42Crunch Platform release, September 27, 2019

This 42Crunch Platform release introduces support for OpenAPI Specification (OAS) v3, as well as self-registration and OAuth sign-in to the platform.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.9.1

All previous image versions have been deprecated and are not compatible with this version of the platform.

New features

This release includes the following new features and improvements to existing ones.

OpenAPI v3 support in API Security Audit

In addition to OAS v2, 42Crunch Platform infrastructure and Security Audit now support OAS v3:

  • Import API definitions following OAS v3 to API collections.
  • Audit and improve the security of OAS v3 APIs.
  • Get issue descriptions and fix recommendations specific to the OAS version your API follows.
  • API Security Encyclopedia now has dedicated sections for each OAS version.

Support for OpenAPI v3 in API Conformance Scan and API Protection is coming in later releases.

For more details, see API Security Audit.

Improved audit score

The audit score that Security Audit calculates for your API has been clarified:

  • Validation of the OpenAPI format in your API definition has been separated from the assessment of the security risks.
  • Structural issues found in validation now stop the audit from proceeding to the security risk assessment, so you can first get the API structurally sound without being swamped with everything at once.
  • Only the security risks affect the score now, so it better reflects how secure your API is.

For more details, see Audit score.
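The two-phase model described above (structural validation first, security risks scored only once the structure is sound, and checks selected by the OAS version the definition declares) is illustrated below. This is an added example written for these notes, not 42Crunch's audit engine: the structural checks, the security checks and the weights are hypothetical placeholders, and the three API definitions are constructed samples.

```python
# Added illustration of a two-phase API definition audit: phase 1 validates the
# OpenAPI structure and, if that fails, the audit stops; phase 2 runs
# version-specific security checks and derives the score from those alone.
# Checks and weights are hypothetical placeholders, not 42Crunch's real ones.
from typing import Any, Dict, Iterator, List, Optional, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample definitions: an OAS v2 API over cleartext HTTP with no
# authentication, an OAS v3 API over HTTPS with an API key, and a broken document.
OAS2_DOC: Dict[str, Any] = {
    "swagger": "2.0",
    "info": {"title": "Pets", "version": "1.0"},
    "schemes": ["http"],
    "paths": {"/pets": {"get": {"responses": {"200": {"description": "ok"}}}}},
}
OAS3_DOC: Dict[str, Any] = {
    "openapi": "3.0.2",
    "info": {"title": "Pets", "version": "1.0"},
    "servers": [{"url": "https://api.example.test"}],
    "components": {"securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-Key"}}},
    "paths": {"/pets": {"get": {"security": [{"apiKey": []}],
                                "responses": {"200": {"description": "ok"}}}}},
}
BROKEN_DOC: Dict[str, Any] = {"openapi": "3.0.2", "info": {"title": "Pets"}}  # no paths, no info.version


def detect_oas_version(doc: Dict[str, Any]) -> Optional[str]:
    """Return "v2" or "v3" from the document's version marker, or None if absent."""
    if doc.get("swagger") == "2.0":
        return "v2"
    if str(doc.get("openapi", "")).startswith("3."):
        return "v3"
    return None


def validate_structure(doc: Dict[str, Any]) -> List[str]:
    """Phase 1: structural validation. Returns the list of structural problems found."""
    problems: List[str] = []
    if detect_oas_version(doc) is None:
        problems.append("missing or unsupported OAS version marker ('swagger' or 'openapi')")
    info = doc.get("info")
    if not isinstance(info, dict):
        problems.append("missing 'info' object")
    else:
        for field in ("title", "version"):
            if field not in info:
                problems.append(f"missing 'info.{field}'")
    if not isinstance(doc.get("paths"), dict):
        problems.append("missing 'paths' object")
    return problems


def operations(doc: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (path, method, operation) for every operation in the document."""
    for path, item in doc.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                yield path, method.lower(), op


def assess_security(doc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Phase 2: security-risk findings, each with a (hypothetical) weight."""
    findings: List[Dict[str, Any]] = []
    version = detect_oas_version(doc)
    # Transport is declared differently per OAS version: v2 uses 'schemes', v3 uses 'servers'.
    if version == "v2" and "http" in doc.get("schemes", []):
        findings.append({"id": "transport-cleartext", "weight": 20, "where": "schemes"})
    elif version == "v3":
        for server in doc.get("servers", []):
            if str(server.get("url", "")).startswith("http://"):
                findings.append({"id": "transport-cleartext", "weight": 20, "where": server["url"]})
    # Operations with no security requirement, neither global nor per-operation.
    global_security = doc.get("security")
    for path, method, op in operations(doc):
        if not op.get("security", global_security):
            findings.append({"id": "no-auth", "weight": 30, "where": f"{method.upper()} {path}"})
    return findings


def audit(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Run both phases; structural failures stop the audit and yield no score."""
    structural = validate_structure(doc)
    if structural:
        return {"status": "structure-failed", "structural_issues": structural, "score": None}
    findings = assess_security(doc)
    score = max(0, 100 - sum(f["weight"] for f in findings))  # only security risks affect the score
    return {"status": "ok", "version": detect_oas_version(doc), "findings": findings, "score": score}


if __name__ == "__main__":
    for name, doc in (("oas2", OAS2_DOC), ("oas3", OAS3_DOC), ("broken", BROKEN_DOC)):
        print(name, audit(doc))
```

The broken document never reaches the scoring phase, which is the behaviour the score change describes; the v2 and v3 documents are scored with checks chosen by their declared version.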

Self-registration and OAuth sign-in

You can now create a user account on 42Crunch Platform yourself.

  • Get an account when you want it; there is no need to contact support or a platform admin.
  • Everyone is welcome - individual users can register too, not just businesses.
  • Instead of creating yet another account, you can now also sign in securely with your GitHub, Google, or Azure account.

For more details, see Users and organizations.

UX improvements

There are also smaller additions to improve the user experience:

  • The API Firewall instances page now has a refresh button so you can be sure you are seeing the latest information.
  • The names of the access levels have been clarified: read-only access is now called limited access.

Known issues

This release has the following known issues.

Refresh of Security Audit reports

As the model of Security Audit has changed significantly, you must rerun the audit on your existing APIs to get an up-to-date audit report. This also recalculates the audit score for your API, so do not be alarmed if the score changes slightly.

For more details, see View audit reports.

Mandatory update of protection configurations

API Protection has been changed on a fundamental level. This means that you must reconfigure all existing protection configurations for your API Firewall instances, so that they pick up the changes. If you do not update protection configurations, API Firewall instances cannot run and protect your APIs.

If you do not reconfigure the protection configurations, you will see the following error in the API Firewall logs:

guardian: Syntax error on line 28 of /opt/guardian/conf/httpd.conf: Cannot load modules/libmod_guardian.so into server: Error loading shared library /opt/guardian/modules/libmod_guardian.so: No such file or directory

For more details, see Reconfigure API Protection.

OAuth support

Signing in with OAuth works, but is still a work in progress. Some use cases have not yet been implemented, so you may come across unexpected errors and usability hiccups. OAuth sign-in will be improved in the next release.