Jyoti Bansal
Sanjay Nagaraj
Today, we are beyond excited to bring Traceable out of stealth mode and to give the company it’s official “Hello World!” moment! The talented team at Traceable welcomes you to join in the celebration.
We founded Traceable as part of BIG Labs about 18 months ago with the goal of building a world-class company, team, and product all dedicated to protecting modern, cloud-native applications from both known and yet-to-emerge security threats. There is a lot packed into that last sentence, so let’s dig in a little deeper and explain what Traceable is and why we founded the company.
Emergence of cloud-native architectures and API-centric attacks
When we were at AppDynamics, we witnessed first hand the massive adoption of what is now known as cloud-native application architectures taking place across organizations of all sizes. The migration from monolithic applications to microservice architectures was underway and it became clear that application security was a top concern for these organizations. And rightfully so. The move from a 3-tier architecture to microservices made the applications more distributed and API centric and exposed internal business logic. The APIs and protocols also evolved from proprietary to standardized protocols, like REST, GraphQL, GRPC, and with flexible data structures in JSON and YAML allowing for frequent evolution. Hackers, always the opportunists, saw the gap and took advantage. New category of API-centric attacks emerged and became so dangerous that the OWASP API project was born to help educate security professionals about these new threats.
At Traceable, we studied these new attack types, we came to understand that most are impossible to detect and prevent without understanding how an application is intended to work. Hackers use purposely exposed APIs to mimic business logic in order to execute their attacks unnoticed. To detect and prevent these attacks you need to first understand normal user behavior and application logic and then be able to identify in real-time when a user and the code’s business intent is deviating from the norm. For example, a recent bug with object authorization in Facebook Creator studio allowed users to add random (including somebody else's!) images as “Poster Art” to their projects. Deleting the project summarily deleted added images. So potentially you could lose all of your favorite family snapshots and you may not have even been subscribed to the Facebook Creator service. While that’s just one simple example, it highlights the essence of what Traceable does. We learn how an application is intended to work, detect when users are attempting to deviate from the normal application flow, and prevent them from doing so. And we can do this for applications with thousands of microservices and APIs, deployed in containers in the public cloud managed by Kubernetes.
How Traceable works
You’re probably wondering… ‘OK, that’s pretty amazing but how does Traceable do it?’ We’re glad you asked. We won’t get into all of the details here since you can learn more on our website and register for our overview webinar, but it all starts with distributed tracing. Traceable agents, deployed inside your application, API gateways, and Kubernetes clusters, automatically collect all the necessary data to paint a full, end-to-end picture of a user’s application activity. This data is then analyzed by TraceAI machine learning to understand normal application behavior and to identify deviations from the norm. With trace data and the TraceAI analysis, we give you the ability to:
APIs and code being the primary attack vector, we strongly believe that developers need to play an active role in application security. Whether you’ve bought into the DevSecOps movement yet or not, one thing is clear: developers and security engineers need to work together to secure applications and to respond to threats when they occur. Traceable facilitates this coordinated effort in securing and protecting applications by providing security, development, and DevOps professionals with critical data and insights related to their domain of expertise. The Traceable platform brings these often disparate teams together to respond to threats and fix vulnerabilities at least 10x faster. Security engineers will have full and accurate visibility into application topology, data flow, and even API specifications. And developers won’t get random log files thrown over the fence anymore. Instead, a highly coordinated, cross-functional team armed with Traceable will ensure your applications, APIs, and data are secure and protected from the threats of today and tomorrow.
Hypertrace - open-source distributed tracing
We are also announcing today that the underlying distributed tracing and observability technology we built at Traceable that powers the Traceable platform has been released as an open source project, dubbed Hypertrace. With Hypertrace, developers get a free and open source distributed tracing and observability platform that collects distributed traces, stores, aggregates, and enriches observability data, and provides observability into your application architecture. It includes global, service and backend dashboards, allowing teams fast insight into service level objectives. Visit hypertrace.org to learn more about Hypertrace, join the community, start contributing to the project, and of course deploy the project in your environment to start tracing your microservices. Learn more about Hypertrace on the project website.
Our journey ahead
We are proud of the amazingly talented people who are part of the team. This entire team looks forward to the months and years ahead as we continue to build the world’s most comprehensive application security platform. Today, we are emerging from stealth with $20M of Series-A funding, but our journey is just starting. We hope you will join us on this journey and let us secure your apps!
Jyoti & Sanjay
Recommended reads.
An introduction to anomaly detection in the context of distributed tracing.
An introduction to anomaly detection in the context of distributed tracing.
