Suites
  • 13 Jun 2024
  • 10 Minutes to read
  • PDF

Suites

  • PDF

Article summary

A Suite is a combination of a group of scans with common configurations of policy and schedule. They help group similar scans together in an environment. As the scans are executed several times, suites help organize the related scans together. While creating a suite, you can configure several scan properties such as type, scope, authentication, etc. The subsequent scans are executed using these configurations.

The API Security Suites page provides a summarized view of vulnerabilities across a set of scans. The displayed suites are environment-specific, or you can view the suites for all the environments together. Using Suites, you can also create scans. Note that you must choose a specific environment to create a scan. The following screenshot shows the Suites dashboard.

traceable_ast_suites_introduction(3)
Suites


In the above screenshot, All Environments is selected from the drop-down list. Hence, Quick Scan and Create Suite are greyed out. The Suites dashboard in the above screenshot shows three suites across all the environments. Following is a summary of information that is available from the dashboard:

  • A total of four suites are displayed in the Suites dashboard.

  • If you hover over a scan, as shown for Quick Scan above, you can view the number of Low, Medium, High, and Critical vulnerabilities found in that scan.

  • Except for Quick Scan, all the suites are based on a scan policy. The other three suites are attached to the allattackspolicy policy.

  • A total of 1.59K scans were completed, 0 scans were scheduled, 7 aborted scans were completed, and 0 scans are running.


XAST live, XAST replay, and DAST

As explained in the next section, the creation of a suite is based on the choice of traffic from XAST live, XAST replay, and DAST. This section explains what these are and the benefits of choosing one of them.

XAST live

XAST uses live traffic to secure your APIs without needing extra setup or authentication. XAST Live uses existing traffic from tests and applies innovative changes to simulate attacks, finding vulnerabilities in real time. Following are a few benefits of using XAST live traffic:

  • No extra configuration — You can utilize the existing test environments and authentication mechanism.

  • Real-time testing — You can assess your API security against live traffic for immediate feedback.

  • Actionable insights — Receive specific, direct information to remediate potential threats quickly.

XAST replay

Traceable’s xAST Replay feature provides the distinct ability to replay historical traffic, including authentication data, for comprehensive vulnerability testing. This approach guarantees that previous traffic patterns are thoroughly examined and that historical data inform your API's security measures. Following are a few benefits of using XAST replay traffic:

  • Historical Context — Employ historical data to conduct thorough vulnerability assessments, reducing reliance on current data availability and expanding coverage.

  • Authentication Testing — To assess security, perform authentication testing using custom authentication methods and role-based access controls, including replay attacks.

  • Precise Vulnerability Detection — Re-enact specific traffic scenarios to identify weaknesses and vulnerabilities in the system precisely.

DAST

Traceable's Dynamic Application Security Testing (DAST) Scan surpasses conventional DAST solutions by integrating API context and leveraging data-informed insights, enhancing detection capabilities. Following are a few benefits of using DAST scan:

  • Advanced Detection — Leverage our contextually rich analysis to identify vulnerabilities accurately.

  • Integration Readiness — Seamlessly integrate testing by utilizing OpenAPI specifications or Postman collections.

  • Data-Driven Insights — Harness Traceable's data intelligence to improve the accuracy of vulnerability assessment results.

The below table lists down the comparison between XAST live, DAST, and XAST replay traffic types:

XAST Live

DAST

XAST Replay

It uses live traffic in real-time to run the scan.

It generates traffic based on examples provided in the specifications.

It uses live and past traffic to run the scan.

It uses Traceable generated specifications for accuracy and coverage per API.

It uses the API specification you provide, for accuracy and coverage per API.

It uses Traceable generated specifications for accuracy and coverage per API.

It runs context-sensitive targeted tests using real-time monitoring and analysis approach.

It runs simulated attacks on applications using the black-box testing approach.

It runs context-sensitive targeted tests using the historical traffic analysis and replay approach.

It does not scan if no traffic is present in an API.

It scans all APIs irrespective of traffic.

It scans selected APIs/assets if there is any traffic in past.

It has the most penetration power due to context relevance from real traffic.

When Postman collection-based, it has the same penetration power as XAST Live. When Open API-based, it has least penetration power if the examples provided are invalid.

It has lesser penetration power than XAST live but more than DAST as some data may have lost relevance with time.

It has lesser coverage than XAST replay but more than DAST as it uses live traffic.

It has the least coverage because of its black-box nature.

It has the most coverage as it uses both live and historical traffic.

It does not require separate authentication hook setup.

It requires authentication hook setup.

It may or may not require authentication hook setup.


Create a suite

To create a new suite, select the Environment for which you wish to create a suite. Then, click on Create Suite from your environment-specific suite page, as shown below.

traceable_ast_suites_create_suite



Creating a suite consists of the following four steps:

  1. Choosing a policy for the Suite and giving other details like the type of traffic.

  2. Choosing the assets (API endpoints) on which you wish to run the scan.

  3. Setting up the schedule (optional) and a few other configurations.

  4. Optionally adding an integration.

Step 1 — Provide details

As part of step 1 to create a Suite, provide the following details:

  • Name — Provide a name that will help you identify the Suite. The name should not have any spaces.

  • Policy — Select a policy from the drop-down list. A scan is related to an existing policy. Only when you run a Quick Scan, you do not need a policy.

  • Traffic type — Choose a traffic type from XAST live, DAST, or XAST replay.

    • XAST replay — The XAST replay scan is executed using stored APIs. This is possible in environments with replay enabled. For more information, see Environment Config.

    • DAST — You can run a DAST scan using the existing OpenAPI spec or upload a fresh OpenAPI spec. You can select one or more OpenAPI Specs. You can also upload a Postman collection or use a GraphQL schema to run a DAST scan. Traceable also provides the GraphQL public API that allows you to create a suite for GraphQL schemas. For more information, see Create a suite using the GraphQL public API.

      Note

      DAST does not require you to instrument an app, however, you must choose an environment for the DAST scan to create the default service and list the APIs under it. By default, the service name is traceable-oas-processor.

    • XAST live — Run the scan on live traffic.

  • Environment — The environment for which you want to run the AST scans. Since Suite is environment-specific, this is preselected based on the environment you selected from the Environment drop-down. For example, the HighTechApp environment is specified in the above screenshot.

  • Target URL—Configure this option to test a specific domain, such as mydomain.com. This is optional if you are using live traffic because AST targets the domain to which the live traffic is going. It is mandatory if you have selected DAST.

traceable_ast_suites_create_suite_steps
Create Suite

Step 2 — Choose assets

In step 2, choose the assets you wish to run the scan on. You can choose from:

  • All Endpoints 

  • A set of Endpoints 

  • Services

  • Endpoint Labels — All Endpoints are tagged with a specific label, such as critical, sensitive, external, etc.

  • Filter endpoints — You can create your filter to choose the endpoints you want to scan. For example, you can select all external APIs, APIs with the GET method, APIs with sensitive data, etc.

Select Assets

Advanced configuration

The advanced configurations are optional. You can use regex expressions to include URL regex based on which Traceable filters the incoming traffic to be included. Similarly, the exclude URL regex is a type of regex based on which Traceable filters the incoming traffic to be excluded.

Include Traffic Matching Following Conditions

You can specify conditions according to your requirements based on which Traceable filters the incoming traffic and runs scan on it. This is useful when you are receiving excessive traffic and want to run scans on its subset.

Note

You can filter traffic only for XAST live and XAST replay traffic types.

To include traffic according to certain conditions, you can click on Add Condition and:

  • Select the Location on which you want to apply the filter.

  • Select and specify the parameters under Attribute Key.

  • Select and specify the parameters under Attribute Value.

Similarly, you can add multiple conditions to filter traffic. However, the API traffic must fulfil all the conditions for Traceable to run scans on it.

Authentication

You can also choose the authentication type. For more information on different authentication types, see Authentication.

Step 3 — Configurations

In step 3, add a schedule for your scan. Adding a schedule is optional. In addition to adding a schedule, you can configure the scan evaluation criteria and choose one from the following three default options. You can also create your custom criteria. The scan evaluation criteria decide on what criteria a scan would fail. This is based on the type of vulnerabilities found in the scan.

  • Fail on any

  • Fail on critical

  • Fail on high and above

You can also set other configurations, such as idle time out, scan time out, delay between requests in milliseconds, and test execution threads.

Schedule Scan

Step 4 — Integrations

Step 4 is optional. You can currently integrate Snyk with the scans. For more information, see Snyk topic.


Suite details

Once you have created a suite, the scans run according to your configured schedule and frequency. The scan results are the vulnerabilities found and are displayed as a bar chart on the Suites dashboard (as shown in the first screenshot).

When you click on a Suite, it displays rich information about the vulnerabilities by severity and the type of vulnerability found in scans.

teaceable_ast_suites_suite_details(2)


The Suites detail page has three tabs: Vulnerabilities, Scans, and Details.

Scans tab

The Scans tab lists all the scans that have run, or queued for the Suite. You can click on any scan to view more information about each scan. The Scan tab shows the following information for each scan:

  • Overview — Provides various details about the scan, such as the environment scanned, number of APIs scanned, traffic type, etc.

  • API coverage — The API Coverage tab provides information under the following categories:

    • APIs scanned — This tab lists all the APIs scanned, the vulnerability found in each scanned API, the number of tests generated and executed for each API, and other high-level information about each API.

    • APIs not scanned — This tab provides information about the APIs that were not scanned and the reason for them not being scanned.

    • API reachability — This tab lists all the APIs that are reachable, not reachable, or return an error.

  • Tests — This tab lists all the tests that have been run across all the APIs. It also lists the vulnerabilities found across all the tests. You can filter these results based on API endpoint, which shows all the tests run on an API, or based on a specific vulnerability to see in which APIs a specific vulnerability exists, etc.

  • Logs — This tab lists the scan logs. You can down load the log for further analysis. You can choose to display the first 500 lines of the log, the last 500 lines of the log, etc.

While the above details are present for each scan, traces are not shown in the following scenarios:

  • APIs not instrumented — If a scan is run against APIs that are not instrumented by any of the Traceable’s tracing agents, then traces are not found for the scan results. This mostly occurs in DAST scans that are run using specifications like Open API Spec, Postman Collection, or GraphQL Schema. However, if the DAST scan internally uses replay data, then traces are found.

  • APIs are instrumented but devoid of live traffic — If the API under test is instrumented but has not seen any live traffic with an error-free response code, then Traceable does not show that API in the API Catalog. When scans are run against such APIs and if the AST attack test request receives only error response codes, Traceable does not register these APIs. This is because API Catalog only registers an API upon seeing an error-free response code. Therefore, traces are not found in such APIs.

  • Error in generating or sending request — If Traceable CLI encounters an error while creating an while creating an attack request or fails to send it due to some reason, the test results in an error and traces are not found for that API.

  • Passive and TLS test — AST has passive plugins that do not send any attack request to APIs under test but check the original request for any vulnerabilities. Similarly, TLS tests are connected to the host or domain and not the API. In both scenarios, traces are not found.

  • Tests older than one week — Traceable, by default has a trace retention period of one week. So, if the test is older than a week, traces are not found for it.

Details tab

The details tab provides a summary of the Suite. It gives basic information, such as the Suite name, policy name, the type of traffic, etc. It also gives you information about the assets, the kind of traffic, etc.

Delete a suite

You can delete a suite from the Details tab.

Note

A suite once deleted, cannot be restored.

traceable_ast_suite_details(1)


Was this article helpful?

ESC

Eddy, a generative AI, facilitating knowledge discovery through conversational intelligence