- 18 Mar 2024
Vulnerabilities are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. The vulnerability-management life cycle process helps identify and remediate security risks before threat actors can exploit them. The life cycle includes being aware of all the assets in your organization, carrying out a vulnerability scan, assessing the risks, and taking action to mitigate those risks. Traceable’s API Security Testing (AST) can help you with a vulnerability scan.
Traceable identifies assets or the API endpoints and services in your environment through the discovery process. After Traceable discovers the API endpoints, it does a vulnerability scan on APIs and the associated services and displays them in the Vulnerability section.
Vulnerability-management life cycle
Based on the vulnerabilities identified, you can carry out a risk assessment of the API endpoint. Traceable also provides possible remediation. Once you have applied the remediation, verify that your API is secure. Traceable continuously monitors the API endpoints that you have remediated and secured. It reports a vulnerability if it finds any in the future; hence, continuous monitoring is essential.
Vulnerability summary
The Vulnerabilities page displays a summary of vulnerabilities for both External and Internal APIs. The integrated Vulnerabilities page shows vulnerabilities found both during runtime protection and during API security testing (AST); these two groups are categorized by source:
- Live Traffic
- AST
The Vulnerabilities dashboard provides the following information:
Vulnerabilities
The vulnerabilities section shows:
The total number of vulnerabilities across APIs since you created your account with Traceable. For example, in the above screenshot, the total number of vulnerabilities is 2.77K.
Status
The status section shows:
The total number of open vulnerabilities since you created your account with Traceable.
The number of resolved, under review, fixed, and accepted risk vulnerabilities.
Severity
The severity is categorized as critical, high, medium, and low.
Vulnerability details
To view the details of each vulnerability, click on it, as shown in the screenshot below. In the table, you can also view the number of API endpoints associated with each type of vulnerability. These vulnerabilities are specific to an environment; alternatively, you can view them for all environments, as shown below. For example, in the screenshot below, the Query Param Contains Sensitive Data vulnerability is found in 430 API endpoints.
The vulnerabilities table, shown below, displays the source of the vulnerability, CVSS score, severity, whether the vulnerability belongs to any OWASP API Top 10 category, and when it was last seen.
The vulnerability detail page provides many details about the vulnerability. To view the details about a specific vulnerability, click on the vulnerability. The details page, as shown below, displays when the vulnerability was first found and how recently it was seen again. The page also displays all the APIs in which the vulnerability was found.
You can also view the description, the method to mitigate this vulnerability and the impact that the vulnerability may have on your system. The page also provides the attack methodology that the attacker may use to exploit the vulnerability.
Evidence
Traceable gathers evidence for each vulnerability that it has seen in your environment. You can view this evidence when you click on the API endpoint. The evidence shown is from the last 24 hours. You can view the detailed span for each piece of evidence.
Types of vulnerabilities
Traceable, based on its continuous learning, detects the following types of vulnerabilities:
Category | Vulnerability Type
---|---
Insecure Design |
Remote Code Execution |
Security Headers |
Authentication |
SQL Injection |
Data Exposure |
JSON Web Token (JWT) |
Improper asset management |
Business logic |
Security misconfiguration |
Access control |
TLS |
Authorization |
Cross-site scripting |
Server-side request forgery |
You can view the description and mitigation for each vulnerability in the vulnerability UI.
Vulnerability status
You can manually change the state of the detected vulnerability to any of the following:
Open — Traceable has detected a vulnerability.
Under review — Vulnerability has been acknowledged. You are taking steps to close the vulnerability.
Fixed — The vulnerability has been closed. Traceable keeps monitoring the asset (API endpoint or service) even after you have marked it as fixed. If Traceable finds new vulnerabilities, it automatically moves them to an Open state for you to review and resolve.
Not a vulnerability — Move the vulnerability to Not a vulnerability state when you do not want Traceable to report it. If Traceable keeps seeing this category of vulnerability, it does not move it to an open state.
Accepted risk — You can move the vulnerability to this state when you understand the impact and accept the risk.
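The following is an added example, not Traceable's code, that models the status life cycle and dashboard counts described above: a small tracker that ingests scan results, reopens a finding marked Fixed when it is seen again, keeps a finding marked Not a vulnerability suppressed, and computes the Status and Severity summary. The endpoint paths, vulnerability names and severities in the test data are constructed, and the handling of states the page does not specify (Open, Under review, Accepted risk on re-detection) is an assumption noted in the comments.

```python
from dataclasses import dataclass
from collections import Counter

# Status names as listed on the Vulnerabilities page.
OPEN, UNDER_REVIEW, FIXED, NOT_A_VULN, ACCEPTED_RISK = (
    "Open", "Under review", "Fixed", "Not a vulnerability", "Accepted risk")
MANUAL_STATES = {OPEN, UNDER_REVIEW, FIXED, NOT_A_VULN, ACCEPTED_RISK}


@dataclass
class Finding:
    endpoint: str      # API endpoint the vulnerability was found on
    vuln_type: str     # e.g. "Query Param Contains Sensitive Data"
    severity: str      # critical / high / medium / low
    status: str = OPEN

    def set_status(self, new_status: str) -> None:
        """Manual state change an analyst makes in the UI."""
        if new_status not in MANUAL_STATES:
            raise ValueError(f"unknown status: {new_status}")
        self.status = new_status

    def on_redetected(self) -> str:
        """Continuous-monitoring rule when the same vulnerability is seen again:
        Fixed is reopened as Open; Not a vulnerability stays suppressed.
        Other states are left unchanged (assumption: not specified by the page)."""
        if self.status == FIXED:
            self.status = OPEN
        return self.status


def ingest_scan(tracker: dict, scan_results: list) -> dict:
    """Merge one scan into the tracker keyed by (endpoint, vuln_type).
    Unknown pairs open a new finding; known pairs apply the re-detection rule."""
    for endpoint, vuln_type, severity in scan_results:
        key = (endpoint, vuln_type)
        if key in tracker:
            tracker[key].on_redetected()
        else:
            tracker[key] = Finding(endpoint, vuln_type, severity)
    return tracker


def summary(findings) -> dict:
    """Counts shown in the dashboard's Vulnerabilities, Status and Severity sections."""
    findings = list(findings)
    by_status = Counter(f.status for f in findings)
    by_severity = Counter(f.severity for f in findings)
    return {"total": len(findings), "open": by_status[OPEN],
            "by_status": dict(by_status), "by_severity": dict(by_severity)}
```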