A newly available web application and API protection product led the ranks of products compared by SecureIQLab in comparative tests.
Traceable by Harness, which merged with its sister DevSecOps company Harness.io in January, released its web application and API protection (WAAP) offering April 24. The Traceable Cloud WAAP product adds a web application firewall (WAF), bot mitigation and distributed denial-of-service (DDoS) protection to Traceable's existing API security tools.
One early adopter of Traceable Cloud WAAP said it stood out from competitors in API security and WAAP because of its approach to AI-driven behavioral analysis of data from API calls, user sessions and network traffic flows.
"This behavioral model is only effective if you can understand the data over a fairly long period and understand what normal looks like," said Kris Jackson, senior vice president and director of cybersecurity engineering and operations at BOK Financial, a financial services firm in Tulsa, Okla.
"I'm able to follow a session through what could be an hour or two of behavior and understand the journey through that entire [process]," Jackson said. "The other API security vendors in this space do time windowing of about five minutes, so if an event takes more than five minutes to materialize into something suspicious, they don't have that context window."
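The context-window difference Jackson describes can be made concrete with detection logic over sample traffic. The following is an added example, not code from Traceable, BOK Financial or SecureIQLab: it runs one simple rule (too many distinct object ids touched by one session) two ways, first inside fixed five-minute buckets, then across the whole session, splitting only on a long inactivity gap. The log format, field names, the 30-minute inactivity gap and the threshold of five ids are assumptions made for the demo, and the log lines are constructed.

```python
"""
Added example (not any vendor's code): the same per-session rule evaluated
over fixed five-minute windows versus over the whole session journey.
Log format, thresholds and sample lines are assumptions for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(minutes=5)           # fixed window the article attributes to other vendors
SESSION_GAP = timedelta(minutes=30)     # inactivity that ends a logical session (assumption)
DISTINCT_ID_THRESHOLD = 5               # distinct object ids before a session looks like enumeration (assumption)

# Constructed sample: session s-42 walks through eight account ids slowly, one
# request every four minutes; session s-7 behaves normally over three minutes.
SAMPLE_LOG = """\
2025-05-01T10:00:00Z s-42 GET /api/v1/accounts/1001 200
2025-05-01T10:01:00Z s-7 GET /api/v1/accounts/1001 200
2025-05-01T10:02:00Z s-7 GET /api/v1/accounts/1001 200
2025-05-01T10:03:00Z s-7 GET /api/v1/accounts/2002 200
2025-05-01T10:04:00Z s-42 GET /api/v1/accounts/1002 200
2025-05-01T10:08:00Z s-42 GET /api/v1/accounts/1003 200
2025-05-01T10:12:00Z s-42 GET /api/v1/accounts/1004 200
2025-05-01T10:16:00Z s-42 GET /api/v1/accounts/1005 200
2025-05-01T10:20:00Z s-42 GET /api/v1/accounts/1006 200
2025-05-01T10:24:00Z s-42 GET /api/v1/accounts/1007 200
2025-05-01T10:28:00Z s-42 GET /api/v1/accounts/1008 200
"""


def parse_log(text):
    """Parse constructed lines of the form '<iso-ts> <session> <method> <path> <status>'."""
    records = []
    for line in text.strip().splitlines():
        ts, session, method, path, status = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": session,
            "method": method,
            "path": path,
            "status": int(status),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def object_id(path):
    """Treat the last path segment as the object identifier (assumption about the API shape)."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def flag_fixed_windows(records):
    """Count distinct ids per (session, five-minute bucket); flag sessions whose
    activity inside any single bucket crosses the threshold."""
    buckets = defaultdict(set)
    for r in records:
        bucket = (r["ts"] - EPOCH) // WINDOW      # integer bucket index since epoch
        buckets[(r["session"], bucket)].add(object_id(r["path"]))
    return sorted({s for (s, _), ids in buckets.items() if len(ids) >= DISTINCT_ID_THRESHOLD})


def flag_sessions(records):
    """Follow each session across its whole journey, resetting only after a long
    inactivity gap, and flag it once the distinct-id count crosses the threshold."""
    flagged = set()
    last_seen, ids = {}, defaultdict(set)
    for r in records:
        s = r["session"]
        if s in last_seen and r["ts"] - last_seen[s] > SESSION_GAP:
            ids[s] = set()                        # gap too long: start a new logical session
        last_seen[s] = r["ts"]
        ids[s].add(object_id(r["path"]))
        if len(ids[s]) >= DISTINCT_ID_THRESHOLD:
            flagged.add(s)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fixed 5-minute windows flag:", flag_fixed_windows(recs))   # []
    print("whole-session tracking flags:", flag_sessions(recs))       # ['s-42']
```

With these inputs the slow walk through account ids never exceeds two distinct ids inside any five-minute bucket, so the windowed evaluation reports nothing, while the session-scoped evaluation flags s-42 at its fifth id, about sixteen minutes in. The point is the aggregation scope rather than the rule itself: any rule that counts over a window is blind to behaviour that unfolds more slowly than the window.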
Traceable tops WAAP tests
This approach also prevailed when Traceable Cloud WAAP was among 11 vendors tested this year by SecureIQLab. This was the fourth annual test by the independent lab, which subjected applications and APIs protected by the products to more than 1,360 types of attacks. The attacks were based on industry frameworks such as the OWASP Top 10, MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain.
Traceable Cloud WAAP was compared with similar products from Akamai, AWS, Barracuda, Check Point, Cloudflare, Fortinet, Imperva, Microsoft, Prophaze and Ubika. SecureIQLab scored the WAAP tools on security efficacy and operational ease of use, and gave each an overall security score. Complete Security Scores averaged 74.5% this year, down 11% from 2024, but Traceable scored highest, at 99.3%. This was partly due to its strength in API security, but it was also the only vendor tested that scored a perfect 100% for the effectiveness of its WAF against the OWASP Top 10 Web Application Security Risks.
Traceable Cloud WAAP also scored a perfect 100%, along with Akamai, in the advanced threat coverage tests, which assessed products against bot and Layer 7 DDoS attacks and rated the resiliency and vulnerability of the WAAP tools themselves. In operational efficiency, which assessed factors such as ease of use, auditing and logging capabilities, Traceable scored slightly lower than Fortinet, which topped the list at 96.2%; Traceable tied Imperva in this category with a score of 95.7%. Imperva and Akamai also edged out Traceable with 100% scores in false positive avoidance, while Traceable scored 99.86%.
David Ellis, vice president of research and corporate relations at SecureIQLab, said in an interview with Informa TechTarget that vendors were invited to participate but did not pay SecureIQLab to perform the tests. Traceable was among the vendors that donated products to complete the tests; SecureIQLab purchased others. SecureIQLab attempted but did not complete testing on products from F5, Fastly, Google and Radware.
"We work with the Anti-Malware Testing Standards Organization (AMTSO) [to] publicly develop a [testing] methodology," Ellis said. "We have a documented process in keeping with the AMTSO standard, because we want to make sure that we're transparent … [and] we're not going to treat one vendor better than another. We fund the testing so that we are not beholden to one vendor over another."
Further Harness integration ahead
Sudhir Patamsetti, senior director of product management at Traceable, said the vendor's API security testing features are integrated with Harness CI/CD tools. The goal is to extend the integration to automate the feedback loop between developers and production apps.
"For example, [if] there's a vulnerability identified during testing, but the developers don't have enough time to fix it, the feedback loop comes to the WAAP module, and we can create virtual patching rules on the fly to protect these application APIs against exploits during runtime," he said. "So there will be a flow of information between the earliest stages of the SDLC [software development lifecycle] and the runtime phase."
Traceable might not necessarily have the name recognition of larger cybersecurity platform vendors such as Akamai, Cloudflare, F5, Imperva and Palo Alto Networks, as large enterprises increasingly seek soup-to-nuts IT and cybersecurity vendors, said Christopher Rodriguez, an analyst at IDC. But for midmarket companies that focus on cloud-native web applications and DevSecOps workflows, Traceable's API security and support for shift-left testing will also stand out.
"API security is the hardest part [of WAAP]," Rodriguez said. "A lot of companies have talked about 'shift left,' but it happens a lot more with security testing companies rather than active runtime protection [vendors]."
Traceable's WAAP will lend itself more to collaboration among security, developer and ops teams centered around CI/CD pipelines, Rodriguez said.
"If developers can just get the policies, protections and configurations from the security organization, they can go faster to market like that, rather than having to say, 'Okay, we're just about ready to go put this in production, but we need to wait for the security team to configure the firewall and set it up,'" he said.
Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps.