November
NG Production Release Update - APIsec_cloud_6.11.2.0 (November 28, 2025)
Security Categories Improvements
- Asymmetrical Assertions for Injections and SSRF
- We have introduced several improvements to make injection and SSRF testing more efficient and accurate.
- Earlier Detection: Injection tests are now executed even before authentication is configured, allowing vulnerabilities to surface much earlier in the API onboarding process. These checks are now included in the unauthenticated scan.
- Iteration Optimization: The number of iterations is now capped at 100 for endpoints with a large number of parameters, improving performance without reducing coverage.
- Reduced False Positives: If a time-based injection is detected during an iteration, the system now performs an additional validation pass to confirm the finding and avoid false positives.
These enhancements provide faster, more reliable detection for injection and SSRF vulnerabilities across your APIs.
- Error-Based Injection Detection
- We have strengthened our injection testing capabilities by adding support for Error-Based Injection Detection. During review, we found a gap where error-based database injections were not being flagged, especially when backend systems leak database errors. This could lead to missed vulnerabilities and false negatives.
- To address this, we have designed and documented an error-based detection blueprint that targets these scenarios. With this enhancement, whenever a test triggers a server error that does not occur during a dry run, the platform now raises an informational detection indicating that the API may be vulnerable to injection attacks.
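The two false-positive controls described above (the extra validation pass for time-based findings, and the error-based rule that only flags server errors absent from the dry run) come down to a small amount of decision logic. The following Python is an added illustration, not APIsec's code; `Observation`, `iteration_plan`, `time_based_verdict` and `error_based_findings` are hypothetical names, and the baseline/test observations are constructed samples. It deliberately models only the decision on recorded responses, not the requests a scanner would send.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List

MAX_ITERATIONS = 100  # cap described in the release note


@dataclass
class Observation:
    """One request/response pair as a scanner would record it (constructed sample shape)."""
    status: int
    latency_ms: float


def iteration_plan(parameter_count: int, cap: int = MAX_ITERATIONS) -> int:
    """Iterations to run for an endpoint: one per parameter, capped at MAX_ITERATIONS."""
    return min(parameter_count, cap)


def exceeds_delay(baseline_ms: List[float], observed_ms: float, delay_ms: float) -> bool:
    """True when an observation sits at least the expected delay above the baseline median."""
    return observed_ms - statistics.median(baseline_ms) >= delay_ms


def time_based_verdict(baseline_ms: List[float], first_pass_ms: float,
                       validation_pass_ms: float, delay_ms: float) -> str:
    """Two-pass rule: a slow first response is only a finding if a second, independent
    request is slow as well; a single latency spike is rejected as noise."""
    if not exceeds_delay(baseline_ms, first_pass_ms, delay_ms):
        return "not_detected"
    if exceeds_delay(baseline_ms, validation_pass_ms, delay_ms):
        return "confirmed"
    return "rejected_on_validation"


def error_based_findings(dry_run: Dict[str, List[Observation]],
                         test_run: Dict[str, List[Observation]]) -> List[dict]:
    """Raise an informational finding for every endpoint whose test run produced a
    5xx that the dry run (same endpoint, benign values) never produced."""
    findings = []
    for endpoint, test_obs in test_run.items():
        baseline_errors = any(o.status >= 500 for o in dry_run.get(endpoint, []))
        test_errors = sorted({o.status for o in test_obs if o.status >= 500})
        if test_errors and not baseline_errors:
            findings.append({"endpoint": endpoint, "severity": "informational",
                             "statuses": test_errors})
    return findings


# Constructed sample data: /orders already errors during the dry run, so it is not a new signal.
DRY_RUN = {"/users": [Observation(200, 110.0)], "/orders": [Observation(500, 90.0)]}
TEST_RUN = {"/users": [Observation(200, 100.0), Observation(500, 95.0)],
            "/orders": [Observation(500, 88.0)]}

if __name__ == "__main__":
    print(iteration_plan(250))                                        # 100
    print(time_based_verdict([120.0, 130.0, 125.0], 5200.0, 140.0, 5000.0))
    print(error_based_findings(DRY_RUN, TEST_RUN))
```

The dry-run comparison is what keeps an endpoint that is simply broken from being reported as injectable; the second timing pass is what keeps a single slow response (garbage collection, a cold cache) from being reported as a time-based injection.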
- Enhancements to Broken Authentication and Token-Based Categories:
- We have improved the heuristics used to identify unauthorized responses, which should provide more accurate results, especially for GraphQL scenarios. Additionally, the none and nonE token tests now include checks using unsigned tokens, expanding coverage for token validation weaknesses.
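The none/nonE and unsigned-token tests mentioned above probe whether an API's JWT verification accepts a token that carries no valid signature. As an added example that is not part of the release note or of APIsec's code, the following Python shows the verifier-side behaviour such a test expects: an allow-list on `alg`, rejection of `none` in any capitalisation, rejection of an empty signature, and a constant-time HMAC comparison. `verify_hs256`, `make_token` and `check` are hypothetical names; the key and claims are constructed test values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    part += "=" * (-len(part) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(part)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the token carries a genuine HS256 signature; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = str(header.get("alg", ""))
    # 'none', 'None', 'nonE', ... are all rejected; so is anything outside the allow-list.
    if alg.lower() == "none" or alg != "HS256":
        raise ValueError(f"unsupported alg: {alg!r}")
    if not sig_b64:
        raise ValueError("unsigned token")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def make_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a token for the tests below (constructed sample); key=None yields an unsigned token."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(header)}.{_b64url_encode(payload)}"
    if key is None:
        return signing_input + "."          # header.payload. with an empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def check(token: str, key: bytes) -> str:
    """Summarise the verifier's decision as a string."""
    try:
        verify_hs256(token, key)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    KEY = b"constructed-test-key"
    print(check(make_token({"sub": "alice"}, KEY), KEY))            # accepted
    print(check(make_token({"sub": "alice"}, None, "nonE"), KEY))   # rejected: unsupported alg
    print(check(make_token({"sub": "alice"}, None), KEY))           # rejected: unsigned token
```

The case-insensitive check matters because some libraries compare the algorithm name with `equalsIgnoreCase`-style logic while others do not; a verifier that pins a single expected algorithm and ignores the token's own `alg` value side-steps the whole class.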
Enhanced Search for MuleSoft API Gateway
Finding the right APIs in MuleSoft just got easier. We have expanded our MuleSoft API Gateway integration to support backend-powered search, improving both speed and accuracy when locating APIs. Since MuleSoft does not offer a native REST API for search, we implemented a new workflow behind the scenes:
- The platform now retrieves the available APIs from MuleSoft, temporarily stores the data in memory, and applies the search filters on the backend to return precise, relevant results.
This enhancement replaces the previous UI-only search and provides a more reliable, scalable way to explore your MuleSoft API inventory.
Policy Model Enhancements
We have refined how compliance status is displayed within the Policy Model's Applications tab. The platform now presents each component's status more clearly, along with the specific reasons behind compliance or non-compliance. This makes it easier to understand what needs attention and why.
UI Improvements
- Scan Details Page: The Scan Details page has been redesigned for better readability and a more organized presentation of results.
- Enhanced Toast Messages in Teams: We have improved the toast notifications that appear when performing actions in Teams, making them more informative and easier to understand.
Bug Fixes & Improvements:
- Improved Scan Stability with RBAC
- Scans will no longer fail due to invalid or expired RBAC credentials. Previously, if any RBAC credential was invalid, the scan would stop immediately. We now validate only the primary credential used to run the scan, allowing RBAC tests to continue with whichever valid credentials are available.
- Azure DevOps Bulk Closure Fix for User Stories
- User Story work items in Azure DevOps now close correctly when vulnerabilities are marked as false positives or auto-resolved through Threat Detections.
- Correct Access for Team Owners
- Team Owners now consistently have edit access to all applications assigned to their team, ensuring proper permissions and control.
- Reliable Spec Reload for Large APIs
- Large specifications now reload correctly when using options like “Retain existing endpoint configurations” or “Retain existing parameter values.”
- Persistent Authentication Form Data
- Re-selecting the same authentication method no longer clears previously entered data in the Authentication Credentials form.
- Accurate RBAC Status Indicators
- The App Modal now shows RBAC status updates immediately, accurately reflecting when RBAC configuration is in progress.
- Clear Credential Name for BOLA Escalation Findings
- When privilege escalation is detected during BOLA testing, the correct credential name is now displayed instead of showing a UUID, making results easier to understand.
- Correct Handling of Body Parameters
- Body parameters that include query fields are now updated correctly without overwriting other existing parameters.
- Activity Logs for MuleSoft Auto-Onboard
- Activity Logs now fully capture Auto-Onboard events from the MuleSoft API Gateway. This fix ensures complete visibility into when new APIs are detected and onboarded, giving teams clearer insight into automated actions happening behind the scenes.
NG Production Release Update - APIsec_cloud_6.11.1.0 (November 17, 2025)
We are excited to introduce the latest updates that enhance automation, strengthen security controls, and deliver a smoother experience for APIsec customers.
Extending AWS Integration: Auto-Reload Spec & Automatic API Onboarding Now Supported using Central ARN
Building on our support for AWS API Gateway integration using Cross-Account Role Assumption, we are further expanding its capabilities. You can now take advantage of Auto-Reload Spec and Automatic API Onboarding across all connected AWS accounts, making ongoing API management more streamlined.
Auto-Reload Spec
- Automatically keeps your API specifications up to date with weekly scheduled reloads.
- Preserves your configured endpoints, parameters, and schema settings to avoid overwriting customizations.
- Automatically disables the reload schedule if an API is unlinked.
Automatic API Onboarding
- Automatically detects and registers new or previously unregistered APIs.
- Performs weekly onboarding in batches of up to 50 APIs.
- Provides complete visibility into onboarding actions through activity logs.
Azure DevOps Integration: Now Supporting User Story Work Items
We have expanded our Azure DevOps (ADO) integration to allow creating User Stories directly from the platform. Many teams depend on User Stories as their main work item type for Agile processes, and this update ensures smooth alignment with those workflows.
Feature Highlights:
- You can now configure the integration to create User Stories in addition to Issues.
- User Stories generated through APIsec will appear directly on your ADO boards, allowing smoother collaboration with engineering teams.
- All standard details are included automatically, ensuring tickets are ready for immediate triage.
- Existing configurations for creating issues continue to work as expected, preserving backward compatibility.
Enhancing Custom Authentication
We have made significant upgrades to Custom Authentication, providing users with more flexibility, visibility, and control when working with complex authentication flows. These enhancements make it easier to debug, test, and transform data during token generation.
- Auto-Generating Random UUIDs
- Some authentication flows require a unique identifier (UUID) to be generated and submitted to obtain an authentication token (for example, a cookie or custom token).
- The system now automatically generates a RANDOM_UUID that remains constant throughout the execution of the authentication chain, thereby ensuring consistency and facilitating the management of these complex multi-step authentication processes.
- Introducing two new transformation keywords, find and replaceall, to help extract, modify, and refine authentication data dynamically:
- find – Uses regular expressions (Regex) to locate and capture specific values within a string. It also supports indexing to capture a particular occurrence of a match (e.g., the second or third instance).
- replaceall – Replaces one string with another and supports Regex for advanced matching. You can also use an empty replacement string to remove unwanted characters entirely.
- Additionally, multi-step transformations are now supported, so you can apply multiple transformation functions in sequence to fine-tune how data is extracted and prepared for subsequent steps in the authentication chain.
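To make the three ideas in this section concrete (a RANDOM_UUID fixed for the whole chain, `find` with an occurrence index and `replaceall` with regex and empty replacement, and chaining several transformations on one value), here is an added Python sketch of such a chain. It is not APIsec's implementation: `AuthChain`, `apply_chain`, the `{{NAME}}` placeholder syntax and the `fake_server` stand-in for the target API are assumptions made for the example, and the session and token values it produces are constructed.

```python
import re
import uuid
from typing import Callable, Dict, List, Tuple


def find(value: str, pattern: str, index: int = 0) -> str:
    """Return the index-th (0-based) regex match in value; the first capture group when the pattern has one."""
    matches = list(re.finditer(pattern, value))
    if index >= len(matches):
        raise ValueError(f"{pattern!r}: wanted occurrence {index}, found {len(matches)}")
    m = matches[index]
    return m.group(1) if m.lastindex else m.group(0)


def replaceall(value: str, pattern: str, replacement: str = "") -> str:
    """Regex replace-all; an empty replacement strips the matched text."""
    return re.sub(pattern, replacement, value)


TRANSFORMS = {"find": find, "replaceall": replaceall}


def apply_chain(value: str, steps: List[Tuple]) -> str:
    """Multi-step transformation: each step's output is the next step's input."""
    for name, *args in steps:
        value = TRANSFORMS[name](value, *args)
    return value


class AuthChain:
    """Runs the steps of a multi-step auth flow. RANDOM_UUID is generated once per run
    and stays fixed across every step, as the release note describes."""

    def __init__(self) -> None:
        self.context: Dict[str, str] = {"RANDOM_UUID": str(uuid.uuid4())}
        self.log: List[dict] = []

    def render(self, template: str) -> str:
        # substitute {{NAME}} placeholders from the accumulated context (assumed syntax)
        return re.sub(r"\{\{(\w+)\}\}", lambda m: self.context.get(m.group(1), m.group(0)), template)

    def step(self, name: str, request_template: str, send: Callable[[str], str],
             extract: Dict[str, List[Tuple]]) -> Dict[str, str]:
        request = self.render(request_template)
        response = send(request)
        for var, steps in extract.items():
            self.context[var] = apply_chain(response, steps)
        # per-step log of request, response and extracted values (the "test visibility" view)
        self.log.append({"step": name, "request": request, "response": response,
                         "extracted": {v: self.context[v] for v in extract}})
        return self.context


def fake_server(request: str) -> str:
    """Constructed stand-in for the target API; the session it issues echoes the request id it was sent."""
    m = re.search(r"X-Request-Id: ([0-9a-f-]+)", request)
    if m and "Cookie:" not in request:
        return f"HTTP/1.1 200 OK\r\nSet-Cookie: session=s-{m.group(1)[:8]}; Path=/; HttpOnly\r\n\r\n"
    if "Cookie: session=" in request:
        return '{"token":"Bearer tok-1,tok-2","expires":3600}'
    return "HTTP/1.1 401 Unauthorized\r\n\r\n"


def run_demo() -> AuthChain:
    chain = AuthChain()
    chain.step("login", "POST /login\r\nX-Request-Id: {{RANDOM_UUID}}\r\n\r\n", fake_server,
               {"SESSION": [("find", r"session=([^;]+)")]})
    chain.step("token", "GET /token\r\nX-Request-Id: {{RANDOM_UUID}}\r\nCookie: session={{SESSION}}\r\n\r\n",
               fake_server,
               {"TOKEN": [("find", r'"token":"([^"]+)"'),      # pull the JSON field
                          ("replaceall", r"^Bearer\s+", ""),   # drop the scheme prefix
                          ("find", r"[^,]+", 1)]})             # keep the second comma-separated value
    return chain


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry["step"], entry["extracted"])
```

The third extraction step shows why an occurrence index on `find` is useful: the same pattern matches twice, and the chain needs the second hit. The log list is what a "test authentication" view would render, one entry per step.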
- Improved Test Authentication Visibility
- The Custom Authentication Test experience has been enhanced to provide complete transparency into the authentication flow. Each step now includes detailed logs showing how tokens are generated, how data is transformed, and how it is passed through the authentication chain.
- This improvement makes it easier to debug issues, understand complex authentication sequences, and ensure every part of the flow works as expected.
Security Enhancement: Strengthening Authentication Token Scope
- As part of our continued commitment to platform security, we have implemented a key enhancement that tightens the scope and utilization of authentication tokens generated within the platform.
- This update ensures that each token is strictly bound to its intended context and permissions, minimizing the risk of privilege escalation or account hijacking.
- This improvement further strengthens the platform's overall security posture and aligns with best practices for token-based authentication systems.
Enhancing Teams: Expanded Control for Administrators and Team Owners
- We have introduced a new improvement to team management that gives Administrators and Team Owners greater control over their teams. They can now remove applications from a team directly, making it easier to maintain clean, accurate, and aligned team assignments with organizational needs.
- This enhancement streamlines team maintenance, ensuring that application access remains properly managed as teams evolve.
Improved Trial Experience for PLG Users: Streamlined Access and Upgrade Path
We have refined the 30-day trial experience to provide more precise boundaries and a smoother path to upgrading:
- Controlled Feature Access: Trial users can now view applications and run authenticated or unauthenticated scans, except for RBAC and BOLA scans, which remain restricted.
- Limited Configuration Access: After the trial period ends, configuration changes (adding new configurations or updating existing settings) are limited, so that evaluation stays within the intended trial window and testing does not continue free of charge beyond it.
Issue Fixes:
- Protected Sensitive Fields in Custom Authentication: Updating custom authentication will no longer overwrite sensitive values. Existing credentials and secure fields are now preserved unless explicitly changed.
- Improved Monthly Activity Report Accuracy: The Monthly Activity Report in the Security Hub has been updated to reflect more accurate timelines for application creation.
- Prevented Parameter Overwrites During Spec Reload: Reloading an API specification will no longer overwrite existing DTO parameters that already exist in other endpoints.