December
NG Production Release Update - APIsec_cloud_6.12.2.0 ( December 30, 2025 )
This release delivers a set of enhancements and fixes focused on secure onboarding, access governance, and testing accuracy. Authentication handling has been improved with automatic extraction of authentication credentials from Postman Collections, greater control over authentication selection during Dry Runs, and clearer validation outcomes to prevent misleading test results.
Access management has been strengthened through multi-user application access controls, enabling administrators to manage permissions at scale with better visibility and flexibility. RBAC-related improvements enhance both the accuracy of access validation and the clarity of security findings.
Operational reliability has also been improved through fixes to endpoint detection, expanded activity logging for automated onboarding, improved execution logs, and tighter security controls across UI and authentication workflows. Together, these updates reduce manual overhead, enhance trust in scan results, and reinforce the platform's overall security posture.
1. Automatic Authentication Extraction from Postman Collections
Onboarding APIs from Postman Collections is now faster and more streamlined. The platform automatically extracts authentication details from a Postman Collection and configures them during application onboarding, significantly reducing manual configuration and setup time.
What's supported:
- Basic Authentication and OAuth (Client Credentials grant type only) are automatically detected and configured after the instance is created.
- Multiple authentication configurations defined in a Postman Collection are extracted and configured for the same application.
- If Basic Authentication credentials are defined directly in request headers, they are recognized and configured as Basic Authentication in APIsec.
- If a Bearer token or any other authentication header is present in the request headers, it is captured and configured using the "API Key" authentication type.
Custom authentication handling: More complex authentication flows, such as multi-step token generation or substituting response values into headers other than Authorization, require Custom Authentication.
- For these cases, a custom authentication chain is automatically created within the same application, rather than at the tenant level, keeping the configuration scoped and easier to manage.
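To make the extraction rules above concrete, here is an added example (not APIsec's own code) that walks a Postman Collection in the v2.1 JSON layout and sorts what it finds into the configuration types the list describes: Basic Authentication, OAuth with the client-credentials grant, credentials carried in request headers mapped to the API Key type, and anything else flagged for a custom authentication chain. The sample collection, the heuristic list of header names treated as credential carriers, and the field names in the output are assumptions made for this example.

```python
import base64
import binascii
import json

# Constructed sample in Postman Collection v2.1 layout; example data, not a real collection.
SAMPLE_COLLECTION = {
    "info": {"name": "demo"},
    "auth": {  # collection-level OAuth2 using the client-credentials grant
        "type": "oauth2",
        "oauth2": [
            {"key": "grant_type", "value": "client_credentials"},
            {"key": "accessTokenUrl", "value": "https://auth.example.test/oauth/token"},
            {"key": "clientId", "value": "demo-client"},
            {"key": "clientSecret", "value": "demo-secret"},
        ],
    },
    "item": [
        {"name": "list users", "request": {"method": "GET", "url": "https://api.example.test/users",
            "header": [{"key": "Authorization", "value": "Basic YWxpY2U6czNjcjN0"}]}},
        {"name": "get order", "request": {"method": "GET", "url": "https://api.example.test/orders/1",
            "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOi.demo.token"}]}},
        {"name": "internal", "request": {"method": "GET", "url": "https://api.example.test/internal",
            "header": [{"key": "X-Internal-Token", "value": "abc123"},
                       {"key": "X-Debug", "value": "1", "disabled": True}]}},
        {"name": "folder", "item": [  # nested folder whose request carries its own auth block
            {"name": "login", "request": {"method": "POST", "url": "https://api.example.test/token",
                "auth": {"type": "oauth2", "oauth2": [{"key": "grant_type", "value": "authorization_code"}]}}},
        ]},
    ],
}

# Assumption: substrings that mark a non-Authorization header as a credential carrier.
CREDENTIAL_HEADER_HINTS = ("auth", "token", "key", "secret")


def _kv(entries):
    """Collapse Postman's [{key, value}, ...] parameter lists into a dict."""
    return {e["key"]: e.get("value") for e in (entries or [])}


def _walk_requests(items):
    """Yield every request in the collection, descending into folders."""
    for it in items or []:
        if "item" in it:
            yield from _walk_requests(it["item"])
        elif "request" in it:
            yield it["request"]


def basic_from_header(value):
    """Decode 'Basic base64(user:pass)'; return None if the value is not well-formed."""
    try:
        decoded = base64.b64decode(value.split(None, 1)[1], validate=True).decode("utf-8")
    except (IndexError, binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return {"type": "basic", "username": user, "password": password}


def classify_auth_block(auth):
    """Map a Postman `auth` object to a static configuration, or flag it for custom authentication."""
    kind = (auth or {}).get("type")
    p = _kv((auth or {}).get(kind))
    if kind == "basic":
        return {"type": "basic", "username": p.get("username"), "password": p.get("password")}
    if kind == "oauth2" and p.get("grant_type") == "client_credentials":
        return {"type": "oauth2_client_credentials", "token_url": p.get("accessTokenUrl"),
                "client_id": p.get("clientId"), "client_secret": p.get("clientSecret")}
    if kind == "bearer":  # a static bearer token is just a fixed Authorization header value
        return {"type": "api_key", "header": "Authorization", "value": f"Bearer {p.get('token')}"}
    if kind in (None, "noauth", "inherit"):
        return None  # nothing to configure at this level
    # Other grant types and multi-step flows cannot be expressed as one static credential.
    return {"type": "custom", "reason": f"{kind} ({p.get('grant_type', 'n/a')}) needs a custom auth chain"}


def classify_header(name, value):
    """Recognise credentials carried directly in a request header."""
    lname = name.lower()
    if lname == "authorization" and value.lower().startswith("basic "):
        return basic_from_header(value) or {"type": "api_key", "header": name, "value": value}
    if lname == "authorization" or any(h in lname for h in CREDENTIAL_HEADER_HINTS):
        return {"type": "api_key", "header": name, "value": value}
    return None


def extract_auth_configs(collection):
    """Return the distinct authentication configurations found anywhere in a collection."""
    configs, seen = [], set()

    def add(cfg):
        if cfg is not None and (key := json.dumps(cfg, sort_keys=True)) not in seen:
            seen.add(key)
            configs.append(cfg)

    add(classify_auth_block(collection.get("auth")))
    for req in _walk_requests(collection.get("item")):
        add(classify_auth_block(req.get("auth")))
        for h in req.get("header") or []:
            if not h.get("disabled"):  # Postman keeps disabled headers in the file but never sends them
                add(classify_header(str(h.get("key", "")), str(h.get("value", ""))))
    return configs


if __name__ == "__main__":
    for cfg in extract_auth_configs(SAMPLE_COLLECTION):
        print(json.dumps(cfg))
```

Running it against the sample yields five distinct configurations: the collection-level client-credentials OAuth, a Basic Authentication entry decoded from the header, two API Key entries (the Bearer header and X-Internal-Token), and one custom-chain marker for the authorization-code request. Disabled headers are skipped, and the same credential seen on several requests is recorded once.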
Improved Postman Collection retention:
- APIsec now retains a copy of the Postman Collection in its workspace regardless of how it is onboarded (file upload, URL, or integration).
- Previously, collections were stored only when onboarded through a file. With this enhancement, all Postman-based onboardings preserve the collection for future reference.
This update simplifies Postman-based onboarding while improving traceability, reusability, and long-term management of authentication configurations.
2. Multi-User Access and Permission Management
APIsec now makes it easier for administrators, application owners, and collaborators with edit access to review and manage which users or teams can view or edit applications. Permissions can be updated, and access can be revoked as needed.
What's new:
- Bulk User Assignment: Add multiple users to an application in a single action.
- Clear Access Visibility: View a complete list of users and teams that have access to an application, along with their assigned permission levels.
- Flexible Permission Control: Update permissions dynamically—switch a user's permissions between View and Edit access as needed.
- Easy Access Removal: Remove a user's or team's access to an application when needed.
3. Authentication Selection for Dry Runs
Dry-run testing at the endpoint level is now more precise and transparent. Users can explicitly select the authentication credential to use when executing a dry run, giving them complete control over how endpoints are validated. Previously, dry runs automatically used any available credentials, which often resulted in non-working or unauthorized credentials being applied. This led to misleading results and made it difficult to determine whether failures were caused by authentication issues or by the endpoint payload.
What’s improved:
- Explicit Authentication Control: Select a specific, authorized credential to execute a Dry Run against a chosen endpoint.
- Accurate Results: Dry Runs now reflect the API's actual behavior with the intended authentication, avoiding false negatives caused by invalid credentials.
- Clear Visibility: Instead of marking endpoints as “ready for deep coverage” without context, the platform now shows detailed results from the Dry Run.
- Enhanced Debugging: Users can review the authentication request details, including the request URL, headers, body, response code, and response body, to quickly identify successful responses, bad requests, or unauthorized access.
These improvements make Dry Runs more reliable, easier to debug, and far more effective for validating authentication before running full scans.
Bug Fixes
1. Improved RBAC Assertion Visibility
RBAC assertions now clearly explain how each role is expected to behave for a given endpoint and how the API actually responds, making authorization outcomes easy to interpret.
For each role tested, the assertion explicitly describes:
- Expected Access — whether the RBAC configuration allows or denies access to the endpoint.
- Observed Behavior — the actual response returned by the API.
- Security Outcome — whether the behavior is compliant or indicates a potential privilege escalation.
What's fixed:
- Complete Role Coverage: All roles evaluated during RBAC testing are now included in the scan result assertions and associated vulnerabilities.
- Accurate Test Log Representation: Each test log represents a unique role-based access check for an endpoint. When multiple roles fail, all corresponding test logs are now correctly marked as failed, instead of flagging only the first failure.
Impact:
This approach provides a per-role, per-endpoint explanation of authorization results, allowing users to clearly distinguish between allowed access, correctly blocked access, and unexpected access that represents a security risk.
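The per-role, per-endpoint logic described above, as an added example (not APIsec's implementation): an RBAC map states the expected decision for each role on each endpoint, the observed HTTP status is compared against it, and every (endpoint, role) pair gets its own assertion so that all failing roles are reported rather than only the first. The RBAC map, the observed statuses and the outcome labels are constructed for the example; an expected-allow role that is denied is reported as a failed assertion but not as a security finding, and statuses such as 404 or 5xx are treated as inconclusive because they say nothing about the authorization decision.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: which roles the RBAC map allows on each endpoint ...
RBAC_MAP = {
    "GET /admin/users": {"admin": "allow", "user": "deny", "guest": "deny"},
    "GET /me":          {"admin": "allow", "user": "allow", "guest": "deny"},
}
# ... and the HTTP status each role actually received when the endpoint was called.
OBSERVED = {
    ("GET /admin/users", "admin"): 200,
    ("GET /admin/users", "user"): 200,   # a deny role got through
    ("GET /admin/users", "guest"): 403,
    ("GET /me", "admin"): 403,           # an allow role was blocked
    ("GET /me", "user"): 200,
    ("GET /me", "guest"): 200,           # another deny role got through
}

DENIED_STATUSES = {401, 403}


@dataclass(frozen=True)
class RbacAssertion:
    endpoint: str
    role: str
    expected: str             # "allow" or "deny", from the RBAC map
    observed: Optional[int]   # HTTP status, None if the role was never exercised
    outcome: str              # compliant | privilege_escalation | unexpected_denial | inconclusive

    @property
    def passed(self):
        return self.outcome == "compliant"

    def describe(self):
        return (f"{self.endpoint} as {self.role}: expected {self.expected}, "
                f"observed HTTP {self.observed}, outcome {self.outcome}")


def classify_outcome(expected, status):
    """Compare the configured decision with what the API actually did."""
    if status is None:
        return "inconclusive"
    if 200 <= status < 300:
        return "compliant" if expected == "allow" else "privilege_escalation"
    if status in DENIED_STATUSES:
        return "compliant" if expected == "deny" else "unexpected_denial"
    return "inconclusive"  # 404/405/5xx do not reveal the authorization decision


def evaluate_rbac(rbac_map, observed):
    """One assertion per (endpoint, role); every failing pair is reported, not just the first."""
    assertions = []
    for endpoint, roles in rbac_map.items():
        for role, expected in roles.items():
            status = observed.get((endpoint, role))
            assertions.append(RbacAssertion(endpoint, role, expected, status,
                                            classify_outcome(expected, status)))
    return assertions


def security_findings(assertions):
    """Only unexpected access is a security risk; unexpected denial is a functional failure."""
    return [a for a in assertions if a.outcome == "privilege_escalation"]


if __name__ == "__main__":
    for a in evaluate_rbac(RBAC_MAP, OBSERVED):
        print("PASS" if a.passed else "FAIL", a.describe())
```

On the sample data this produces six assertions, three of which fail: two privilege escalations (user on GET /admin/users, guest on GET /me) and one unexpected denial (admin on GET /me). Only the two escalations become security findings.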
2. Browser Bolt OAS Endpoint Detection
What’s Fixed:
Resolved an issue where OpenAPI specifications generated via Browser Bolt were onboarded successfully but displayed “No Endpoints Detected.” Endpoints defined in Browser Bolt–generated OAS files are now correctly parsed and surfaced after onboarding.
Impact:
Applications onboarded through Browser Bolt are now fully testable immediately, eliminating the need for manual verification or re-importing specifications.
3. RBAC Map Loading in Chrome
What’s Fixed:
Resolved a Chrome-specific issue where RBAC maps failed to load when configurations contained more than 20 roles.
Impact:
RBAC maps now load reliably in Chrome regardless of role count, allowing users to review and validate complex RBAC configurations without browser limitations.
4. Comprehensive Activity Logs for Auto-Onboard
What’s Fixed:
Corrected inconsistencies where Auto-Onboard events were not consistently captured in Activity Logs across multiple gateway integrations.
Impact:
Activity Logs now reliably record Auto-Onboard actions for all supported gateways, providing complete visibility into automated API discovery and registration.
5. Execution Log Completeness
What’s Fixed:
Resolved an issue where execution logs were missing descriptive details during scan analysis.
Impact:
Execution logs now provide clearer context, making it easier to understand scan behavior, analyze results, and troubleshoot issues.
6. SSO Sign-Out Configuration (Cognito)
What’s Fixed:
Fixed an issue where Allowed Sign-Out URLs were not automatically configured when creating a new App Client in Amazon Cognito.
Impact:
SSO sign-out now works as expected by default, preventing logout issues and ensuring a smoother authentication experience.
7. MuleSoft Connected App Support for Business Units
What’s Fixed:
Resolved an issue where APIsec could only discover and onboard APIs from the root MuleSoft organization when using a Connected App with client credentials. Previously, if a Connected App was authorized at a Business Unit level, API discovery failed, potentially causing internal server errors.
APIsec now correctly honors the scope of the access token issued by MuleSoft, aligning with MuleSoft’s access model.
Impact:
- APIs managed under child Business Units can now be successfully discovered and onboarded.
- Root-level authorization is no longer mandatory when valid Business Unit–scoped credentials are used.
- The Business Unit hierarchy—from the root organization down to the authorized Business Unit—is now correctly recognized and displayed.
This fix removes a critical onboarding blocker for enterprises using hierarchical MuleSoft organizations and enables broader adoption for customers with complex Business Unit structures.
Security Fixes
1. Clickjacking Vulnerability Resolved
What’s Fixed:
Addressed a Clickjacking vulnerability that could allow unauthorized UI interactions through embedded or framed content.
Impact:
This fix strengthens UI security and prevents unintended manipulation of the application, aligning with standard web security best practices.
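The note above says what was fixed but not how to confirm it. The standard defence against clickjacking is to forbid framing with a Content-Security-Policy frame-ancestors directive or an X-Frame-Options header, with the CSP directive taking precedence in browsers that support it. The following added check (example code, not part of APIsec) evaluates a response's headers against that defence; the sample header sets are constructed for the example.

```python
# Constructed sample responses (headers only, no network involved).
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp none": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "report only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example.test"},
}

PERMISSIVE_SOURCES = {"*", "http:", "https:"}  # any origin, or any origin on a scheme


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def framing_policy(headers):
    """Return ('protected', why) or ('vulnerable', why) for the anti-framing headers in a response."""
    # CSP frame-ancestors overrides X-Frame-Options where both are present, so check it first.
    # Only the enforcing header counts: Content-Security-Policy-Report-Only blocks nothing.
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or any(s in PERMISSIVE_SOURCES for s in sources):
                return ("vulnerable", f"frame-ancestors permits any origin: {' '.join(sources) or '(empty)'}")
            return ("protected", f"CSP frame-ancestors {' '.join(sources)}")
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("protected", f"X-Frame-Options {xfo}")
    if xfo.startswith("ALLOW-FROM"):
        return ("vulnerable", "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
    if xfo:
        return ("vulnerable", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers")
    return ("vulnerable", "no frame-ancestors directive and no X-Frame-Options header")


def check_all(samples):
    """Verdict per sample; handy for a post-fix regression check over captured responses."""
    return {name: framing_policy(h)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:15s} {framing_policy(headers)}")
```

Two details matter when verifying a fix like this: a Report-Only CSP does not protect anything, and ALLOW-FROM is treated as an invalid X-Frame-Options value by current browsers, so a page relying on it is still framable.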
"Note: The Browser Bolt has now been published to the Chrome Store. A few minor refinements are still required in the AI agentic flow, which are currently in progress and scheduled to be incorporated and released next week."
NG Production Release Update - APIsec_cloud_6.12.1.0 ( December 12, 2025 )
This release includes updates across usability, automation, and platform reliability. It adds support for downloading OpenAPI specifications from applications, bulk management of instance-level parameters via CSV, and incremental UI workflow improvements.
The release also includes bug fixes, updates to spec parsing, clearer GraphQL error messages, expanded activity logging for automated API onboarding, and several operational changes related to reporting, cleanup, and system consistency.
Download OpenAPI Specifications (OAS) from Applications
You can now download the OpenAPI Specification (OAS) for any application directly from the platform, a feature customers frequently request for quick access to the exact spec used during onboarding.
Here's how it works:
- Applications initially registered with an OAS will provide the specification for download.
- Applications onboarded via a Postman Collection are automatically converted to OAS, and the converted version is available for download.
- If an application's OAS has been reloaded multiple times, the latest version currently reflected in the application is what you will receive.
Coming soon: the ability to download an OAS including manually added endpoints.
Bulk Upload & Download of Instance-Level Parameter Values (CSV Support)
We have added new capabilities that make managing instance-level parameter values faster and far more convenient. With this enhancement, you can:
- Bulk upload instance-level parameters using a CSV file.
- Download existing instance-level parameter values, making it easy to preserve them before reloading a spec, particularly useful when choosing not to retain parameters during a spec reload.
Additional improvements include:
- If an endpoint's request body contains null values, the platform will automatically substitute values from the instance-level parameters (if available).
- When instance-level parameter values are intentionally set to null, they are now correctly interpreted as null — not as the string "null".
These enhancements streamline large-scale parameter management and reduce manual cleanup after spec updates.
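The two null-handling rules above are easy to get wrong, so here is an added example (not APIsec's own code) that shows them together: a CSV of instance-level parameters is parsed so that an empty cell means "no value" and the literal `null` becomes a real null rather than the string "null", and the parsed values are then substituted into a request body wherever the body carries a null of the same name. The two-column `name,value` CSV layout, the sample rows and the sample body are assumptions made for this example.

```python
import csv
import io
import json

# Assumption for the example: the CSV has a header row with `name` and `value` columns.
SAMPLE_CSV = """name,value
userId,1001
tenant,acme
nickname,null
limit,
"""

# Constructed request body as a spec might produce it: null wherever a value is unknown.
SAMPLE_BODY = {"userId": None, "tenant": None, "nickname": None, "limit": None,
               "profile": {"tenant": None, "tags": [None]}}

_UNSET = object()  # sentinel: the cell was empty, so the parameter carries no value at all


def _decode_cell(raw):
    """Empty -> unset; JSON literals (42, true, null, "text") -> their value; other text -> string."""
    raw = (raw or "").strip()
    if raw == "":
        return _UNSET
    try:
        return json.loads(raw)  # "null" becomes None here, not the string "null"
    except ValueError:
        return raw


def parse_params_csv(text):
    """Read instance-level parameters; rows with an empty value cell are dropped, not set to ''."""
    params = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("name") or "").strip()
        value = _decode_cell(row.get("value"))
        if name and value is not _UNSET:
            params[name] = value
    return params


def _encode_cell(value):
    """Inverse of _decode_cell so that a download followed by an upload round-trips exactly."""
    if isinstance(value, str):
        try:
            json.loads(value)       # text that would parse as JSON must be quoted to survive
            return json.dumps(value)
        except ValueError:
            return value
    return json.dumps(value)        # None -> null, numbers/bools/lists as JSON


def dump_params_csv(params):
    """Produce the downloadable CSV for the current instance-level values."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "value"])
    for name, value in params.items():
        writer.writerow([name, _encode_cell(value)])
    return buf.getvalue()


def substitute_nulls(body, params):
    """Replace null leaves with the instance-level value of the same name, where one exists.
    A parameter intentionally set to null leaves the field null; a missing parameter leaves it alone."""
    if isinstance(body, dict):
        return {k: (params[k] if v is None and k in params else substitute_nulls(v, params))
                for k, v in body.items()}
    if isinstance(body, list):
        return [substitute_nulls(v, params) for v in body]
    return body


if __name__ == "__main__":
    params = parse_params_csv(SAMPLE_CSV)
    print(json.dumps(substitute_nulls(SAMPLE_BODY, params)))
    print(dump_params_csv(params), end="")
```

With the sample CSV, `userId` and `tenant` are filled in (including the nested `profile.tenant`), `nickname` stays null because it was set to null on purpose, and `limit` stays null because its cell was empty and so no parameter exists for it.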
UI Improvements
Application Launch Routing:
When an application is opened using an application/{applicationId} URL, users are now automatically redirected to the corresponding instance page. The system appends instances/{instanceId} to the URL to ensure a valid landing page.
If multiple instances exist in an application, the first available instance is selected by default. This prevents errors caused by missing or null instance IDs and provides a smoother navigation experience.
Improved Application List Navigation & Usability
Applications now load automatically in the list view, providing a clearer, more complete view of each application and its associated instances. We have also improved usability in the Applications list by enabling the right-click context menu, allowing users to copy URLs or open applications in a new tab.
Consistent Top Navigation Bar
The top navigation bar has been standardized across all main menu items, ensuring a consistent look and behavior throughout the application for a smoother user experience.
Bug Fixes & Improvements
1. OAuth2 Credential Stability - Fixed an issue where OAuth2 password values were unintentionally overwritten when updating advanced authentication properties.
2. BOLA Scenario Execution Reliability - Resolved a regression that prevented resource identifiers from being correctly substituted during BOLA dry runs, which caused scenarios to fail during testing and activation. The fix has been validated across affected use cases to ensure consistent behavior.
3. Swagger 2.0 Spec Parsing Improvements - Addressed an issue where body parameters were duplicated when multiple content types were defined in a Swagger 2.0 specification. The parser now correctly handles multiple content types without creating redundant parameters or sending duplicate request payloads.
4. Expanded Activity Logs for Auto-Onboard - Activity Logs now fully capture Auto-Onboard events for Azure API Management, Postman, and SwaggerHub integrations. This provides clearer visibility into when APIs are automatically discovered and onboarded.
5. Improved GraphQL SDL Upload Error Feedback - When GraphQL application creation fails during SDL file upload, the UI now surfaces clear error messages explaining the failure and highlighting any discrepancies detected in the SDL file, instead of returning a generic error state.