The Issues page serves as your central command center for monitoring API risks that Traceable has identified using the security testing scans. If you are responsible for the organization’s API security and want to view issues identified via AST scans, you log into Traceable and head over to the Testing → Issues page. This page serves as a hub where all potential vulnerabilities and risky patterns are identified through scans.
Issues
What will you Learn in this Topic?
By the end of this topic, you will understand:
What Issues are, and how Traceable detects and displays them.
The key components such as:
Visual charts for severity and status trends
Issue listings with column-level information
Grouping and Filtering options to organize and prioritize issues effectively
If you already have an understanding of these components and want to learn how you can drill down and manage an issue, see Issue Management.
What are Issues and how does Traceable Identify Them?
Issues are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. Traceable identifies assets or API endpoints and services in your environment through the discovery process in Catalog. Once identified, you can set up AST scans, and based on the policy you select, Traceable detects issues and shows them on the Issues page. For information on setting up a scan and policy, see Creating a Scan and Policies, respectively.
Note
Traceable does not scan APIs for issues while they are in the learning phase.
How is the Issues Page Helpful?
The Issues page provides a streamlined and intuitive experience to help you view issues, understand them in depth, conduct a risk assessment, and resolve them quickly. Even when you resolve an issue, Traceable continuously monitors the API endpoints as part of the scan. For more information, see Journey of an Issue.
Whether you are a security engineer, developer, or DevOps lead, Traceable gives you the visibility and control to secure your APIs effectively.
Understanding Issues
The Issues page is a centralized hub for visualizing all vulnerabilities detected in External and Internal APIs tested as part of the AST scans. It provides a comprehensive overview of open issues, including their severity and key details such as the last time they were seen. This dashboard provides a clear snapshot of the system’s security risks identified during API Security Testing, helping you investigate and prioritize their resolution efficiently. To view the Issues page, navigate to Testing → Issues.
For information on how to drill down into an issue, manage its status, remediate it, and the rules around resolution and deletion, see Issue Management.
Issue Severity
Traceable categorizes detected issues based on their criticality and impact on your application ecosystem. The following are the categories in descending order of severity:
Critical
High
Medium
Low
Key Components
The page contains key components that help you quickly assess and understand issues. Below are the main elements of the page and their significance:
Issues Key Components
Visual Insights
At the top of the page, Traceable shows the following charts:
Chart | Description |
|---|---|
Issues by Severity | Shows the count of issues by severity (Severity Breakdown). You can click on the severity to filter the results based on your selection. |
Issues by Status | Shows a trend of the open and resolved issues over the past 30 days. |
Collectively, the above charts provide an overview of your application’s security health and trends, based on which you can take the necessary actions.
Issue Listings
Each entry on the page represents a unique issue, when grouped by Issue Name (default), with each column providing the following details. If you wish to drill down into an issue and manage it individually according to your requirements, see Navigating the Issues Flow.
Column | Description |
|---|---|
Issue Name | Specifies the name of the issue, for example, Broken Object Level Authorization. This name is used across the Traceable platform for identification purposes. |
Endpoint | Specifies the API or system endpoint, for example, |
Severity | Each issue is categorized by color-coded labels, for example, Low, Medium, High, and Critical, allowing you to gauge its impact and urgency. This is helpful as it provides a way to prioritize issue resolution based on risk, focusing on high-severity issues that may require immediate attention, while lower-severity issues can be addressed as part of routine maintenance. |
Source | Displays information about the origin of the issue, here AST. |
OWASP API Top 10 | Specifies the mapping to the OWASP API Top 10 security risks. This helps you understand and prioritize issues based on their global recognition. |
Last Seen | Specifies the most recent occurrence of the issue. This helps you determine whether the issue is still active, has reappeared, or is no longer a threat. |
Status | Displays the current status of the issue. This serves as a communication medium to indicate whether or not an issue requires prioritization. For more information on the available statuses, see Issue Management. |
Integrations | Displays the Jira icon. This helps you track an issue by creating a Jira ticket directly from the Traceable platform.
|
Actions | Enables you to re-test the issue. Upon clicking, Traceable shows a pop-up window where you can run a scan using the terminal or the platform. |
Grouping, Filtering, and Additional Options
While Traceable groups the issues on the page based on their name, you can filter and group issues based on several criteria:
Group By
Category | Description |
|---|---|
Issue Name | Groups issues based on the specific issue. This helps you understand how widespread an issue is across environments and focus on resolving the most recurring issues. |
Category | Groups issues based on broader classifications such as Authentication, Authorization, or JSON Web Token. This helps you analyze the issues from a broader level, as to which issues are most common across the system. |
OWASP API Top 10 | Groups issues based on their mapping in OWASP API Top 10 categories. This helps you align your analysis based on the recognized industry standards. |
API Endpoints | Groups issues based on the endpoints in which they were detected. This helps you analyze the risk exposure for endpoints and prioritize resolution based on them. |
Owner | Groups issues based on the assigned owner of the API. This helps you direct these issues to the right individual or team for faster and effective resolution. For more information on ownership and its assignment, see API Ownership. |
Label | Groups issues based on the labels assigned to APIs. This helps you assess and prioritize issues by business function, risk, or internal tagging conventions. |
Domain | Groups issues based on the domain of the API where the issue was detected. This helps you assess and prioritize issues by the application area or team affected. |
To group the issues using either of the above criteria, use the Group by drop-down, as shown in the image above.
Filters
The filters help you narrow down the issues based on options such as status, severity, source, timestamp, or sensitivity, allowing you to analyze them more effectively. To filter the issues based on your requirements, use the Filter (
) icon, as shown in the image above. Post-application, you can also save the filter for later use. The saved filters are visible under the Filter icon → Saved tab.
For information on managing issues based on the above groups and filters, see Issue Management.
Additional Options
Apart from the above options, Traceable also provides the following features on the page:
Search bar — Locate an issue by typing its name.
Visualization toggle — Show or hide the visual insight section on the page.
Download icon — Download the issue listings on the page for offline analysis.