Happy New Year from the Traceable team! We would like to share some of the key product updates from the last two months!
Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and their release notes can be found here.
API Catalog
API Ownership
API endpoints can now be assigned owners by creating custom attribute(s). API owners can be very handy for identifying who is responsible for an API when a vulnerability or an issue arises. They can also help identify ticket owners at the time of ticket creation. Owners can also be assigned at the service level, and all the API endpoints belonging to that service will inherit that owner. Customers have started bringing in ownership information for API endpoints by using Traceable’s GraphQL APIs to perform bulk update operations. View the detailed documentation here.
Ownership attributes can also be used to filter endpoints.
3rd Party APIs
Traceable now automatically identifies 3rd Party APIs (partner APIs) that are called from a customer’s environment, including the sensitive data types that are shared with those partners. These can be seen by going to the 3rd Party APIs menu in the left navigation. More information can be found here.
Automatic Auth Identification
Traceable automatically identifies authenticated APIs using well-known authentication methods, along with their auth types. This can be useful for filtering down to those APIs that use weak auth types.
API Protection
IP Type Based policies: API security is tightly coupled with the sources accessing critical APIs, so access patterns can be identified based on access type. We have now added IP Type based policies, which include:
- BOT
- Anonymous VPN
- Hosting Provider
- TOR Exit Node
- Public Proxy
BOTs are malicious bots known to have high abuse velocity and poor IP reputation, based on the behavior of these sources on other web properties on the Internet, as determined by our own detections and third-party threat intel partners.
Disposable Email Domains: Account creation on login APIs from malicious and/or disposable email domains has been a concern for several of our customers. We now provide an automated way to leverage our User Attribution to identify the email domains from which such accesses are happening and to alert on or block that API traffic. This helps ensure that fraudulent accounts from such fictitious sources are prevented.
Data Collection
API Security Testing
Scheduling Scan from Platform
You can now schedule and run AST scans from the platform itself. All you have to do is select a policy, a schedule, and a runner for a particular schedule.
You can also enable or disable a schedule as necessary.
Snyk Integration
You can now correlate Snyk vulnerabilities with active vulnerabilities found as part of an AST scan.
ZAP Integration
Already using ZAP scans in your pipeline and don’t want to end up running multiple scanners? The AST Scanner now supports ZAP natively, so you can run both AST and ZAP scans using the same scanner.