Suites
  • 26 Mar 2024
  • 6 Minutes to read

AST Suites provides a summarized view of vulnerabilities across a set of scans. The displayed suites are environment-specific, or you can view the suites for all the environments together. Using Suites, you can also create scans. Note that you must choose a specific environment to create a scan. The following screenshot shows the Suites dashboard.


In the above screenshot, All Environments is selected from the drop-down list. Hence, Quick Scan and Create Suite are greyed out. The Suites dashboard in the above screenshot shows three suites across all the environments. Following is a summary of information that is available from the dashboard:

  • A total of four suites are displayed in the Suites dashboard.

  • If you hover over a scan, as shown for Quickscan above, you can view the number of Low, Medium, High, and Critical vulnerabilities found in that scan.

  • Except for Quickscan, all the suites are based on a scan policy. As you can see, the other three suites are attached to the allattackspolicy policy.

  • A total of 1.59K scans were completed, 0 scans were scheduled, seven scans were aborted, and 0 scans are running.


XAST live, XAST replay, and DAST

As explained in the next section, the creation of a suite is based on the choice of traffic from XAST live, XAST replay, and DAST. This section explains what these are and the benefits of choosing one of them.

XAST live

XAST uses live traffic to secure your APIs without needing extra setup or authentication. XAST Live uses existing traffic from tests and applies innovative changes to simulate attacks, finding vulnerabilities in real-time. Following are a few benefits of using XAST live traffic:

  • No extra configuration — You can utilize the existing test environments and authentication mechanism.

  • Real-time testing — You can assess your API security against live traffic for immediate feedback.

  • Actionable insights — Receive specific, direct information to remediate potential threats quickly.

XAST replay

Traceable’s xAST Replay feature provides the distinct ability to replay historical traffic, including authentication data, for comprehensive vulnerability testing. This approach guarantees that previous traffic patterns are thoroughly examined and that historical data informs your API's security measures. Following are a few benefits of using XAST replay traffic:

  • Historical Context — Employ historical data to conduct thorough vulnerability assessments, reducing reliance on current data availability and expanding coverage.

  • Authentication Testing — Assess security by testing custom authentication methods and role-based access controls, including replay attacks.

  • Precise Vulnerability Detection — Re-enact specific traffic scenarios to identify weaknesses and vulnerabilities in the system precisely.

DAST

Traceable's Dynamic Application Security Testing (DAST) Scan surpasses conventional DAST solutions by integrating API context and leveraging data-informed insights, enhancing detection capabilities. Following are a few benefits of using DAST scan:

  • Advanced Detection — Leverage our contextually rich analysis to identify vulnerabilities accurately.

  • Integration Readiness — Seamlessly integrate testing by utilizing OpenAPI specifications or Postman collections.

  • Data-Driven Insights — Harness Traceable's data intelligence to improve the accuracy of vulnerability assessment results.


Create a suite

To create a new suite, select the Environment for which you wish to create a suite. Then click on Create Suite from your environment-specific suite page, as shown below.


Creating a suite consists of the following four steps:

  1. Choosing a policy for the suite and giving other details like the type of traffic.

  2. Choosing the assets (API endpoints) on which you wish to run the scan.

  3. Setting up the schedule (optional) and a few other configurations.

  4. Optionally adding an integration.

Step 1 — Provide details

As part of step 1 to create a Suite, provide the following details:

  • Name — Provide a name that will help you identify the Suite. The name should not have any spaces.

  • Policy — Select a policy from the drop-down list. Every scan is associated with an existing policy; a policy is required unless you run a Quick Scan.

  • Traffic type — Choose a traffic type from XAST live, DAST, or XAST replay.

    • XAST replay — The XAST replay scan is executed using stored API traffic. This is possible only for environments in which replay is enabled. For more information, see Environment Config.

    • DAST — You can run a DAST scan using an existing OpenAPI spec or upload a new one. You can select one or more OpenAPI specs, or upload a Postman collection to run the DAST scan.

    • XAST live — Run the scan on live traffic.

  • Environment — The environment for which you want to run the AST scans. Since Suite is environment-specific, this is preselected based on the environment you selected from the Environment drop-down. For example, the HighTechApp environment is specified in the above screenshot.

  • Target URL — Configure this option to test a specific domain, such as mydomain.com. This is optional when you use live traffic, because AST targets the domain to which the live traffic is going. It is mandatory if you selected DAST.

Step 2 — Choose assets

In step 2, choose the assets you wish to run the scan on. You can choose from:

  • All Endpoints

  • A set of Endpoints

  • Services

  • Endpoint Labels — All Endpoints tagged with a specific label, such as critical, sensitive, external, etc.

  • Filter endpoints — You can create your own filter to choose the endpoints you want to scan. For example, you can select all external APIs, APIs with the GET method, APIs with sensitive data, etc. In the screenshot below, all external APIs with the GET method will be scanned.

Advanced configuration

The advanced configurations are optional. You can specify an include URL regex; Traceable includes in the scan only the incoming traffic whose URL matches it. Similarly, you can specify an exclude URL regex; incoming traffic whose URL matches it is excluded from the scan.
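The Step 2 endpoint filter (for example, all external APIs with the GET method) and the include/exclude URL regex pair above combine to define the scan scope. The following is an added example, not Traceable's own code, that models that selection over a constructed endpoint inventory. The Endpoint shape, the attribute names, and two behaviours are assumptions: the exclude regex wins when both patterns match a URL, and patterns are searched anywhere in the URL rather than anchored.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass(frozen=True)
class Endpoint:
    # Assumed shape of an API asset as the Step 2 picker would present it
    # (an illustration, not Traceable's data model).
    method: str
    url: str
    external: bool = False
    sensitive: bool = False
    labels: frozenset = field(default_factory=frozenset)


# Constructed sample inventory; none of these are real services.
SAMPLE_ENDPOINTS: List[Endpoint] = [
    Endpoint("GET", "https://api.example.com/v1/users/{id}", external=True,
             sensitive=True, labels=frozenset({"critical"})),
    Endpoint("POST", "https://api.example.com/v1/users", external=True, sensitive=True),
    Endpoint("GET", "https://api.example.com/v1/health", external=True),
    Endpoint("GET", "https://api.example.com/internal/metrics"),
    Endpoint("GET", "https://api.example.com/v1/orders", external=True,
             labels=frozenset({"sensitive"})),
]


def select_assets(endpoints: Iterable[Endpoint], *, methods=None, external=None,
                  sensitive=None, labels=None) -> List[Endpoint]:
    """Step 2 attribute filter: every criterion that is given must hold (logical AND).
    `labels` matches when the endpoint carries any one of the given labels."""
    chosen = []
    for ep in endpoints:
        if methods is not None and ep.method not in methods:
            continue
        if external is not None and ep.external != external:
            continue
        if sensitive is not None and ep.sensitive != sensitive:
            continue
        if labels is not None and not (ep.labels & frozenset(labels)):
            continue
        chosen.append(ep)
    return chosen


def apply_url_regex(endpoints: Iterable[Endpoint], include_regex=None,
                    exclude_regex=None) -> List[Endpoint]:
    """Advanced configuration: keep only URLs matching include_regex (if set), then drop
    any matching exclude_regex. Assumptions: exclude wins when both match, and patterns
    are searched anywhere in the URL, so anchor them (^, $) yourself when you need to."""
    inc = re.compile(include_regex) if include_regex else None
    exc = re.compile(exclude_regex) if exclude_regex else None
    kept = []
    for ep in endpoints:
        if inc is not None and inc.search(ep.url) is None:
            continue
        if exc is not None and exc.search(ep.url) is not None:
            continue
        kept.append(ep)
    return kept


def scan_scope_urls(endpoints: Iterable[Endpoint], *, include_regex=None,
                    exclude_regex=None, **attribute_filters) -> List[str]:
    """Full Step 2 selection: attribute filter first, then the URL regex pair.
    Returns the in-scope URLs in inventory order."""
    scoped = apply_url_regex(select_assets(endpoints, **attribute_filters),
                             include_regex, exclude_regex)
    return [ep.url for ep in scoped]


if __name__ == "__main__":
    # The page's example (external APIs with the GET method), narrowed to /v1/ and
    # with the health check excluded so the scan does not spend tests on it.
    for url in scan_scope_urls(SAMPLE_ENDPOINTS, methods={"GET"}, external=True,
                               include_regex=r"/v1/", exclude_regex=r"/health$"):
        print(url)
```

Reviewing the resulting URL list before saving the suite is the cheap check: an unanchored include regex such as `/v1/` also matches any URL that merely contains that substring, and an over-broad exclude silently removes endpoints from coverage, which then appear under APIs not scanned.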

Authentication — You can also choose the authentication type. For more information on different authentication types, see Authentication.

Step 3 — Configurations

In step 3, optionally add a schedule for your scan. You can also configure the scan evaluation criteria, which decide the conditions under which a scan fails, based on the severity of the vulnerabilities found in the scan. Choose one of the following three default options, or create your own custom criteria:

  • Fail on any

  • Fail on critical

  • Fail on high and above

You can also set other configurations, such as idle timeout, scan timeout, delay between requests in milliseconds, and test execution threads.
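The three default evaluation criteria are thresholds on severity: "Fail on high and above" fails a scan with at least one High or Critical finding, "Fail on critical" only on a Critical finding, and "Fail on any" on any finding at all. The following is an added example, not Traceable's code, that applies those rules to a constructed set of Low/Medium/High/Critical counts such as the dashboard tooltip shows. The custom-criteria shape (a per-severity maximum count) is an assumption; the page only says that custom criteria can be created.

```python
from typing import Dict, Tuple

# Severity order as the Suites dashboard lists it (Low, Medium, High, Critical).
SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# The three default options from Step 3, each expressed as the lowest severity
# that causes the scan to fail.
DEFAULT_CRITERIA: Dict[str, str] = {
    "fail_on_any": "low",
    "fail_on_critical": "critical",
    "fail_on_high_and_above": "high",
}

# Constructed result (not a real scan): counts per severity for one scan.
SAMPLE_RESULT: Dict[str, int] = {"low": 4, "medium": 2, "high": 1, "critical": 0}


def _validated(finding_counts: Dict[str, int]) -> Dict[str, int]:
    """Reject unknown severity names so a typo in a result feed cannot silently pass a gate;
    severities that are absent count as zero."""
    unknown = set(finding_counts) - set(SEVERITY_RANK)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    return {sev: int(finding_counts.get(sev, 0)) for sev in SEVERITY_RANK}


def evaluate_default(finding_counts: Dict[str, int], criterion: str) -> Tuple[bool, Dict[str, int]]:
    """Apply one of the three default criteria.
    Returns (passed, counts of the severities that triggered the failure)."""
    counts = _validated(finding_counts)
    threshold = SEVERITY_RANK[DEFAULT_CRITERIA[criterion]]
    triggering = {sev: n for sev, n in counts.items()
                  if SEVERITY_RANK[sev] >= threshold and n > 0}
    return not triggering, triggering


def evaluate_custom(finding_counts: Dict[str, int],
                    max_allowed: Dict[str, int]) -> Tuple[bool, Dict[str, Tuple[int, int]]]:
    """Hypothetical custom criteria: a per-severity cap. The scan fails if any capped severity
    exceeds its cap; severities without a cap never fail. Returns (passed, {severity: (found, cap)})."""
    counts = _validated(finding_counts)
    unknown = set(max_allowed) - set(SEVERITY_RANK)
    if unknown:
        raise ValueError(f"unknown severities in caps: {sorted(unknown)}")
    violations = {sev: (counts[sev], cap) for sev, cap in max_allowed.items()
                  if counts[sev] > cap}
    return not violations, violations


if __name__ == "__main__":
    for name in DEFAULT_CRITERIA:
        passed, why = evaluate_default(SAMPLE_RESULT, name)
        print(f"{name:24s} -> {'PASS' if passed else 'FAIL'} {why}")
    print("custom high<=0, medium<=5 ->", evaluate_custom(SAMPLE_RESULT, {"high": 0, "medium": 5}))
```

With the sample counts, "Fail on critical" passes while "Fail on high and above" fails on the single High finding, which is the usual reason a team gating a pipeline on scan results starts with the Critical criterion and tightens it as the High backlog is cleared.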

Step 4 — Integrations

Step 4 is optional. You can currently integrate Snyk with the scans. For more information, see the Snyk topic.


Suite details

Once you have created a suite, the scans run according to your configured schedule and frequency. The scan results are the vulnerabilities found and are displayed as a bar chart on the Suites dashboard (as shown in the first screenshot).

When you click on a Suite, it displays rich information about the vulnerabilities by severity and the type of vulnerability found in scans.


The Suites detail page has three tabs: Vulnerabilities, Scans, and Details.

Scans tab

The Scans tab lists all the scans that have completed, are running, or are queued for the suite. Click on any scan to view more information about it. The Scans tab shows the following information for each scan:

  • Overview — Provides various details about the scan, such as the environment scanned, number of APIs scanned, traffic type, etc.

  • API coverage — The API Coverage tab provides information under the following categories:

    • APIs scanned — This tab lists all the APIs scanned, the vulnerabilities found in each scanned API, the number of tests generated and executed for each API, and other high-level information about each API.

    • APIs not scanned — This tab gives you information about the APIs that were not scanned and the reason they were not scanned.

    • API reachability — This tab lists all the APIs that are reachable, not reachable, or return an error.

  • Tests — This tab lists all the tests that have been run across all the APIs. It also lists the vulnerabilities found across all the tests. You can filter these results based on API endpoint, where it shows all the tests run on an API, or based on a specific vulnerability to see in which APIs a specific vulnerability exists, etc.

  • Logs — This tab lists the logs for the scan. You can download the log for further analysis. You can choose to display the first 500 lines of the log, the last 500 lines of the log, etc.

Details tab

The Details tab provides a summary of the Suite. It gives basic information, such as the Suite name, policy name, and the type of traffic. It also gives you information about the assets, the kind of traffic, etc.

Delete a suite

You can delete a suite from the Details tab.
