October
NG Production Release Update - APIsec_cloud_6.10.1.0 ( October 03, 2025 )
We are excited to share the latest updates designed to make the APIsec customers' experience smoother, safer, and more powerful. Here’s what’s new:
AWS API Gateway Integration via IAM Role
APIsec now supports connecting to AWS API Gateway using IAM Roles in addition to IAM User credentials. Previously, integration required providing long-lived IAM User credentials, which raised concerns for some customers about credential management and security best practices. To address this, APIsec now enables a role-based integration that aligns with AWS security guidelines. With this enhancement, customers can securely provide a Role ARN (roleArn) instead of IAM User credentials. APIsec assumes the specified IAM Role to access the AWS API Gateway and perform read operations securely using temporary credentials.
Key Benefits:
- Eliminates the need for long-lived IAM User credentials
- Follows AWS-recommended security practices using temporary credentials
- Simplifies permission management with Role-based access control
Revoke Risk Acceptance on Vulnerabilities
Changed your mind about a vulnerability you previously accepted? No problem.
- Owners, admins, and collaborators with edit access can reactivate vulnerabilities that were previously marked as 'Risk Accepted'.
- If you’re using an issue tracker, the linked ticket will automatically update with comments — including who marked and revoked the decision.
Reload GraphQL Specs with SDL
GraphQL users, this one’s for you! You can now reload API specifications using GraphQL SDL.
- Upload your updated SDL file to refresh an existing spec.
- Choose whether to keep or remove:
- Endpoints missing from the spec
- Existing parameter values
- Schema configurations
Auto-Reload Specification via API Gateways
The Auto-Reload Spec capability, first introduced for AWS API Gateway on August 22, 2025 and then extended to Azure API Management (APIM) and MuleSoft API Gateway on September 04, 2025, now also supports SwaggerHub API Gateway.
- Supported Gateways: AWS API Gateway, Azure API Management (APIM), MuleSoft API Gateway and SwaggerHub.
- Scheduling: Reload jobs can be scheduled weekly, with support for more frequent synchronization planned for future releases.
- Configuration Options: Users can configure whether to retain or remove:
- Endpoints missing from the specification
- Existing parameter values
- Schema configurations
- Reliability: Maintains accurate and up-to-date API specifications while minimizing the risk of data loss.
- Access Control: Only Administrators and Application Owners with gateway access can schedule this task.
- Unlinking Behavior: If an API is unlinked from its application, the scheduled synchronization is automatically disabled.
- Activity Logging: All scheduled activity statuses are recorded in the activity logs.
RBAC Retest for Individual Endpoints
No more re-running entire RBAC flows just to test new endpoints.
- You can now re-run access checks on a single endpoint.
- Previously discovered permissions stay intact — so you only validate what’s new.
Admin Controls for Teams and Business Units
Administrators now have more flexibility:
- Manage team members directly (not just team owners).
- Delete Business Units when needed.
Fixes & Improvements
- Postman Collection Onboarding: Fixed a confusing error message that showed onboarding as failed even though the application was successfully created.
- Empty Parameter Deletion: You can now delete empty parameters without errors.
- BOLA Dry Run: Now supports multiple resource IDs in the Select Resource attack scenarios.
- UI – Application List View: Resolved an issue with pagination where data was displayed in the wrong columns.
NG Production Release Update - APIsec_cloud_6.10.2.0 ( October 21, 2025 )
We have rolled out a series of enhancements that strengthen automation, performance monitoring, and security controls across the platform.
Auto-Reload Spec & Automatic API Onboarding — Expanded Gateway Coverage
We are excited to share that Auto-Reload Spec and Automatic API Onboarding now fully support SwaggerHub API Gateway and Postman API Platform, completing coverage across all major API gateways — Microsoft Azure APIM, MuleSoft, and AWS API Gateway.
Auto-Reload Spec
- Keeps API specs in sync through scheduled reloads (currently weekly).
- Retains endpoint, parameter, and schema configurations as configured.
- Automatically disables sync tasks if an API is unlinked.
Automatic API Onboarding
- Detects and registers new or unregistered APIs automatically.
- Supports weekly onboarding in batches of 50.
- All onboarding activities are logged for visibility.
These enhancements simplify API management, reduce manual effort, and keep your inventory current.
Test Authentication — Improved Visibility & Debugging
We have enhanced the Test Authentication workflow to make it more transparent, informative, and easier to troubleshoot.
Feature Highlights:
- Clear visual indicator when authentication begins.
- Displays actual request and response from the authentication step.
- Provides detailed failure responses for easier debugging.
- Sensitive information, such as passwords and secrets, remains masked.
These improvements remove the guesswork from authentication testing, making it faster and easier to identify and resolve issues.
Private URL Registration via Hosted Agent
- APIs can now be registered using Private OAS URLs through a hosted agent.
- The system will automatically detect and retrieve the OAS content if the agent is available and active, reducing manual steps.
RBAC Enhancements
We have refined RBAC behavior to improve stability, visibility, and control.
- Automatic deletion of scan configs when an RBAC identity is removed.
- Added missing logs after retest permissions.
- Improved RBAC dry run scan tracking and orphan identity handling.
- Enhanced coalescing of RBAC scan configs.
- Fixed an issue with allowing retest of permissions after uploading an RBAC Map.
- Introduced RBAC Map Upload and Download for easier management.
OAS Enhancements & GraphQL Data Type Support
- Improved handling of GraphQL Array and BigDecimal data types in API definitions.
- Removed excessive data from API specifications to ensure successful application registration.
Scheduling Fix
- Corrected the Next Execution Date display for API Gateway Auto-Onboard and Auto-Reload jobs, ensuring accurate scheduling visibility.
NG Production Release Update - APIsec_cloud_6.10.3.0 ( October 31, 2025 )
We have rolled out a series of enhancements that strengthen automation, performance monitoring, and security controls across the platform.
Policy Model
We are excited to introduce the Policy Model, a new framework that helps administrators set, enforce, and monitor security standards across all applications in their organization.
This model provides structure and visibility to key security expectations, including how frequently applications should be scanned, which test categories must be covered, and how teams should respond when vulnerabilities are discovered. By defining these controls upfront, organizations can ensure consistent security practices, identify gaps early, and keep remediation efforts aligned with SLAs and compliance goals.
Here is a breakdown of the core components included in this release:
- Scan Schedule: Specify how frequently applications need to be scanned — every few hours, daily, weekly, or monthly — to ensure continuous security coverage and timely detection of new risks.
- Test Scope: Execute the required test categories for each application. Applications must run these selected category types to remain compliant with their assigned policy.
- Response Actions: Define how newly discovered vulnerabilities should be handled. For example, automatically creating a ticket when a vulnerability meets a defined severity level ensures issues are appropriately tracked and routed to engineering teams for resolution.
- Risk Mitigation: Ensure vulnerabilities are remediated within the SLA defined in the policy. To stay compliant, active vulnerabilities must be resolved within the established timelines, thereby reinforcing accountability and reducing long-term exposure.
The Policy Model provides a consistent and repeatable way to manage security expectations at scale, helping teams stay aligned, proactive, and entirely in control of their application security posture.
Simplifying AWS API Gateway Integration with Cross-Account Role Assumption
Managing APIs across multiple AWS accounts just got a whole lot easier. Previously, organizations needed to create and maintain separate integration connections for each AWS account when onboarding APIs to the APIsec platform. This approach proves effective for smaller organizations. However, enterprises may have multiple accounts, which can result in higher operational overhead and more complex management for multi-account environments.
With this release, we are introducing support for AWS Cross-Account IAM Role Assumption (also referred to as Central ARN). This enhancement streamlines the onboarding and management process for organizations that use multiple AWS accounts. Here is how it works:
- A single Central Role ARN is configured in the APIsec platform.
- That role can securely assume Child Roles across multiple AWS accounts.
- This allows customers to create a single integration connection that grants access to APIs across all linked AWS accounts, eliminating the need for separate connections or repetitive setup.
- IAM role creation in child accounts is centrally managed, allowing the entire process to scale seamlessly as your AWS environment grows.
The central ARN provides a more straightforward integration, reduced manual configuration, and lower operational overhead for large multi-account AWS deployments.
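The role-based integration described above (a single Central Role ARN in APIsec that assumes Child Roles in each linked AWS account, with only read access to API Gateway) depends on the trust and permission policies attached to those child roles. The following is an added example, not APIsec code and not an AWS-published template: it builds the two policy documents a child account would need and audits a trust policy for the mistakes that most often over-grant cross-account access (a wildcard principal, account-wide `:root` trust, or a principal other than the central role). The account IDs, role names and the ExternalId value are constructed placeholders, and the `sts:ExternalId` condition is a standard AWS control added here as a recommended assumption, not something the page states APIsec requires.

```python
import json

# Constructed sample ARNs and IDs (hypothetical; not from the release notes).
CENTRAL_ROLE_ARN = "arn:aws:iam::111111111111:role/apisec-central-role"
CHILD_ACCOUNT_ID = "222222222222"
CHILD_ROLE_ARN = f"arn:aws:iam::{CHILD_ACCOUNT_ID}:role/apisec-child-role"


def child_role_trust_policy(central_role_arn: str, external_id: str) -> dict:
    """Trust policy for a child-account role.

    Only the exact central role ARN may call sts:AssumeRole, and only when it
    presents the agreed ExternalId (assumed control, see lead-in).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": central_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def child_role_permissions_policy() -> dict:
    """Permissions for the child role: read-only on API Gateway.

    The page says the assumed role performs read operations, so only the
    apigateway:GET action is granted (least privilege).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["apigateway:GET"],
                "Resource": ["arn:aws:apigateway:*::/*"],
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_principal: str) -> list[str]:
    """Return findings for a trust policy; an empty list means it is as tight as expected."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # this statement does not grant AssumeRole
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any AWS principal may assume this role")
            principals: list = []
        else:
            principals = principal.get("AWS", [])
            principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS principal may assume this role")
            elif p.endswith(":root"):
                findings.append(f"account-wide trust {p}: every principal in that account may assume the role")
            elif p != expected_principal:
                findings.append(f"unexpected principal {p}")
        conditions = stmt.get("Condition", {})
        if "sts:ExternalId" not in conditions.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition on AssumeRole")
    return findings


if __name__ == "__main__":
    trust = child_role_trust_policy(CENTRAL_ROLE_ARN, "demo-external-id")
    print(json.dumps(trust, indent=2))
    print(json.dumps(child_role_permissions_policy(), indent=2))
    print("findings:", audit_trust_policy(trust, CENTRAL_ROLE_ARN))
```

Run the audit against every child role's trust policy when onboarding a new account: the only principal that should appear is the central role ARN, and a `:root` or `*` principal widens access well beyond the single integration the page describes.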
Coming soon:
The ability to schedule weekly Auto-Onboarding with an exclusion option, allowing customers to automatically discover and register new APIs while skipping sample or test apps.
New Security Categories to Strengthen Authentication Exploitation Testing
We have expanded our security testing coverage with new categories that focus on authentication-related vulnerabilities. These additions enhance detection for potential weaknesses in API authentication flows and token management.
- OIDC Discovery: Checks if your API exposes an OpenID Connect (OIDC) discovery endpoint that could unintentionally disclose sensitive configuration details.
- JWKS Discovery: Validates whether your API exposes a JSON Web Key Set (JWKS) discovery endpoint, which could reveal cryptographic keys if misconfigured.
- Algorithm Confusion: Detects if your API is vulnerable to token forgery attacks through algorithm confusion, where mismatched signing and verification methods could be exploited.
These categories strengthen your API's defense against authentication exploits and ensure comprehensive coverage of identity and token security risks.
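The Algorithm Confusion category above flags APIs whose verifier lets the token decide how it is verified. The mitigation is to pin the algorithm on the server side and treat any other `alg` header (including `none`) as a hard failure. The following is an added example, not APIsec's own check and not a description of how its scanner works: a minimal HS256 verifier written with the Python standard library that pins the algorithm, together with a token minter used only to build sample inputs. The secret and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (hypothetical; never reuse in a real deployment).
SECRET = b"demo-secret-not-for-production"

# The server pins exactly one algorithm; the token header never gets a vote.
EXPECTED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a valid HS256 token (used here to build sample inputs)."""
    signing_input = f"{_encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token_sample(claims: dict) -> str:
    """Negative test fixture: a token whose header claims alg=none and carries no signature."""
    return f"{_encode_segment({'alg': 'none', 'typ': 'JWT'})}.{_encode_segment(claims)}."


def verify_pinned(token: str, secret: bytes, expected_alg: str = EXPECTED_ALG) -> dict:
    """Verify a JWT against a pinned algorithm; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Hardened check: anything other than the pinned algorithm is rejected before
    # any cryptography runs, so "none" and cross-algorithm headers never reach
    # the signature step.
    if alg != expected_alg:
        raise ValueError(f"algorithm mismatch: header says {alg!r}, server pins {expected_alg!r}")
    if expected_alg != "HS256":
        raise ValueError("this demo verifier implements HS256 only")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def is_rejected(token: str, secret: bytes) -> bool:
    """True when the pinned verifier refuses the token."""
    try:
        verify_pinned(token, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, SECRET)
    print("valid token accepted:", verify_pinned(good, SECRET))
    print("alg=none rejected:", is_rejected(unsigned_token_sample({"sub": "alice"}), SECRET))
```

The point to carry into a real code base is the order of checks: compare the header's `alg` against the server-side constant first, and only then run the verification routine for that one algorithm with the key type that algorithm expects. Libraries that accept an `algorithms` allow-list implement the same idea; passing a single-element list is the equivalent of the pin above.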
Authentication Enhancements
Several improvements have been made across multiple authentication workflows to improve reliability and accuracy:
- Bearer Token Authentication: Now supports additional body parameters during tests and scans. Previously, URLs containing colons (:) were misinterpreted as delimiters, impacting token resolution. This has been fixed.
- Custom Authentication:
- Improved null pointer exception handling.
- Added support for specifying the Content-Type in custom authentication chain extraction rules to override incorrect content types returned by the authentication endpoint, preventing authentication failure errors.
- Fixed missing response body details in authentication test results.
Spec Parsing Improvements
The Application Registration and Reload Spec processes now handle incomplete or malformed schemas more gracefully. The resolver sanitizes and corrects schema definitions before registration, preventing errors caused by undefined or null response types. This enhancement ensures smoother onboarding and reduces failures during spec reloads or updates.
RBAC Access Check Improvements
The RBAC dry run process now supports refresh tokens. If a token expires during a dry run, the system automatically generates a new one using the TTL value in the authentication configuration.
Security Upgrade
A new hosted image has been published to enhance security updates and ensure continued compliance with best practices.