Compliance Policies

Compliance Policies help you to identify API endpoints that violate your organization’s security policies. You can use these compliance policies to identify violations apart from the standard vulnerabilities that Traceable identifies. Traceable provides you with certain predefined policies that you can use to identify violations. However, you can also define custom policies to identify these violations based on various attributes, such as the environment the API is present in, its vulnerability type, and data sensitivity. You can also enable or disable these policies according to your requirements.

The compliance policies are separated into the following categories:

• Traceable — This category lists the out-of-the-box compliance policies by Traceable. These policies help identify some of the most common violations across API endpoints. For more information on these policies, see Traceable and PCI DSS Compliance Policies.

• PCI DSS — This category lists the compliance policies that Traceable creates to identify PCI DSS data across API endpoints. For more information on these policies, see Traceable and PCI DSS Compliance Policies.

• Custom — This category lists the compliance policies you create using various attributes according to your requirements. For more information on these policies, see Custom Policies.

You can access the Compliance Policies page through API Catalog → Settings → Compliance Policies. While the compliance policies page lists the policies, the identified violations are listed in API Catalog → Issues. On the Issues page, you can view the details about the violations and the API endpoints in which they were identified. For more information on how to navigate through these violations, see Issues.

Note

The compliance policies only help in identifying violations across discovered API endpoints. Based on the details about these violations, you can also choose to create custom policies under API Protection. These policies help protect your APIs according to the settings you configure. For more information on how to create these policies, see Custom policy.

Traceable and PCI DSS Compliance Policies

Traceable, by default, provides you with some policies on the Compliance Policies page. On this page, under the Traceable and PCI DSS tabs, you can hover over the File () icon corresponding to policies’ names to view their descriptions.

Traceable recommends enabling these policies to help identify some of the most common violations and PCI DSS data across API endpoints. Each policy has a severity associated with it, based on which you can enable or disable it according to your requirements. To do so, click the toggle under the Status column corresponding to the policy you wish to enable or disable. For every policy, you can also choose the environment in which you wish to enable it. For example, in the above screenshot, the Shadow API endpoint policy is enabled only for the Fintech_app environment. By default, all policies are enabled for All Environments. To edit the environment where you wish to enable the policy, click the Ellipse icon → Edit corresponding to a policy. In the Edit page, Environment drop-down list, select the environment(s) in which you wish to enable the policy.

Note

For the Unused endpoint policy, in addition to selecting the environment(s), you can also specify the traffic inactivity threshold duration. Based on this duration, Traceable determines whether an API should be flagged for compliance vulnerability. If the API has not received traffic within the specified duration, it is flagged for compliance vulnerability, and vice-versa.

Traceable also allows you to filter policies to view the ones you wish to view:

• Severity — This lists the policies based on the severity Traceable has assigned to them.

• Status — This lists the policies based on whether they are enabled or disabled.

Custom Policies

You can create your custom policies by selecting various attributes according to your requirements. Traceable uses these policies, identifies their corresponding violations, and lists them on the Issues page for you to take action.

Note

Each custom policy should have a unique name.

To create a custom policy, complete the following steps:

1. Log in to the Traceable platform and navigate to API Catalog → Compliance Policies.

2. On the page’s top right corner, click on + Custom Policy.

3. In the Name step, complete the following:
   

   

   1. Specify the Policy Name. For example, API endpoint contains critical data.
      Traceable uses this policy name as the Issue Name on the Issues page.

   2. (Optional) Specify a Description for the policy.

   3. From the Category drop-down list, select the category to which the detected violation should belong or specify a category name and click on Create new Category “<Category Name>”. For example, Production.

   4. Select the severity from the Severity drop-down list to assign to the policy, for example, High.

   5. Click on Next.

4. In the Criteria step, complete the following:
   

   

   1. From the Environment drop-down list, select the environment on which you wish to check the violations. By default, Traceable selects All Environments.

   2. In the API Attribute section, click API Attribute + and select the attribute according to your requirements. For example, Endpoint Name is equal to (=) GET /userinfo/json.

   3. In the Vulnerabilities section, click Vulnerability Attribute + and select the attribute according to your requirements. For example, Vulnerability Status is (IN) either Open or Under review.

   4. In the Data Classification section, complete the following according to your requirements:

      1. Click on Datatypes + and select the attributes according to your requirements. For example, Request & Response of the API endpoint contains either (Contains any of) the Credit Card PIN, username, and password data types.

      2. Click on Datasets + and select the attributes according to your requirements. For example, Response of the API endpoint does not contain either (Contains any of) the Generic Personal Info or PII UK data sets.

      3. Click on Data Sensitivity + and select the attributes according to your requirements. For example, the Request data of an API endpoint is highly (High) sensitive.

   5. Click on Next.

5. Review the attributes and settings you configured above in the Review/Save step. If you want to make any changes to the settings, click on the Edit icon in the top right corner of the Criteria section or click Back to navigate to the step where you want to make a change. Else, click on Submit.
   

   

The custom policy is visible under the Custom tab of the Compliance Policies page. You can perform the steps above to create multiple policies. You can Enable or Disable these policies on this page according to your requirements. To do so, click the toggle under the STATUS column corresponding to the policy you want to enable or disable.

Note

Custom policies may take up to 24 hours to generate Issues post-creation.

You can also perform the following actions on the policies by clicking on the Ellipse () icon corresponding to a policy:

• View a policy to identify the attributes that Traceable uses to identify violations.

• Edit a policy to add or remove any attributes according to your requirements.

• Clone and edit a policy to add or remove any attributes according to your requirements.

• Delete a policy.

  Note

  A deleted policy cannot be restored.

Traceable also allows you to filter policies to view the ones you want:

• Category — This lists the policies based on the category assigned to them.

• Severity — This lists the policies based on the severity assigned to them.

• Status — This lists the policies based on whether they are enabled or disabled.