August
NG Production Release Update (August 01, 2025)
This release includes feature enhancements, customer-driven improvements, and key bug fixes to improve platform usability, security, and transparency.
Enhanced Reachability Checks with Header Support for Private APIs
- Building upon the Smarter Reachability Checks, the platform now supports custom headers during reachability testing for Private API instances.
- Some instance URLs require specific headers to validate access. Users can now include these headers to ensure successful reachability checks. Once reachability is confirmed, scans can run as expected.
- If the same headers are also required for the API endpoints, they can be added through parameter configuration (if defined in the OAS) or via authentication credentials when the values are consistent across all endpoints.
GraphQL Fixes and Enhancements
- Improved validation: Invalid types are now blocked, and default values can’t be null.
- Stability improvements: Addressed issues with injections, SDL splitting, and value entry in certain edge cases.
- Improved consistency: Variable names and types remain unchanged when using example queries.
Improved Scheduled Scan Reliability
We have addressed two separate issues affecting scheduled scans:
- Users can no longer delete authentication credentials tied to scheduled scans, preventing unexpected scan failures.
- If a scheduled scan is skipped due to a previously deleted authentication, the reason will now appear clearly in the activity logs.
Expanded Risk Acceptance Support for Tracked Issues
- Building on the ability to create tickets for vulnerabilities marked as Risk Accepted, the platform now also allows users to mark a vulnerability as Risk Accepted even if a ticket already exists in the issue tracker.
Enhanced Access Control for Shared Applications
- Access controls have been strengthened for users with "View" permissions when applications are shared. This update ensures users can no longer access restricted resources beyond their intended scope. A few remaining edge cases involving integrations are being addressed in upcoming updates.
OAS Parsing Improvements
- Curly (typographic) double quotes within JSON string values no longer need to be converted before upload; the parser now handles them directly, preventing data corruption during schema parsing.
Direct Access to Scan History and Details
- Scan History and Scan Details now have dedicated URLs that support direct access. Refreshing the browser on these pages no longer redirects users to the Application Details page.
HubSpot Integration for Support Tickets
- We have updated our support ticket system to integrate with HubSpot.
- While the "Contact Support" experience remains seamless within the platform, tickets are now routed through HubSpot to streamline tracking and response management.
Improved Tooltips for Scheduled Scans
- Tooltips in the Scheduled Scan section have been updated to clarify how profiles are used when creating or updating scans.
NG Production Release Update (August 08, 2025)
This release includes feature enhancements, customer-driven improvements, and key bug fixes to improve platform security, usability, and transparency.
Stronger Email Deliverability
We have implemented several measures to improve email reliability, particularly for corporate recipients where strict filters often block legitimate communication.
- Safer links: Replaced raw.githubusercontent.com links with apisec.ai domain links to avoid being flagged by spam filters.
- Aligned sender domains: Updated sending addresses to trusted domains such as noreply@apisec.ai or support@apisec.ai. In some cases, a subdomain like mailer.apisec.ai is used and aligned with Amazon SES identity to improve trust scores.
- Better formatting: All emails now include a plain-text version alongside HTML for greater compatibility.
- Improved images: Switched from SVG to PNG for broader email client support.
Email Auto-Suggestions for Team Management
- When creating or updating teams, administrators will now see auto-suggestions for email addresses as they type when adding owners or members.
- This reduces typing effort, minimizes errors, and speeds up team setup.
Full Compatibility with OpenAPI 3.1.x
- We have expanded our platform’s support for OpenAPI Specification (OAS) 3.1.x, ensuring that all native features, such as const, oneOf, anyOf, nullable, and example, are supported, along with enhanced JSON Schema compatibility.
GraphQL Fixes and Enhancements
We have addressed a few nagging issues in GraphQL, including:
- Fixed JSON values not saving or displaying correctly.
- Prevented the loss of original input parameters in the table when updating a query document.
RBAC Role Exclusion Bug Fix
- Excluding a role from RBAC not only removed it from scans but also deleted it from its associated authentication. This behavior has been corrected so that exclusion only affects RBAC dry runs and scans, leaving the authentication intact.
Easier Team and Business Unit Browsing
- Administrators can now view Teams and Business Units in alphabetical order on the Browse Teams page, making navigation quicker and more intuitive.
NG Production Release Update (August 14, 2025)
This release delivers feature enhancements, customer-driven improvements, and key bug fixes to boost platform flexibility, reliability, and user experience.
Token Placement in the Body Parameters
We have enhanced Custom Authentication to support placing authentication tokens inside request body parameters, in addition to headers and cookies.
- A new "BODY" placement type allows inserting static or dynamic tokens into body parameters.
- This enhancement is compatible with complex, multi-step authentication flows, including chained requests, cookie handling, and extracting values from headers or response bodies.
- The test service identifies these parameters and excludes them from injection or manipulation testing.
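To show how a BODY placement fits into a chained flow, here is an added Python example (not the platform's own code; the step format, dotted paths, and field names are assumptions): it extracts a token from a prior step's response, writes it into a body parameter, and reports which body parameters remain eligible for injection tests.

```python
import copy
import json

# Constructed sample: the response of the first (login) step of a chained auth flow.
LOGIN_RESPONSE = {
    "headers": {"Set-Cookie": "session=abc123; Path=/", "X-Request-Id": "r-1"},
    "body": '{"data": {"access_token": "tok-XYZ", "expires_in": 3600}}',
}


def extract(response, source, path):
    """Pull a dynamic value from a prior step.

    source is "header" (path = header name) or "body" (path = dotted JSON path).
    """
    if source == "header":
        return response["headers"][path]
    node = json.loads(response["body"])
    for part in path.split("."):
        node = node[part]
    return node


def place_in_body(body, path, value):
    """BODY placement: write value at a dotted path, creating nested objects as needed."""
    body = copy.deepcopy(body)           # never mutate the caller's request template
    node = body
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return body


def fuzzable_params(body, protected, prefix=""):
    """Dotted paths of body parameters a test may mutate; auth placements are skipped."""
    out = []
    for key, val in body.items():
        path = f"{prefix}{key}"
        if isinstance(val, dict):
            out.extend(fuzzable_params(val, protected, path + "."))
        elif path not in protected:
            out.append(path)
    return out


# Step 2 of the flow: a request whose body carries the token at auth.token.
TOKEN = extract(LOGIN_RESPONSE, "body", "data.access_token")
REQUEST_BODY = place_in_body({"query": {"q": "cats"}, "page": 1}, "auth.token", TOKEN)
PROTECTED = {"auth.token"}  # what the test service excludes from manipulation
```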
Reload Specification with API Gateway
Users can now fetch and update API specifications directly from AWS API Gateway.
- Applications are automatically linked with the gateway connection and the OpenAPI Specification (OAS) when an API is registered directly from the API Gateway.
- Starting with the upcoming sprint, applications linked to a gateway connection can be scheduled for automatic OAS reloads.
- Additionally, APIs onboarded via an API Gateway can now be reloaded using a file or URL when the gateway connection is offline.
Update and Delete Users
Tenant Administrators can now update and delete user accounts on the APIsec platform, in addition to creating them.
Enhancements to OAS Specification Error Logging
The OAS spec resolver service now logs exceptions in the activity log when issues occur during API onboarding, enabling users to review detailed error information.
GraphQL Improvements
The following fixes and improvements have been delivered:
- Ensures GraphQL selection sets always include at least one field.
- Supports JSON type for GraphQL input parameters.
- Preserves JSON parameter values during ADD operations by preventing variable map mutations.
- Marks operations as authenticated unless otherwise specified.
SwaggerHub API Gateway Integration
Improved error messaging for more effective troubleshooting of integration issues.
API Token Permission Handling
Corrected the handling of API token permissions to ensure proper access control.
Instance URL Reachability Testing
Resolved an issue with the display of required headers.
NG Production Release Update (August 22, 2025)
This release introduces advanced automation, enhanced usability, and targeted security improvements, empowering teams to maintain up-to-date specifications, streamline user and vulnerability management, and gain clearer insights into API security posture.
Auto-Reload Specification via API Gateway
Building on the Reload Specification via API Gateway capability introduced on August 14, 2025, the new Auto-Reload Spec feature enables scheduled synchronization of API specifications, ensuring accuracy with minimal manual effort.
- Supported Gateway: AWS API Gateway (initial release).
- Scheduling: Reload jobs can be scheduled weekly. More frequent synchronization options will be introduced in future updates.
- Configuration Options: During reload, users can configure whether to retain or remove:
  - Endpoints missing from the specification
  - Existing parameter values
  - Schema configurations
- Reliability: Helps keep API specifications current while avoiding accidental data loss.
- Access Control: Only Administrators and Application Owners with API Gateway access can schedule this task.
- Unlinking Behavior: If an API is unlinked from its application, the scheduled synchronization is automatically disabled.
- Logging: Scheduled activity status is available in the activity logs.
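The three retain-or-remove choices decide what survives a reload, so here is an added Python model of that merge (example code, not the platform's implementation; the option names, the "METHOD /path" keys, and the sample specs are assumptions). It shows how retaining values keeps user-entered test data from being overwritten by empty gateway defaults, and how the report feeds the activity log.

```python
from dataclasses import dataclass


@dataclass
class ReloadOptions:
    """One flag per "retain or remove" choice in the reload dialog (names assumed)."""
    remove_missing_endpoints: bool = False
    remove_parameter_values: bool = False
    remove_schema_configs: bool = False


# Constructed sample: what the application holds now vs. what the gateway returns.
# Endpoints are keyed "METHOD /path"; params hold user-entered test values.
EXISTING = {
    "GET /pets": {"params": {"limit": "10"}, "schema": {"auth": "bearer"}},
    "DELETE /pets/{id}": {"params": {"id": "42"}, "schema": {}},
}
FETCHED = {
    "GET /pets": {"params": {"limit": "", "sort": ""}, "schema": {}},
    "POST /pets": {"params": {"name": ""}, "schema": {}},
}


def reload_spec(existing, fetched, opts):
    """Merge the fetched spec into the existing model; returns (merged, report)."""
    merged = {}
    report = {"added": [], "dropped": [], "retained_missing": []}
    for key, new_ep in fetched.items():
        params = dict(new_ep.get("params", {}))
        schema = dict(new_ep.get("schema", {}))
        old_ep = existing.get(key)
        if old_ep is None:
            report["added"].append(key)
        else:
            if not opts.remove_parameter_values:
                # keep user-entered values for params still in the spec; blanks never overwrite
                params.update({k: v for k, v in old_ep["params"].items()
                               if k in params and v not in ("", None)})
            if not opts.remove_schema_configs:
                schema.update(old_ep["schema"])
        merged[key] = {"params": params, "schema": schema}
    for key, old_ep in existing.items():   # endpoints no longer in the gateway spec
        if key in fetched:
            continue
        if opts.remove_missing_endpoints:
            report["dropped"].append(key)
        else:
            merged[key] = old_ep
            report["retained_missing"].append(key)
    return merged, report
```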
Security Hub
The Security Hub has been enhanced with a modernized user interface to improve clarity in presenting API security metrics and trends.
- UI Improvements: Cleaner presentation of security metrics and insights.
- Removed Dropdown: The applications dropdown, previously limited to 10 selections, has been removed as it did not reflect real-world usage.
- Upcoming Enhancements: Future releases will introduce filtering by Business Units and Teams for more meaningful analysis.
- Data Refresh: Metrics continue to update every 10 minutes using efficient caching.
- Role-Based Access:
  - Administrators view metrics across all onboarded applications.
  - Users view metrics only for applications they are authorized to access.
Bulk User Creation via CSV Upload
Administrators can now add multiple users simultaneously by uploading a CSV file, reducing the need for repetitive manual entry for Non-SSO Organizations.
- Sample Template: A downloadable CSV template with required headers (Display Name, Email, Role) is available on the Add Users page.
- Preview & Validation: Uploaded files are parsed into a table for review. Mandatory fields are validated, missing values are flagged, and issues such as invalid or duplicate emails are highlighted.
- Inline Editing: Errors can be corrected directly in the table without requiring a new upload.
- Smart Controls: The "Add Users" button remains disabled until all validation issues are resolved.
- Submission & Tracking: After submission, a confirmation toast appears, and progress is visible in the Activity Logs.
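The validation rules above (required headers, mandatory fields, invalid and duplicate emails, a submit button gated on zero errors) are concrete enough to implement, so here is an added Python example, not the platform's own code; the role names and the sample CSV are constructed for the illustration.

```python
import csv
import io
import re

# Header row of the downloadable template (Display Name, Email, Role).
REQUIRED_HEADERS = ("Display Name", "Email", "Role")
# Assumed role names for this illustration; the platform's real role set may differ.
VALID_ROLES = {"Administrator", "User"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample upload exercising each validation rule.
SAMPLE_CSV = """Display Name,Email,Role
Ada Lovelace,ada@example.com,Administrator
Bob Example,,User
Carol Test,not-an-email,User
Dan Dup,ADA@example.com,User
Eve Role,eve@example.com,Auditor
"""


def validate_users_csv(text):
    """Return (rows, errors); errors are (data_row_number, field, message) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    headers = tuple(h.strip() for h in (reader.fieldnames or []))
    if headers != REQUIRED_HEADERS:
        return [], [(0, "header", f"expected {REQUIRED_HEADERS}, got {headers}")]
    rows, errors, seen = [], [], {}
    for num, raw in enumerate(reader, start=1):
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k is not None}
        rows.append(row)
        for field in REQUIRED_HEADERS:            # mandatory fields
            if not row.get(field):
                errors.append((num, field, "missing value"))
        email = row.get("Email", "").lower()      # case-insensitive duplicate check
        if email and not EMAIL_RE.match(email):
            errors.append((num, "Email", "invalid email address"))
        elif email and email in seen:
            errors.append((num, "Email", f"duplicate of row {seen[email]}"))
        elif email:
            seen[email] = num
        role = row.get("Role")
        if role and role not in VALID_ROLES:
            errors.append((num, "Role", f"unknown role {role!r}"))
    return rows, errors


def can_submit(errors):
    """The "Add Users" button stays disabled until this returns True."""
    return not errors
```

Each error tuple carries the row and field, which is what inline editing needs to highlight the cell to fix.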
Controlled Auto-Sync of Vulnerabilities for Azure DevOps and Jira
- Previously, all vulnerabilities discovered during scans were automatically synchronized with Jira or Azure DevOps, regardless of severity. This often resulted in an excessive number of low-priority tickets for developers.
- With this update, synchronization can now be controlled by severity level. Users may specify which vulnerabilities are pushed into their issue tracker, allowing development teams to focus on resolving the most impactful issues first.
GraphQL Improvements
Enhancements to GraphQL scanning and validation include:
- Comprehensive capture of all arguments (required and optional) in variables/config, with proper tracking of optional fields such as enums.
- Resolution of incorrect readiness checks in GraphQL operations.
- Support for custom scalar types in UPDATE requests.
Applications List View
A new tabular Applications List View has been introduced, enabling users to view:
- Applications with their corresponding instances
- Endpoints
- Last scan date for each instance
- Vulnerabilities
- Endpoints at risk
Other Updates
- Users are now redirected to the login page when their refresh token expires.
- Several additional issue fixes and security enhancements have been applied to improve overall system reliability.