Fintech Company discovered and secured 10,000+ Unknown API Endpoints with Traceable

INDUSTRY
FinTech
REGION
North America
Head of Product Security FinTech

Executive Summary

The company needed to address the business risk of an attack surface expanded by its cloud-native, distributed, API-based applications. The Product Security team was painfully aware that limited visibility into their APIs, including potentially undiscovered and unsecured APIs, could give attackers a way into their systems and access to sensitive data.

With these concerns top of mind, the company made adoption of an API Security platform a top priority.

Traceable brings the state of the API Security field forward more than anything else I’ve seen. Traceable is the gold standard for companies looking for an API security platform; I wish that I had this years ago.

Case Study Highlights

Company

This FinTech company develops and delivers financial services for digital assets.

Challenge
  • Severe API sprawl and the resulting inability to fully assess attack-surface risk.
  • Limited visibility into APIs, including newly developed or updated APIs and shadow APIs.
  • Limited ability for the SOC to distinguish between normal and malicious API traffic.
  • Existing legacy AppSec and intelligent WAF solutions could not see potentially malicious API traffic, leaving the company exposed to attack.
API Security with Traceable
  • 10x reduction in attack surface risk
  • Discovered/secured 10K+ unknown API endpoints.
  • 5x faster MTTR
  • 20K API vulnerabilities detected/resolved.

Before Traceable

API sprawl: Loss of Control in a Distributed Ecosystem

Like many companies facing heightened risk from the rapid growth in APIs, this FinTech Product Security team relied on highly manual, makeshift methods to inventory known and unknown APIs and to provide a single source of truth for all stakeholders. Because they lacked visibility into the data collected by their Security Operations Center (SOC), the Product Security team could glean little useful information about API usage or data flow.

Limited visibility = Unknown Attack Surface and Unknown Risk

Without visibility into their actual APIs and the data flowing through them, the team lacked insight into their endpoints. Known, unknown, and shadow APIs remained elusive: logging every HTTP request passing through their systems satisfied the need to collect data and remain compliant, but left them little ability to digest that information in a meaningful way. Buried in that volume of data, they could not identify unexpected APIs, much less what data flowed through them.

Limited intel: unable to address API security incidents

The Product Security team faced obstacles when accessing SOC data, which limited their visibility and made it hard to find what they needed. Unable to rely on regular insights, they fell back on manual methods and struggled to manage API security. Their approach involved reviewing API code, searching for log statements, and using tools such as Splunk. Our champion explains that “this very manual review was just making sure our logging requirements were met everywhere.”

Insufficient tools for API discovery and protection

Our champion noted that the existing web application firewall (WAF) provided limited visibility and required advanced Splunk skills to interpret its data. Contrast Security focused more on runtime agent integration than on full API security. Despite previous experience with Signal Sciences, it was considered too similar to a traditional WAF. Competing tools lacked comprehensive logging, offering only sampled analysis; without knowing the sampling rates, the security team could not assess blocked traffic or understand the data flowing through their APIs.

What they actually log for your later reference is sampled. There is no way to later know what was blocked or passed through these tools.

Life After Deploying Traceable for Comprehensive API Security

The team selected Traceable as their API Security Platform because the solution offers comprehensive protection across the entire API lifecycle.

“With Traceable, we have a much more comfortable stance on what we review in the early design stages, and what actually runs on our systems in production later. Whereas, with some other tools, it feels like you’d have to constantly be looking for differences to pop up and it’s just not as built in of a functionality.”

Traceable offered full API visibility without the limitation of SOC-team-only access.

“Now, not only do we have this kind of API visibility in general with Traceable, but we also understand what the traffic actually looks like from a behavior standpoint. Whether that’s good behavior, bad behavior, some gray area in between, the data feels more democratized. It’s also open and therefore other teams can also use it,” said our champion.

Traceable also provided in-depth discovery of their API endpoints and activity, along with the underlying information Gingelski’s team needed to assess and manage risk. This substantially improved their control over their security posture.

With these insights and the ability to accurately prioritize threats and blocking decisions, the team is now confident it can secure its APIs and data flows. “Before Traceable, things just felt very ad hoc and disparate. Whereas now, it is more unified and provides that safety net. I sleep better at night knowing that,” explained our champion.

With Traceable, it feels more like a safety net. Even if something passes our human review and we missed something, we still have visibility from Traceable to essentially every HTTP request, response, and knowledge of the internal traffic of how our APIs are functioning.

API Conformance Analysis Helps Distinguish Fact from Fiction

The Head of Product Security sees huge value in utilizing Traceable’s API conformance analysis capabilities.

The open API conformance analysis and what we’ve reviewed earlier in the development lifecycle is what actually goes out and is running. We’re reviewing basically to some extent all the code that goes out on the exchange.

Using capabilities such as this, the Product Security team can confirm that what runs in their environments matches what was reviewed during development and that it is accurately monitored.
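To make concrete what spec-versus-traffic conformance and shadow-API discovery mean in practice (the gap described earlier, where every HTTP request was logged but unexpected endpoints could not be picked out of the volume), here is an added Python example. It is not Traceable’s code and not the company’s; the route inventory, the access log lines and the identifier heuristic are all constructed for illustration. It goes slightly beyond the text by collapsing id-like path segments so that repeated hits on one undocumented route are counted as a single shadow endpoint rather than one per id.

```python
"""Spec-versus-traffic conformance check over constructed access log lines.

Added example: compares the operations declared in an OpenAPI-style path
inventory against what the HTTP access log shows actually running, and reports
shadow endpoints, undocumented methods on known paths, and declared operations
that never appear in traffic.
"""
import re
from collections import Counter

# Constructed inventory of documented operations (path template -> methods),
# shaped like the 'paths' section of an OpenAPI document. Routes are hypothetical.
SPEC = {
    "/v1/accounts": {"GET"},
    "/v1/accounts/{accountId}": {"GET", "PATCH"},
    "/v1/accounts/{accountId}/transfers": {"GET", "POST"},
    "/v1/health": {"GET"},
}

# Constructed access log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /v1/accounts HTTP/1.1" 200 512 "-" "svc/1.0"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /v1/accounts/8832 HTTP/1.1" 200 348 "-" "svc/1.0"
10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "POST /v1/accounts/8832/transfers HTTP/1.1" 201 96 "-" "svc/1.0"
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "DELETE /v1/accounts/8832 HTTP/1.1" 405 0 "-" "curl/8.0"
10.0.0.7 - - [12/Mar/2024:10:01:06 +0000] "GET /v1/accounts/8832/export?format=csv HTTP/1.1" 200 10240 "-" "svc/1.0"
10.0.0.7 - - [12/Mar/2024:10:01:07 +0000] "GET /v1/accounts/9174/export HTTP/1.1" 200 8192 "-" "svc/1.0"
10.0.0.2 - - [12/Mar/2024:10:01:08 +0000] "GET /internal/debug/env HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.2 - - [12/Mar/2024:10:01:09 +0000] "GET /v1/health HTTP/1.1" 200 15 "-" "probe/1.0"
this line is not a valid access log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (an assumption of this example): path segments that are decimal ids,
# UUIDs or long hex tokens are treated as identifiers when generalizing paths.
ID_SEGMENT_RE = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def parse_log_line(line):
    """Return (METHOD, path) with the query string stripped, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return m.group("method"), path


def template_to_regex(template):
    """Turn '/v1/accounts/{accountId}' into an anchored regex; a {param} matches one segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def collapse_ids(path):
    """Generalize an undocumented path so /x/123 and /x/456 count as one shadow endpoint."""
    return "/".join("{id}" if ID_SEGMENT_RE.match(seg) else seg for seg in path.split("/"))


def analyze(log_lines, spec):
    """Classify every request against the spec and return the conformance findings."""
    # Try templates with the most literal segments first, so a literal route such as
    # /v1/accounts/summary would win over /v1/accounts/{accountId} if both existed.
    templates = sorted(
        spec, key=lambda t: sum(not s.startswith("{") for s in t.split("/")), reverse=True
    )
    compiled = [(t, template_to_regex(t)) for t in templates]

    observed = Counter()          # documented (method, template) seen in traffic
    method_mismatch = Counter()   # documented path hit with an undocumented method
    shadow = Counter()            # path matching no documented template
    unparsed = 0

    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            unparsed += 1
            continue
        method, path = parsed
        template = next((t for t, rx in compiled if rx.match(path)), None)
        if template is None:
            shadow[(method, collapse_ids(path))] += 1
        elif method in spec[template]:
            observed[(method, template)] += 1
        else:
            method_mismatch[(method, template)] += 1

    # Documented operations that never showed up: candidates for removal or for
    # checking that the monitoring actually covers them.
    unobserved = sorted(
        (m, t) for t, methods in spec.items() for m in methods if (m, t) not in observed
    )
    return {
        "observed": observed,
        "shadow": shadow,
        "method_mismatch": method_mismatch,
        "unobserved": unobserved,
        "unparsed": unparsed,
    }


def report(log_text=SAMPLE_LOG, spec=SPEC):
    """Print a human-readable summary and return the raw findings."""
    result = analyze(log_text.splitlines(), spec)
    for key in ("shadow", "method_mismatch"):
        for (method, path), n in sorted(result[key].items()):
            print(f"{key:16} {method:7} {path}  ({n} requests)")
    for method, template in result["unobserved"]:
        print(f"{'unobserved':16} {method:7} {template}")
    print(f"unparsed lines: {result['unparsed']}")
    return result


if __name__ == "__main__":
    report()
```

On the constructed input this flags two shadow endpoints (the undocumented export route, seen twice under different account ids, and an internal debug endpoint), one undocumented DELETE against a documented path, and two documented operations that never appear in traffic. In a real deployment the inventory would come from the reviewed OpenAPI documents and the log from the gateway or service mesh, and the same three findings are the questions a product security team wants answered continuously rather than by hand.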

Data Collection Methods Allow for In-depth Actionable Intelligence

One of the biggest pains for this FinTech company was the overwhelming volume of data that had to be parsed by hand. Traceable has removed that burden: the Product Security team can now easily understand and interpret the information presented in the Traceable dashboard.

According to our champion, “Without Traceable, it takes a minimum of 5x longer to parse through the data available. With Traceable, it’s pretty much drag and drop to a large extent and filter down to what you’re interested in.”

Now his team has not only general API discovery with Traceable, but also immediate access to all the data their security teams need.

Traceable democratizes that data to our broader security organization. And knowing that what we’re looking at in Traceable is a complete picture is no small thing, it’s very inspiring.