Issues
  • 01 May 2024

Article Summary

Issues are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. The issue-management life cycle process helps identify and remediate security risks before threat actors can exploit them. The life cycle includes being aware of all the assets in your organization, carrying out an issue scan, assessing the risks, and taking action to mitigate those risks. Traceable’s API Security Testing (AST) can help you with an issue scan.

Traceable identifies assets, that is, the API endpoints and services in your environment, through the discovery process. After Traceable discovers the API endpoints, it runs an issue scan on the APIs and their associated services and displays the results in the Issues section.

Issue-management Life Cycle

Based on the issues identified, you can carry out a risk assessment of the API endpoint. Traceable also provides possible remediation. Once you have applied the remediation, verify that your API is secure. Traceable continuously monitors the API endpoints that you have remediated and secured. It reports an issue if it finds any in the future; hence, continuous monitoring is essential.

Issue Summary

The Issues page displays a summary of issues for both External and Internal APIs. The integrated issues pages display issues found during runtime protection, API security testing (AST), or detected by a compliance policy. These three issue groups are categorized by source:

  • Live Traffic

  • AST

  • Compliance


The Issues dashboard provides the following information:

Issues

The issues section shows:

  • The total number of issues across APIs since you created your account with Traceable. For example, in the above screenshot, the total number of issues is 1.11K.

Status

The status section shows:

  • The total number of open issues since you created your account with Traceable.

  • The number of resolved, under review, fixed, and accepted risk issues.

Severity

The severity is categorized as critical, high, medium, and low.

Issue details

To view the details of each issue, click on it, as shown in the screenshot below. In the table, you can also view the number of API endpoints associated with each type of issue. These issues are specific to an environment; alternatively, you can view them for all environments, as shown below. For example, in the screenshot below, the Lack of Encryption issue is found in 15 API endpoints.

The issues table, shown below, displays the source of the issue, CVSS score, severity, whether the issue belongs to any OWASP API Top 10 category, and when it was last seen.

Issue Selection

The issue detail page provides many details about the issue. To view the details about a specific issue, click on the issue. The details page, as shown below, displays when the issue was first found and how recently it was seen again. The page also displays all the APIs in which the issue was found.

You can also view the description, the method to mitigate the issue, and the impact that the issue may have on your system. The page also provides the attack methodology that an attacker may use to exploit the issue.

Evidence

Traceable gathers evidence for each issue that it has seen in your environment. You can view this evidence when you click on the API endpoint. The evidence shown is from the last 24 hours. You can view the detailed span for each piece of evidence.

Issue Evidence

Types of Issues

Traceable, based on its continuous learning, detects the following types of issues, grouped by category:

Insecure Design

  • Query params contain sensitive data

  • Lack of encryption

  • API params contain URL

  • HTTP redirect

  • Insecure HTTP method

  • Username and password enumeration

  • Regex DOS

Remote Code Execution

  • Java Log4Shell

  • Buffer overflow

  • Integer overflow error

Security Headers

  • HSTS header misconfiguration

  • Missing nosniff in content type options header

  • CSP header misconfiguration

Authentication

  • Basic authentication method

  • Unauthenticated access

  • Weak password

SQL Injection

  • Blind SQL injection

  • Error-based SQL injection

Data Exposure

  • Excessive data exposure

JSON Web Token (JWT)

  • JWT token expiry

  • JWT weak algorithm

  • JWT algorithm confusion

  • JWT invalid signature

  • JWT JKU misuse

  • JWT missing audience claim

Improper asset management

  • Multiple versions of API

Business logic

  • Parameter pollution

  • Mass assignment

Security misconfiguration

  • HTTP only site

  • Server version disclosure

  • .env information leak

  • HTTPS not accessible

  • Directory listing leak

Access control

  • Rate limiting

TLS

  • TLS not implemented

  • TLS/DTLS CBC attack (Lucky13, CVE-2013-0169)

  • Self-signed certificate

Authorization

  • Broken object-level authorization

  • Broken function-level authorization

Cross-site scripting

  • Reflected cross-site scripting

Server-side request forgery

  • Server-side request forgery blind

You can view the description and mitigation for each issue in the Issues UI.
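To make the Security Headers and JSON Web Token (JWT) categories above concrete, here is an added example of the kind of checks a defender can run against an API response and a bearer token to map findings onto those issue-type names. This is illustrative code written for this article, not Traceable's detection logic. It assumes HMAC-SHA256 (HS256) as the algorithm the API pinned at deployment, a one-year minimum HSTS max-age, a trusted JKU prefix, and a constructed demo key; all sample inputs are constructed.

```python
"""Added example (not Traceable's code): map HTTP response headers and a bearer
JWT onto some of the issue types listed in the table above. All inputs are
constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

SAMPLE_KEY = b"constructed-demo-key-not-for-production"      # constructed
TRUSTED_JKU_PREFIX = "https://auth.example.internal/"        # assumed allowlist
MIN_HSTS_MAX_AGE = 31536000                                  # assumed: one year


def check_security_headers(headers: dict) -> list:
    """Return issue-type names from the Security Headers category."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("HSTS header misconfiguration")
    else:
        directives = {d.strip().split("=")[0].lower(): d.strip() for d in hsts.split(";")}
        max_age = directives.get("max-age", "max-age=0").split("=")[-1]
        if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            issues.append("HSTS header misconfiguration")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("Missing nosniff in content type options header")
    csp = h.get("content-security-policy")
    # Treat an absent policy, or one that allows inline scripts or any origin, as misconfigured.
    if csp is None or "unsafe-inline" in csp or "default-src *" in csp:
        issues.append("CSP header misconfiguration")
    return issues


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build an HMAC-SHA256-signed token for the sample inputs (constructed data).
    The alg parameter only sets the header value, so confused headers can be simulated."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def check_jwt(token: str, key: bytes, expected_alg: str, now=None) -> list:
    """Return issue-type names from the JWT category.

    Verification is HMAC-SHA256 only (assumption), so expected_alg is normally
    "HS256"; any other header alg is reported rather than trusted."""
    now = time.time() if now is None else now
    issues = []
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        claims = json.loads(_b64url_decode(p_seg))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JWT segments must be JSON objects")
    except ValueError:
        return ["JWT invalid signature"]  # unparseable token: fail closed
    alg = header.get("alg", "none")
    if alg == "none":
        issues.append("JWT weak algorithm")
    elif alg != expected_alg:
        issues.append("JWT algorithm confusion")
    else:
        expected = hmac.new(key, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_seg)):
            issues.append("JWT invalid signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        issues.append("JWT token expiry")
    if "aud" not in claims:
        issues.append("JWT missing audience claim")
    jku = header.get("jku")
    if jku is not None and not jku.startswith(TRUSTED_JKU_PREFIX):
        issues.append("JWT JKU misuse")
    return issues


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_hs256_token({"sub": "u1", "aud": "api", "exp": now - 1}, SAMPLE_KEY)
    print(check_jwt(token, SAMPLE_KEY, "HS256", now=now))  # ['JWT token expiry']
```

The JWT check deliberately skips signature verification when the header algorithm is `none` or differs from the pinned algorithm: a verifier that switches algorithms based on the untrusted header is the condition the "JWT algorithm confusion" issue type describes, so the mismatch is reported instead of honoured.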


Issue Status

You can manually change the state of the detected issue to any of the following:

  • Open — Traceable has detected an issue.

  • Under review — The issue has been acknowledged. You are taking steps to close it.

  • Fixed — The issue has been closed. Traceable keeps monitoring the asset (API endpoint or service) even after you have marked it as fixed. If Traceable finds new issues, it automatically moves them to an Open state for you to review and resolve.

  • Not an issue — Move the issue to the Not an issue state when you do not want Traceable to report it. If Traceable keeps seeing this category of issue, it does not move it back to an Open state.

  • Accepted risk — You can move the issue to this state when you understand and accept the impact.


Issue Deletion

You can delete detected issues from the Issue Summary section by changing their status to Fixed or Not an issue. Traceable also deletes issues if they are deleted from all Sources. For example, let us say an issue has Live Traffic and AST as the Source. Then, Traceable deletes the issue when it is deleted from both Sources.

