs. With the rise of API usage, data control is necessary both inside and outside the network, and Valcárcel emphasized the need for sensors outside the perimeter to protect data flowing through APIs. Database monitoring is inaccurate, and manual systems design leads to mistakes and misleading information. Manual data cataloging is insufficient and unreliable.

According to Valcárcel, “Manual data cataloging is never enough, it’s never accurate.”

Point solutions didn’t solve for API data privacy

In their search, Valcárcel and the NextRoll team found multiple vendors offering partial solutions that addressed certain aspects of industry regulations but failed to provide a scalable, comprehensive solution covering both current and anticipated regulatory concerns.

Although NextRoll’s deployment runs in the AWS cloud, the team did not consider the AWS WAF, knowing they needed more. Similarly, they opted out of using Signal Sciences, Salt, and NoName. “These solutions did not offer a data privacy component.”

The Transformation

Life After Deploying the Traceable platform

“Traceable offered the privacy and API Security component that was closest to what we were looking for. In fact, Traceable was able to develop that aspect of the product further by integrating our feedback. It has since been even more developed.”

Traceable also eliminated the need for three separate security tools, saving money and minimizing context switching for the team. According to Valcárcel, “Before Traceable, we would have needed at least three tools: the WAF, runtime application security, and the data scanner.”

Traceable validated their belief that their data passing through APIs needed to be closely monitored. Said Valcárcel, “Traceable confirmed our suspicions. We knew there were data privacy concerns that we had not uncovered using traditional methods, but without Traceable cataloging our APIs, I was not able to prove it. It was more like a hunch.” Valcárcel confirmed that Traceable was not only able to confirm his suspicions, but also able to provide a full picture of his API attack surface. “Once we got access to the Traceable API, I was able to build up a full data map of where data was flowing and which endpoints were getting what information. So, after some scripting, I was able to get a very clear picture.”

The depth of visibility helped both the security and development teams understand what needed to be addressed, not only to provide a fix but also to secure their APIs going forward.

API Catalog facilitates faster Incident Response

With Traceable, NextRoll drastically improved its mean time to resolve (MTTR) bugs. Said Valcárcel, “We have a bug bounty program, and it will identify bugs and their URL paths, and it directs us to various applications to take action. This presented the problem of understanding how to follow that URL path and how to direct the engineering team to a fix. The usual process involves looking into the configuration to determine which microservice serves that path and using that to troubleshoot.” Such a complex process of trial and error takes time.

With Traceable, their mean time to triage has been reduced from one day to less than one hour, and they are able to find and resolve security issues before bug hunters do. “With Traceable, because I have an agent in that microservice already, now I can see the URL path and what it serves much faster. Traceable helped us identify ownership on different incidents at a much faster rate. With Traceable I have the agents, I can tie URLs to microservices.”

“Visibility of APIs went from 10% at best to now close to 80%, a massive improvement based on the limitations of our high-volume data intake and performance-sensitive systems.”

Traceable platform eliminates point solutions

Traceable eliminated the need for point solutions, in turn removing the pain of context switching for the team and saving NextRoll both time and money. “We are using Traceable to replace our need for WAF, runtime application security, and data scanners,” said Valcárcel. “We are replacing Signal Sciences with Traceable at the end of August, 2022.”

The security team at NextRoll plans to focus more on Traceable’s expanding API catalog offering, particularly around data privacy and protecting sensitive data.

“I think that the thing I love the most about Traceable is the Traceable team. We have very open communication, they are super open to bouncing ideas, hearing feedback, and moving the product in a direction that actually works for us.”