January 2023 Product Updates

Happy New Year from the Traceable team! We would like to share some of the key product updates from the last two months!

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

API Catalog

API Ownership

API endpoints can now be assigned owners by creating custom attribute(s). API owners are very handy for identifying who is responsible for an API when a vulnerability or an issue arises, and for identifying ticket owners at the time of ticket creation. Owners can also be assigned at the service level, in which case all API endpoints belonging to that service inherit that owner. Customers have started bringing in ownership information for API endpoints by using Traceable’s GraphQL APIs to perform bulk update operations. View the detailed documentation here.

Ownership attributes can also be used to filter endpoints.

3rd Party APIs

Traceable now automatically identifies 3rd party APIs (partner APIs) that are called from a customer’s environment, including the sensitive data types shared with those partners. These can be seen by going to the 3rd Party APIs menu in the left navigation. More information can be found here.


Automatic Auth Identification

Traceable automatically identifies authenticated APIs using well-known authentication methods, along with their auth types. This is useful for filtering down to those APIs that use weak auth types.

API Protection

IP Type Based policies: API security is tightly coupled with the sources accessing critical APIs, so access patterns are identified based on access type. We have now added IP type based policies, which include:

  1. BOT
  2. Anonymous VPN
  3. Hosting Provider
  4. TOR Exit Node
  5. Public Proxy

BOTs are malicious bots known to have high abuse velocity and poor IP reputation, based on the behavior of these sources on other web properties on the Internet, as determined by our own detections and third-party threat intel partners.

Disposable Email Domains: Account creation on login APIs from malicious and/or disposable email domains has been a concern for several of our customers. We now provide an automated way to leverage our User Attribution to identify the email domains from which such accesses are happening and to alert on or block that API traffic. This helps ensure that fraudulent accounts from such fictitious sources can be prevented.

Data Collection

API Security Testing

Scheduling Scan from Platform

You can now schedule and run AST scans from the platform itself. All you have to do is select a policy, schedule, and runner for a particular schedule.



You also get the ability to enable or disable a schedule as necessary.

Snyk Integration

You can now correlate Snyk vulnerabilities with active vulnerabilities found as part of an AST scan.


ZAP Integration

Already using ZAP scans in your pipeline and don’t want to end up using multiple scanners? The AST Scanner now supports ZAP natively, so you can run both AST and ZAP scans using the same scanner.

End of 2022 Product Updates


Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

API Catalog

  • Automatic authenticated API detection
  • Automatic authentication type detection for well known auth types
  • Improved UX for Data Classification
  • 3rd Party API detection
  • Improved user attribution rules

API Protection

Dynamic Thresholds in Rate Limiting

In addition to static thresholds, Traceable now offers the ability to alert or block every time an API’s access rate goes over the mean access rate for that API, aggregated over a user-configurable baseline interval in days. This is combined with IP reputation and the type of the source (BOT/TOR/VPN/Proxy etc.), which allows our customers to set different thresholds for regular users versus automated BOTs and traffic from other sources, protecting their APIs against volumetric attacks based on these source criteria.
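The following is an added example, not Traceable’s code, of the thresholding logic described above: a baseline mean request rate per API is computed over a configurable window of days, and a live rate is compared against that mean scaled by a per-source-type multiplier. The daily counts, the multipliers and the choice of which source types are blocked rather than alerted on are constructed assumptions for the example.

```python
"""Added example (not Traceable's code): a per-API dynamic rate threshold.

The baseline is the mean request rate for an API over a configurable window of
N days; a live rate above that mean, scaled by a per-source-type multiplier,
raises an alert or a block. Daily counts and multipliers are constructed values
chosen for this example.
"""
from statistics import mean

# Constructed: requests per day for one API over the last 7 days.
BASELINE_DAILY_COUNTS = {
    "GET /api/orders": [1200, 1300, 1250, 1180, 1400, 1350, 1220],
}

# Assumption: regular users get more headroom over the baseline than
# automated or anonymised sources (multiplier 1.0 = the baseline mean itself).
SOURCE_MULTIPLIER = {"user": 3.0, "vpn": 2.0, "proxy": 2.0, "tor": 1.0, "bot": 1.0}

# Assumption: sources whose breaches are blocked rather than only alerted on.
BLOCK_ON_BREACH = {"bot", "tor"}


def baseline_rate_per_minute(daily_counts, baseline_days):
    """Mean requests per minute over the last `baseline_days` days."""
    window = daily_counts[-baseline_days:]
    return mean(window) / (24 * 60)


def evaluate(api, source_type, observed_rpm, baseline_days=7):
    """Compare a live requests-per-minute figure with the API's baseline."""
    base = baseline_rate_per_minute(BASELINE_DAILY_COUNTS[api], baseline_days)
    limit = base * SOURCE_MULTIPLIER.get(source_type, 1.0)
    if observed_rpm <= limit:
        action = "allow"
    elif source_type in BLOCK_ON_BREACH:
        action = "block"
    else:
        action = "alert"
    return {"baseline_rpm": round(base, 3), "limit_rpm": round(limit, 3), "action": action}


if __name__ == "__main__":
    for src, rpm in (("user", 2.0), ("user", 10.0), ("bot", 5.0)):
        print(src, rpm, evaluate("GET /api/orders", src, rpm))
```

Because the multiplier for automated sources is 1.0, a bot exceeding the plain baseline mean is blocked while a regular user is only alerted on once it passes three times the mean; shortening `baseline_days` makes the baseline track recent traffic more closely.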

Threat Intel Integration

BOT, TOR, Proxy, and VPN data from threat intel sources is now correlated with Traceable’s detections for a comprehensive understanding of API threats. Combining the threat score of attackers detected by Traceable with TOR or BOT information further improves detection accuracy. The threat actor, threat activity, and data protection screens leverage this data.




Security Analytics

Security forensics can now be based on BOT, TOR, abuse velocity, IP reputation, ASN, and connectivity type (Mobile, Residential, Corporate etc.). This has helped numerous customers identify malicious actors and fraudulent users in use cases ranging from sensitive data exfiltration to account creation and free-credit abuse fraud at the API layer.




Data Collection

1.26.0 - 7th December

Traceable's 1.26.0 release has the following updates:

  • Traceable platform service as headless service in Kubernetes - Traceable agent's 1.26.0 release provides the ability to run the Traceable Platform service as a headless service in Kubernetes. This enables gRPC client-side load balancing for Traceable's tracing agents. In the 1.26.0 release, only the Go agent supports this client-side load balancing.
  • AWS VPC mirroring - 1.26.0 release provides a Terraform template for AWS VPC mirroring.
  • Processing pipeline improvement - 1.26.0 optimizes Traceable agent's processing pipeline to improve performance of Tracing agent's span exporter.
  • Attribution processor - 1.26.0 release adds a new user attribution processor to support regex-based capture and authentication types.
  • Ability to specify Traceable images - 1.26.0 release provides you the ability to specify the Traceable images using their SHA256 digest in Helm and Terraform deployments.

1.25.1 - 16th November

Traceable's 1.25.1 release has the following updates:
1.25.1 resolves an issue where AWS VPC CloudFormation templates were failing to create mirroring sessions when the number of target instances in the target group was more than 200.

1.25.0 - 10th November

Traceable's 1.25.0 release has the following updates:

  • eBPF OpenShift SCC deployment - Traceable agent's 1.25.0 release supports deploying eBPF in an OpenShift SCC environment.
  • eBPF egress data capture - Traceable agent's 1.25.0 release of eBPF agent supports capturing of egress data.
  • Use of persistent queue - Traceable agent now uses a persistent queue for span export retries on a failure.
  • Log rotation - Traceable agent installed on a virtual machine now supports log rotation.
  • HashiCorp Vault integration - Traceable agent's 1.25.0 release supports using secret keys stored in HashiCorp Vault. You can configure this using either Helm values or Terraform.
  • Default environment - If you miss configuring an environment name during Traceable agent's configuration, an environment with a default name is configured.
  • Exclude rule - Spans matching API exclude rules are now dropped in the Traceable Platform agent. This reduces resource usage, as spans matching an API exclude rule are not processed by the Platform agent.

API Security Testing

Run AST scans using OpenAPI Specifications or Postman Collections

Traceable’s API Security Testing module now supports importing OpenAPI Specifications to run security scans for your APIs.


Users can also provide a Postman collection via the CLI and run an AST scan using that collection.

Scan Policy

Team- and use-case-based scan policy creation and maintenance is now easy with AST scan policies. An all-new policies screen helps users manage their policies.


OWASP API Top 10 Coverage

The Traceable platform now covers the complete OWASP API Top 10 and helps users test their posture against it.


Platform

Environment-based role-based access control: As larger enterprises onboard users to Traceable, they want to give users access to specific environments only (e.g. API security testing users should have access to Dev and Staging, while the Infosec team needs access to Prod environments). This can now be achieved by adding users to the relevant environments or by updating the access of existing users.

Environment based configurations

Since APIs and the corresponding microservices vary per environment, access control policies need to be enforced at the environment level. If a customer has web-facing REST APIs in a single Kubernetes environment fronted by Apigee, the policies will differ from those for partner APIs, which could be in a different environment behind an F5. You can now apply policies per environment so there are no overlaps and no unintended consequences if rules clash.


September 2022 Product Updates

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

API Catalog

  • We now detect the following security headers out of the box for all APIs:

    • HSTS - Secure HTTP transport
    • CSP - Content security policy
    • CORS - Cross-origin resource sharing

  


  • ‘NOT’ Operator for API Endpoint filters
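As an added example (not Traceable’s code, and not its detection rules), the checker below shows what out-of-the-box detection of the three headers listed above can look like when run over captured API responses: it flags a missing or short-lived HSTS policy, a missing or permissive CSP, and CORS settings that combine credentials with a wildcard or absent origin. The one-year HSTS threshold, the CSP keyword check and the two sample responses are this example's own assumptions.

```python
"""Added example (not Traceable's code): flag weak or missing HSTS, CSP and
CORS headers on API responses. The checks and thresholds are this example's
own assumptions; the sample responses are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; assumption for a minimum HSTS max-age


def audit_security_headers(headers):
    """Return a list of findings for one response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP: allows unsafe-inline or unsafe-eval")

    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    if creds and origin in (None, "*", "null"):
        findings.append("CORS: credentials allowed without a specific origin")
    return findings


# Constructed sample responses (header dicts as a capture layer would hand them over).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_security_headers(hdrs) or ["no findings"])
```

Running the audit on every response of an endpoint rather than on one sample matters in practice, because a gateway may add the headers on some routes and not others; the function is deliberately stateless so it can be applied per response and the findings aggregated per endpoint.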


API Protection

  • Data Protection - Live View

    • All sensitive data types, part of Traceable’s built-in data classifiers or custom data classifiers, accessed by users can be seen based on access patterns for the last week.
    • Geo map, IP, and user-based filtering for specific data sets
    • Unique sensitive data usage counters per type to help customers get indicators of data accessed/exfiltrated by users, bots, etc.




  • Multipart encoding support - Data capture and blocking based on multipart content types. The following option is supported:

    • multipart/form-data based on RFC 1867

      This content type is intended to allow information providers to express file upload requests uniformly, and to provide a MIME-compatible representation for file upload responses.


  • Alerting on Security config change and User create/edit
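The multipart/form-data support above means the capture layer has to split an RFC 1867 body into its parts before it can inspect, redact or truncate them (the 1.24.0 agent notes below list redaction and truncation of multipart/form-data). The parser below is an added example, not Traceable’s code: it walks the dash-boundary delimiters, pulls out each part's `name`, `filename` and content type, then redacts a constructed list of sensitive field names and caps stored file content. The boundary, the body and the sensitive-field list are constructed for the example.

```python
"""Added example (not Traceable's code): parse an RFC 1867 multipart/form-data
body into its parts, then redact sensitive form fields and truncate file
contents before the body is stored. The field list, size cap and sample body
are constructed for this example.
"""
import re

SENSITIVE_FIELDS = {"password", "ssn", "card_number"}  # assumption


def parse_multipart(body: bytes, boundary: str):
    """Split `body` on the dash-boundary and return one dict per part."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter: --boundary--
            break
        if chunk.startswith(b"\r\n"):         # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'\bname="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "value": data,
            "size": len(data),
        })
    return parts


def redact_parts(parts, max_file_bytes=16):
    """Replace sensitive field values and cap stored file content."""
    out = []
    for p in parts:
        q = dict(p, redacted=False, truncated=False)
        if p["filename"] is not None and p["size"] > max_file_bytes:
            q["value"] = p["value"][:max_file_bytes]   # keep the original size for the record
            q["truncated"] = True
        elif p["name"] in SENSITIVE_FIELDS:
            q["value"] = b"[REDACTED]"
            q["redacted"] = True
        out.append(q)
    return out


# Constructed sample body: two text fields and one small file upload.
BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"
_D = b"--" + BOUNDARY.encode()
SAMPLE_BODY = (
    _D + b'\r\nContent-Disposition: form-data; name="username"\r\n\r\nalice\r\n'
    + _D + b'\r\nContent-Disposition: form-data; name="password"\r\n\r\nhunter2\r\n'
    + _D + b'\r\nContent-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
           b'Content-Type: text/plain\r\n\r\nline one\r\nline two\r\nline three\r\n'
    + _D + b"--\r\n"
)

if __name__ == "__main__":
    for part in redact_parts(parse_multipart(SAMPLE_BODY, BOUNDARY)):
        print(part)
```

Note that the parser keeps the raw bytes of each part and only decodes the header lines, so a binary upload is never mangled, and that the recorded `size` is the original length even after truncation, which is what a reviewer needs when deciding whether an upload was suspiciously large.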

Data Collection

Platform Agent - 1.24.0 - 26th September

Traceable's 1.24.0 release has the following updates:

  • Multipart/form-data - Traceable agent's 1.24.0 release supports redaction and truncation of multipart/form-data.
  • eBPF - Traceable agent's 1.24.0 release provides an install script for eBPF and Platform agent on a virtual machine. You can download the install script by navigating to install > traffic mirroring > linux > latest folder on Traceable's download site.
  • Environment scoped blocking rules - With Traceable agent's 1.24.0 release, Platform agents receive blocking rules that are specific to that environment.
  • XML body redaction - Traceable's 1.24.0 agent release supports redaction of XML bodies.

NGINX Agent - 0.1.72 - 26th September

Traceable's NGINX agent 0.1.72 release has the following updates:

  • Support for new NGINX versions - Traceable's NGINX agent 0.1.72 supports NGINX's versions 1.21.5, 1.21.6, 1.22.0, 1.23.0, and 1.23.1.
  • multipart/form-data support - Traceable's NGINX agent 0.1.72 supports multipart/form-data. Configure the capture_content_types directive in the traceableai block. Note that multipart/form-data support requires Traceable's Platform agent 1.24.0.

API Security Testing

  • Mutations and assertions are available now
  • Environment-based redaction settings are available now

AuthN/AuthZ coverage: JWT coverage has been added. We now detect confusion attacks, token expiry, and invalid signatures.

Platform

We added support for SAML group mapping to give our customers an automated way to map SAML group roles to Traceable roles.


May 2022 Product Updates

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

API Catalog

API visibility is critical for both our DevOps and security users. New and updated API Catalog functionality enables a broader Traceable audience and introduces many key new features.

  • New license

    • Free license for unlimited API discovery, including API DNA
  • Improved UX

    • Simplified search and filtering
    • Saved searches
    • Visualization of API activity
  • Sensitive data functionality

    • Sensitive data insights and visualizations
  • Conformance analysis and identifying shadow APIs
  • Download of OpenAPI spec

Improvements in API Protection

  • Improved UX

    • Presenting malicious behaviors in actionable groups, based on OWASP risks, types, repeated anomalies, affected APIs, and more
    • Visualizations and simplified searches
  • Advanced detection of rate violations with fine-grained conditions, including specifically labeled API endpoints, patterns in requests and responses, multiple rules, aggregation across multiple users, and more.

Data Collection

eBPF support

Support for capturing data with eBPF technology, which covers both North/South and East/West APIs without language-specific application instrumentation.


ARM architecture support (beta)

Support for API discovery and application protection for applications that run on ARM-powered clouds.

Apigee and Mulesoft support

Traceable now supports low-impact instrumentation based on integration with popular gateways.





March 2022 Product Updates

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

Protection against Spring4Shell Vulnerability - Announcement

Spring4Shell sprung up towards the end of March. Customers running the following software versions are likely impacted:

Traceable AI can protect your applications and APIs both at the gateway layer, with a signature-based approach, and within the application with our Java agent, which does not rely on signatures but on function call sequences and malicious payloads detected within the agent.




CloudFlare Integration for Blocking - Announcement

Some Traceable customers rely on agentless deployment for a portion, or even all, of their environment. With this feature, we are able to provide proactive protection and block threat actors and malicious sources even in agentless mode.

Blocking is accomplished via integration with an external CDN/WAF. The first integration made available is with a popular CDN vendor, CloudFlare.

Adding a threat actor to a deny or suspend list in Traceable will result in that actor being blocked at the edge by the integrated CloudFlare instance.

Traceable location and IP range blocking rules will operate in a similar fashion.


Changes in Attacker Scoring - Improvement

We got feedback from Traceable users that our previous scoring methodology was too aggressive for their high-volume applications. To better align with our customers’ security workflows, we have made the following changes to our approach to attacker scoring:

  1. If multiple malicious behaviors are observed in a single request, only the highest-severity behavior adds to the score.
  2. Reduced score contribution from similar events, based on which parameter is being attacked, how many users have sent malicious payloads, and the exact values being sent.
  3. The contribution of each event is displayed in the attacker timeline.
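The following is an added example, not Traceable’s scoring engine, of one way to implement the three rules above so the effect on a high-volume source can be reasoned about: per request only the top-severity event is scored, an exact repeat of an already-scored payload adds nothing, further hits on the same parameter and type decay geometrically and are divided by the number of distinct users seen sending that payload, and every event's contribution is recorded in a timeline. The severity weights, the decay and spread factors, the sample events and the placeholder payload names are all this example's own assumptions.

```python
"""Added example (not Traceable's code): one way to implement the three scoring
rules above. Severity weights, the decay factors and the sample events are this
example's own assumptions; payload values are placeholders.
"""
from collections import Counter, defaultdict

SEVERITY_WEIGHT = {"low": 5, "medium": 10, "high": 20, "critical": 40}  # assumption


def score_attacker(events, users_per_payload):
    """Return (total_score, timeline).

    events: dicts with request_id, type, severity, parameter, value.
    users_per_payload: how many distinct users have sent each exact value
                       (an assumed input; widely seen payloads count less).
    """
    by_request = defaultdict(list)
    for ev in events:
        by_request[ev["request_id"]].append(ev)

    seen_exact = set()          # (type, parameter, value) already scored
    similar_seen = Counter()    # (type, parameter) occurrences so far
    timeline, total = [], 0.0
    for request_id in sorted(by_request):
        # Rule 1: only the highest-severity behaviour in a request contributes.
        top = max(by_request[request_id], key=lambda e: SEVERITY_WEIGHT[e["severity"]])
        exact = (top["type"], top["parameter"], top["value"])
        similar = (top["type"], top["parameter"])
        base = SEVERITY_WEIGHT[top["severity"]]
        if exact in seen_exact:
            # Rule 2a: an exact repeat of a scored payload adds nothing.
            contribution, note = 0.0, "exact repeat"
        else:
            # Rule 2b: halve for each earlier hit on the same parameter/type,
            # and divide by the number of users seen sending this payload.
            decay = 0.5 ** similar_seen[similar]
            spread = 1.0 / max(1, users_per_payload.get(top["value"], 1))
            contribution = base * decay * spread
            note = f"decay={decay} spread={spread:.2f}"
            seen_exact.add(exact)
            similar_seen[similar] += 1
        total += contribution
        # Rule 3: the timeline records each event's contribution.
        timeline.append({"request_id": request_id, "type": top["type"],
                         "severity": top["severity"], "contribution": contribution,
                         "note": note})
    return total, timeline


# Constructed sample: four requests from one source, two with repeated payloads.
SAMPLE_EVENTS = [
    {"request_id": 1, "type": "SQLi", "severity": "high", "parameter": "id", "value": "payload_1"},
    {"request_id": 1, "type": "XSS", "severity": "medium", "parameter": "q", "value": "payload_3"},
    {"request_id": 2, "type": "SQLi", "severity": "high", "parameter": "id", "value": "payload_1"},
    {"request_id": 3, "type": "SQLi", "severity": "high", "parameter": "id", "value": "payload_2"},
    {"request_id": 4, "type": "XSS", "severity": "medium", "parameter": "q", "value": "payload_3"},
]
SAMPLE_USERS_PER_PAYLOAD = {"payload_1": 1, "payload_2": 4, "payload_3": 1}

if __name__ == "__main__":
    total, timeline = score_attacker(SAMPLE_EVENTS, SAMPLE_USERS_PER_PAYLOAD)
    for entry in timeline:
        print(entry)
    print("total", total)
```

With the sample data the four requests contribute 20, 0, 2.5 and 10 points: the second request repeats the first payload exactly, and the third hits the same parameter again with a payload that four different users have sent, so it is both decayed and spread. Under a naive additive scheme the same five events would have scored 80.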

Apigee On-premises - Announcement

Apigee is a platform for developing and managing APIs. By fronting services with a proxy layer, Apigee provides an abstraction for your backend service APIs and provides security, rate limiting, quotas, analytics, and more. Traceable supports Apigee private cloud v4.51.00 and above.

Multi-Region SaaS Support - Announcement

For compliance reasons such as GDPR, data residency, and cost concerns, our SaaS platform will also be hosted in Europe and APAC from this release. Customers will have the option to choose which deployments connect to the SaaS platform.

Platform Access Token Management - Feature

Platform access tokens have functionality similar to the API tokens we introduced in the January release, allowing for:

  1. Naming tokens for better traceability
  2. Revoking them when no longer needed
  3. Listing out all tokens with last access times

February 2022 Product Updates

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

Default DataSets for Compliance - Announcement

In this release, sensitive datatypes within Traceable AI are grouped into business- and compliance-specific DataSets for ease of management. For each DataSet, you can choose whether to enable data classification based on it and whether to redact the corresponding values.


You can also define new datatypes in addition to those predefined in the system. For convenience, new sensitive datatype definitions are available within the context of API Endpoint DNA.

Security Detection in Cookies - Improvement

To further improve detection accuracy, Traceable can now parse the structure of cookies embedded in requests and responses. Within each parameter of a cookie, Traceable AI runs the same detection for potentially malicious patterns as it does on the body and headers of requests.

Custom Webhook Updates - Improvement

To allow our custom webhooks to work with environments that require specific headers, such as AWS S3 and GCP Cloud Storage (GCS), Traceable AI now allows custom key-value pairs to be added to the headers.

Data Collection

Node.js Support - New

Our Node.js language agent can be used to collect data from, and block malicious requests coming into, Node.js applications.

AWS Lambda Support - New

With the increasing popularity of serverless architectures, security teams increasingly need to protect applications deployed on platforms like AWS Lambda. With our new Traceable Python Lambda agent, our customers can start collecting data for requests flowing through Lambda functions written in Python.

HAProxy Support - New

We have added data collection options for capturing data from HAProxy when it is deployed in either standalone mode (VM) or as an ingress controller (K8s).

NGINX Ingress Support - New

Traceable can now also collect data from the NGINX ingress controller.

January 2022 Product Updates

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

AWS Marketplace Listing - Feature Announcement

Traceable AI is now available in the AWS Marketplace for AWS users to purchase directly or through private offers. We already support protecting your APIs running in different AWS services: Amazon Elastic Kubernetes Service (EKS), Elastic Container Service (ECS), and EC2 instances. For customers looking for agentless deployment options, we also support AWS Traffic Mirroring.

Public APIs for Traceable - Announcement

Public APIs are now available for most functionality that is available via the Traceable UI.

  • GraphQL APIs for a consistent, predictable API you can use across all of your clients
  • Create your protection policies, rate limiting, IP/Geo blocking rules, and more
  • Obtain the most relevant APIs based on threats, risk score, call volume, and activity
  • Obtain updates on attackers based on threat level, active and blocked security events, and more


Label Management - Feature

API endpoints and services are important entities in API security. Customers can now label these entities based on static or dynamic attributes using labeling rules, which match specific attributes from traces. Labels can be used to solve important use cases such as:

  • Find all API endpoints and services in your deployment that are impacted by the Log4Shell vulnerability
  • Label all API endpoints and/or services that are running in an AWS VPC or Kubernetes cluster
  • Label all external API endpoints that carry PCI, PII, or other sensitive data




Jira Integration - Feature

Infosec and product security engineers who use Traceable need to tell developers which APIs are vulnerable or carry increased risk due to new security events in pre-production or production deployments. With the introduction of Jira Integration, tickets can be created based on findings in:

  • The Security Events page, including details on the threat actor, the specific URI, and the service/endpoint where the threat event was seen
  • The Vulnerabilities page, including the vulnerability type, the total APIs impacted by it, mitigation details, etc.

Vulnerability Management - Improvement

Traceable users who take advantage of Traceable’s vulnerability detection and management will appreciate the improvements introduced in this area this month.

First, two additional vulnerability types are now detected: Lack of Encryption and Incorrect Security Headers.

Second, the vulnerability product area has been made much more actionable.

Users can now focus specifically on vulnerabilities in external APIs, and summary charts are provided. Further, vulnerabilities are grouped by service, so that it is easy to use the direct Jira integration feature to assign remediation to the team that owns the service.

Trace Explorer Flexible Search - Improvement

The Traces view now supports flexible searching, including regular expressions and the ‘~’ operator, which searches for a substring within a larger field of a trace.

This functionality helps with advanced configuration tasks such as session identification configuration, as well as with root cause analysis of detected security issues.


Data Collection - Feature

Agentless data collection is now also supported via:

  • Pod level mirroring
  • Daemonset (Node) mirroring

Revamped Documentation - Improvement

We’ve also improved our documentation significantly by following an information architecture that is closer to our customers’ mental model. Users can now find and get to the content they are looking for much faster.





December 2021 Product Updates

December was a busy month, as we were working with customers on protecting their environments from the Log4Shell vulnerability. Here are our quick start guide and a webinar that explain the vulnerability and our approach in detail.

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

Log4Shell aggressive defense - Improvement

Log4Shell is one of the most impactful vulnerabilities we have seen in recent times. 

In addition to existing Java attack detection, Traceable can help protect your applications from being exploited by Log4Shell with comprehensive coverage:

  • Added signatures for newly discovered CVEs from the Log4Shell family
  • Added JNDI Lookup blocking in the Java In-app agent

Attack dashboard - Improvement

We have updated the attack dashboard to help security engineers assess the attack climate of their cloud-native environment at a glance.

The new dashboard includes a summary of application activity with unique users and traffic, a graph of attackers and attack requests, the list of most detected and most blocked security event types, and more.


API Endpoint Details dashboard - Improvement

We have streamlined the API Endpoint details view to bring forward API intelligence and make the security summary more accessible.

The new view summarizes security events and vulnerabilities detected for a given API endpoint, gives a view of the sensitive data types found in requests and responses, and brings the OpenAPI specification to the summary page.


HAProxy - Announcement

HAProxy is free and open source software that provides a high-availability load balancer and proxy server for TCP and HTTP-based applications, spreading requests across multiple servers; it has a reputation for being efficient with regard to memory and CPU usage.

Our customers who use HAProxy as a load balancer or reverse proxy in their infrastructure can now deploy Traceable tracing agents as a plug-in to HAProxy.

API Catalog, static and dynamic detection, signature-based blocking, rate limiting, IP blocking and other features will be supported with this tracing agent.
HAProxy support is available with the Tracing Agent version 1.11.3 or above.

SOC 2 Type 2 Compliance - Announcement

Traceable has received SOC 2 Type 2 certification. This certification shows that Traceable, though a young company, pays significant attention to the security, availability, and privacy of our customers and their data. This is why so many customers entrust Traceable to protect their applications. The certification will also help prospective customers save time and resources by relying on this independent certification instead of analyzing bespoke security surveys.

By way of background, a SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third-party technology services.


November 2021 Updates 🎉🎉


Hello there,

A few updates from Traceable: we have been working away at introducing new features and improvements based on our customers’ asks. Thank you for supporting us and providing candid feedback; keep it coming!

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

🎉Risk Scoring Customization ANNOUNCEMENT 

  • In this release, we are making risk customizable on a customer-by-customer basis. Each of the contributing factors in Likelihood and Impact is explicitly listed, including the metrics that are assessed to evaluate the factor. The contribution of each factor to the overall API Endpoint Risk score, as well as the lookup table mapping the numeric score to the stated risk level, are customizable. API endpoint granularity for risk can be achieved by labelling API endpoints as Critical, Sentry, or other.

🎉Cookie parsing IMPROVEMENT 

  • In this release, we add parsing of each cookie into key-value pairs, in addition to the previously available parsing of the API endpoint query, headers, and body for requests and responses.
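As an added example (not Traceable’s code or its detection signatures), the block below shows the mechanism this item and the February 2022 "Security Detection in Cookies" item describe: the Cookie header is split into key-value pairs, each value is URL-decoded, and the same pattern checks that would run over query parameters, headers and body fields are run over each cookie value. The three patterns and the sample header are constructed for the example; a real rule set would be far larger.

```python
"""Added example (not Traceable's code): split a Cookie header into key-value
pairs and run the same pattern checks on each value that would be run on
query parameters, headers and body fields. The patterns and the sample header
are constructed for this example, not the product's own signatures.
"""
import re
from urllib.parse import unquote

# Constructed detection patterns keyed by a label.
PATTERNS = {
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "template_expression": re.compile(r"\{\{.*?\}\}|\$\{.*?\}"),
    "html_tag": re.compile(r"<\s*[a-z][^>]*>", re.I),
}


def parse_cookie_header(header: str):
    """Return [(name, value)] pairs, keeping flags without '=' and values containing '='."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")   # split on the first '=' only
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def inspect_cookies(header: str):
    """Run each pattern over each (URL-decoded) cookie value; return findings."""
    findings = []
    for name, value in parse_cookie_header(header):
        decoded = unquote(value)                  # cookies are commonly percent-encoded
        for label, pattern in PATTERNS.items():
            if pattern.search(decoded):
                findings.append({"cookie": name, "pattern": label})
    return findings


# Constructed sample header: two benign cookies and two carrying suspicious values.
SAMPLE_COOKIE = "session=abc123; theme=dark; ref=..%2F..%2Fconfig; note=%7B%7Bname%7D%7D"

if __name__ == "__main__":
    for finding in inspect_cookies(SAMPLE_COOKIE):
        print(finding)
```

Decoding before matching is the point of the example: without `unquote`, the traversal sequence in `ref` and the template braces in `note` would both pass the patterns unnoticed, which is exactly the gap that extending detection from headers and body to parsed cookie values closes.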

🎉New Custom Rules IMPROVEMENT 

  • IP range blocking rules can now be configured more easily. Two additional options are ‘Never block’ and ‘Block all except’. These make it easy to exclude internal IPs and pentesters from being blocked and simplify the workflows.
  • Geo-location blocking is now available. Customers can specify the regions that should not be allowed to use the protected applications. This blocking can be configured by explicitly listing disallowed regions or by exception.

🎉Self Pay Option Announcement 

  • Team trial or free tier users can upgrade to the Team tier
  • Monthly and annual plans available
  • Increase or decrease endpoints and calls over time based on anticipated usage

🎉RBAC Update with Security Analyst Role Improvement 

  • Security analysts look for security events and threats in APIs and applications. They are typically part of Security Operations Center (SOC) teams or product security teams and need to be aware of any security events as soon as they occur.
  • A Security Analyst role has been added to complement the Account Owner, Security Admin, and Developer roles already present in Traceable.

🎉More options for data collection Announcement 

  • We’ve extended the breadth of data collection by adding support for traffic mirroring in AWS. This is an agentless solution that mirrors traffic from supported AWS targets. More details are available here.
  • The newly released Python tracing agent supports auto-instrumentation and blocking. Data can be collected from Python applications without changing source code.

🎉UserID based BOLA Improvement  

  • An additional type of authorization bypass is now detected, based on a mismatch in UserIDs. This is another example of a session-based anomaly that can only be detected by context-aware solutions like Traceable, not by legacy WAFs.



September 2021 Product Update

Hello there! A quick announcement on a new feature in our Fall 1 release.

Traceable Platform Agents and Tracing Agents are released asynchronously from the platform features, and they can be found here.

🎉RBAC - Feature 

Three new roles in the product for your API security use cases:

Account owner - Manages the Traceable account: adding/deleting regular users, assigning privileges, product tiers, licensing, and so on.

Security administrator - Typically InfoSec/product security admins who configure the security policies, investigate attacks, keep track of security events, and so on.

Developer - Devs in the engineering org who want to view and understand the risks associated with the APIs they have developed.

Why it matters: Different personas within the organization use Traceable for different reasons so it is important relevant folks have access to the relevant portions of the product. This is basic RBAC, more on this later :)
