July
NG Production Release Update ( July 01, 2025 )
Here's a quick look at what's landed recently:
New Token-Based Test Categories
- We have expanded our test coverage to identify vulnerabilities related to authentication tokens. These new categories help uncover issues in token usage and handling that may otherwise go unnoticed.
Wildcard Support for Dynamic Certificate Resolution
- Managing certificates across multiple hosts is now much easier. You can use * as a wildcard when mapping certificates to hosts, so one certificate can serve every host that has no mapping of its own; a certificate mapped explicitly to a specific host always takes precedence over the wildcard.
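As an added illustration of the precedence rule above (example code, not APIsec NG's own implementation): a resolver that picks the most specific mapping for a host, with an exact host entry winning over a wildcard. The `*.example.com`-style subdomain pattern, the `CertRef` type and the sample mappings are assumptions made for this example; the release note itself only mentions the bare `*` wildcard.

```python
"""Resolve which certificate applies to a host when mappings may contain
wildcards. Illustrative code, not the product's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class CertRef:
    name: str  # label of a certificate/key pair (assumed representation)


def host_from_url(url: str) -> str:
    """Extract the bare hostname (no scheme, port or path) from an instance URL."""
    hostname = urlparse(url).hostname
    if not hostname:
        raise ValueError(f"no hostname in {url!r}")
    return hostname.lower()


def _matches(pattern: str, host: str) -> bool:
    """Does a mapping pattern cover this host?"""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        # Require at least one label before the suffix so that
        # *.example.com does not silently cover example.com itself.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _specificity(pattern: str) -> int:
    """Higher wins: exact host > subdomain wildcard (longer suffix first) > bare '*'."""
    if pattern == "*":
        return 0
    if pattern.startswith("*."):
        return 1 + pattern.count(".")
    return 1000


def resolve_certificate(mappings: Dict[str, CertRef], host: str) -> Optional[CertRef]:
    """Return the most specific certificate mapped for `host`, or None if nothing matches."""
    host = host.lower()
    best: Optional[CertRef] = None
    best_score = -1
    for pattern, cert in mappings.items():
        if _matches(pattern, host) and _specificity(pattern) > best_score:
            best, best_score = cert, _specificity(pattern)
    return best


# Constructed sample mappings for the demonstration.
SAMPLE_MAPPINGS = {
    "*": CertRef("default-client-cert"),
    "*.internal.example.com": CertRef("internal-mtls-cert"),
    "payments.internal.example.com": CertRef("payments-mtls-cert"),
}
```

With these mappings, `api.example.com` falls through to the wildcard, `auth.internal.example.com` gets the subdomain certificate, and the explicitly mapped payments host gets its own. Note that `internal.example.com` itself is not covered by `*.internal.example.com` and therefore also receives the default; if the apex host needs the internal certificate, map it explicitly.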
Custom Authentication V2
- Authentication flows can now be configured through the UI.
- We have tested it against real customer scenarios, including complex multi-step workflows, and made necessary enhancements to support them.
Scan Execution Improvements
- Resolved issues with scheduled scans not triggering reliably.
- Authentication-related errors in long-running scans are now handled more robustly and displayed clearly.
- Fixed an edge case where scanned endpoints were missing from the scan results, despite being executed.
Enhanced Test Visibility
- Logs are now split between Dry Run and Test Execution, making debugging easier.
- Logs now display the credentials and roles used in each test.
- Scan History includes stats for Tests Generated, Executed, and Skipped.
- Reasons for passed and skipped tests are now logged to support auditability.
API Token Scope Correction
- Fixed API token scoping so that a token grants only the access its scope permits, enforced consistently across the platform.
Spec Reload Enhancements
- The Reload Spec process is now asynchronous, reducing timeout errors during high-volume spec updates.
- Improved stability and error-handling make OAS reloads smoother.
- We now prevent overwriting instance-level parameters during spec reloads.
- Next up: safeguarding endpoint-level parameters and payloads.
Smarter Token Refresh
- For short-lived tokens, we have added the ability to define token renewal frequency per credential in OAuth, Bearer Token, and Custom Authentications.
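As an added example of the renewal behaviour described above (illustrative code, not APIsec NG's implementation): a per-credential token cache that renews proactively on a configured cadence instead of waiting for a 401 mid-scan. The `renew_every` setting, the `fetch_token` callback, the fake clock and the counter-based fake tokens are assumptions constructed for this example so that it runs offline.

```python
"""Proactive per-credential token renewal for a long-running scan.
Illustrative code, not the product's implementation."""
import itertools
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Credential:
    """One configured credential with its own renewal frequency (assumed setting)."""
    name: str
    fetch_token: Callable[[], str]   # obtains a fresh token, e.g. an OAuth client-credentials grant
    renew_every: float               # seconds between renewals; keep it below the token lifetime
    token: Optional[str] = field(default=None, init=False)
    issued_at: float = field(default=0.0, init=False)


class TokenCache:
    """Hands out a cached token per credential and renews it on the configured cadence."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self.refreshes: Dict[str, int] = {}

    def token_for(self, cred: Credential) -> str:
        now = self._clock()
        # Renew before expiry: the token is replaced once it is renew_every seconds old,
        # so a request never goes out with a token that the target is about to reject.
        if cred.token is None or now - cred.issued_at >= cred.renew_every:
            cred.token = cred.fetch_token()
            cred.issued_at = now
            self.refreshes[cred.name] = self.refreshes.get(cred.name, 0) + 1
        return cred.token


def run_demo() -> Dict[str, int]:
    """Simulate a 10-minute scan issuing a request every 30 s with two credentials
    and return how many times each token was renewed. Uses a fake clock and
    constructed fake tokens so it runs offline."""
    fake_now = [0.0]
    counters = {"svc-a": itertools.count(1), "svc-b": itertools.count(1)}
    creds = [
        Credential("svc-a", lambda: f"tokA-{next(counters['svc-a'])}", renew_every=60),
        Credential("svc-b", lambda: f"tokB-{next(counters['svc-b'])}", renew_every=300),
    ]
    cache = TokenCache(clock=lambda: fake_now[0])
    for _ in range(20):
        for cred in creds:
            cache.token_for(cred)  # would go into the Authorization header of the test request
        fake_now[0] += 30
    return cache.refreshes
```

Over the simulated ten minutes the 60-second credential is renewed ten times and the 300-second one twice; the point is that the cadence is chosen per credential, since the two issuers may hand out tokens with very different lifetimes.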
Enhanced Instance Management
- You can now assign a custom name to each instance for easier identification.
- Instances can be deleted independently without affecting the associated application or other instances.
We have rolled out several security enhancements, squashed bugs, and polished the UI in both Cloud and On-Premises versions.
NG Production Release Update ( July 03, 2025 )
Introducing Custom Labels in Issue Tracker Integrations (JIRA & Azure DevOps)
Some of our customers route issues to different teams based on label values in their project boards. While APIsec NG already included standard labels like APIsec, CVSS scores, and security categories, it didn't allow users to define their own—until now.
What's new:
- An optional Labels field is now available when configuring issue tracker integrations.
- Supports single-word entries (e.g., AppSec).
- Allows multiple labels separated by commas (e.g., AppSec,HighPriority,Internal).
- This update enables smoother team routing and better integration with our customers' existing workflows.
Choose a Private Hosted Agent for Scans
Until now, the platform has automatically selected the hosted agent (APIsec or Private) based on instance reachability. This usually works, but not always.
In cases where APIs are technically reachable yet block external requests (think trusted IP policies), this led to unnecessary roadblocks.
What's improved:
- You can now manually select the Hosted Agent when running ad-hoc or scheduling scans. This gives teams more control, especially in secure environments where trusted IPs are required for access.
Boomi API Gateway Integration v1
We are excited to roll out V1 support for Boomi API Gateway!
You can now integrate APIsec NG with Boomi API Gateway using a Platform API Token, making it easier to fetch and register OpenAPI specs for your applications.
What you need to know:
- This version supports authentication via platform tokens and requires application credentials to retrieve the OAS file.
- Broader credential support and deeper integration options are planned for upcoming releases.
Streamlined "Contact Support" Experience
- Users can now submit tickets or share feedback directly from the platform, without being redirected to the PLG (cloud.apisecapps.com) tenant.
- The "Contact Support" button automatically sends an email and opens a ticket with our Support Team.
NG Production Release Update ( July 14, 2025 )
We have rolled out several updates to make vulnerability management more intuitive across the board. Here's a quick tour of what's new:
Auto-Close Resolved Tickets
- Linked issue tracker tickets in Jira or Azure DevOps will now automatically close when their corresponding vulnerabilities are resolved in APIsec. There's no need for any manual action.
Bulk Ticket Creation from Threat Detections
- Enabled support for creating multiple tickets directly from the Threat Detections tab, allowing ticket creation per vulnerability group based on Category and Test Type.
Quick Actions for Vulnerabilities in Scan Details
- Introduced an Actions menu for each vulnerability listed in the Scan Details page, enabling users to:
  - Mark it as a False Positive
  - Accept the Risk (temporarily)
  - Create a Ticket in the issue tracker
  - Export Logs to review the vulnerability
  - Export cURL to reproduce the issue locally
Smarter Reachability Checks
- If a private-hosted agent can't reach the hostname of the instance URL, the platform now also tests the full endpoint path before concluding the instance is unreachable. This gives a more accurate assessment of reachability.
Availability of Hosted Agent Information on the Scan Details Page
- Running scans with a private-hosted agent now displays the hosted agent name used, helping track the agents and simplify debugging.
NG Production Release Update ( July 21, 2025 )
We are pleased to announce the following updates and improvements, designed to enhance platform functionality, integration capabilities, and user control. Here's a quick tour of what's new:
Reload Specification with Retain Options
- Users can now reload an API specification while retaining endpoints, existing parameter values, and schema configurations that are absent from the new specification. Customized test inputs therefore survive specification updates, improving consistency and minimizing rework.
Support for Azure DevOps Integration via Service Principal
- In addition to existing support for Personal Access Tokens (PAT), the platform now supports Azure DevOps integration using Service Principal authentication. This provides a more secure and scalable option, particularly for organizations with strict credential management policies.
Profile Management for Scans
- We have introduced the ability to create and manage scan profiles. These profiles can be selected when initiating ad-hoc or scheduled scans, allowing users to configure scan behavior more effectively across different testing scenarios.
Auto-Ticketing Enhancements
- Enhancements have been made to the auto-closure of tickets in integrated issue trackers when vulnerabilities are marked as resolved.
Improvements in Security Tests & GraphQL
- Added SDL Validation and more injection strategies for GraphQL
NG Production Release Update ( July 25, 2025 )
Here's what's new and improved in our platform this week:
Automatic Ticket Creation for Active Vulnerabilities
- Building on our July 21 release, once an issue tracker is integrated with an application's instance, any vulnerabilities detected in subsequent scans will automatically create tickets, so no issue is overlooked once a risk emerges.
Bulk False Positive Marking with Smart Sync Handling
- Building on the bulk ticket creation update from July 14, you can now select multiple vulnerabilities and mark them as false positives at once. If those vulnerabilities were already linked to an issue tracker, the related tickets will be closed automatically.
Handling of Large Dry Run Responses
- Previously, huge endpoint responses from Dry Run results were flagged as inconclusive. We have now optimized how these are processed by compressing the response data, ensuring that permissions are evaluated accurately, regardless of the payload size.
Spec Reload Functionality Updates
- This update corrects issues with schema consistency that sometimes occurred during manual additions.
Ticketing Now Available for Risk Accepted Vulnerabilities
- When a vulnerability is marked "Risk Accepted" because mitigating controls are in place, you can now still generate a ticket for it. This lets developers plan a permanent fix when appropriate.