42Crunch Platform release, October 8, 2021

This 42Crunch API Security Platform release adds customization options for API Security Audit and API Conformance Scan, and brings new environment variables for API Firewall.

New features

This release includes the following new features and improvements to existing ones.

Customizations for Security Audit and Conformance Scan

Organization administrators can now customize how the features in 42Crunch Platform work. You can now add rules to change the behavior of Security Audit and Conformance Scan, such as:

  • Skip checks and tests that have proven problematic in your environment.
  • List response codes that you know to be expected in your framework but that differ from what Conformance Scan expects by default.
  • Add custom headers to the requests that Conformance Scan sends.

To apply a rule to an API, you tag the API with the tag the rule is bound to. Each category:tag pair can carry a single customization rule, and you choose that tag when you define the rule.

For more details, see Customizations.

New checks to Security Audit

Security Audit has new checks and a new group, "Paths", in the data validation checks. The group reports the following issues for empty path items. Although the OpenAPI Specification (OAS) allows empty path items, API Protection cannot fully protect what it cannot see and therefore requires the canonical version of your OpenAPI definition. For more details, see the following:

Because empty path items affect how your API can be protected, they must be reflected in its data definition quality. These new checks can therefore reduce points and affect the audit score of your APIs.

We have also moved the following checks from semantic issues to best practices, so that they no longer prevent you from running Conformance Scan:

These changes do not affect your audit scores.

We have also added $ref to the list of allowed properties in securityScheme, and the executive dashboards now correctly include points from both data validation and security when calculating average scores.

Improvements to reports and logs when running Conformance Scan on premises

If you click the scan results in the API list of a collection, the UI automatically opens the correct report regardless of whether the scan was run in 42Crunch Platform or on premises.

In addition, results from on-premises scans are now taken into account in the executive dashboards when you use the latest available Docker image for Conformance Scan (see Conformance Scan images). The scan trends on the API summary tab reflect the results from on-premises scans regardless of the version of the Conformance Scan image.

We have also fixed a bug in string value generation where the default values for scan could conflict with the set maxLength value. Conformance Scan now takes the defined minLength and maxLength into account when generating the string values used in the tests.

Blocking levels for API Firewall

The on/off switch for non-blocking mode in API Firewall has been replaced with more granular control through blocking levels.

  • Define what you want API Firewall to block and what it should only report, to help in troubleshooting.
  • Specify separate treatment for requests to APIs protected by API Firewall and requests to unknown APIs.

For more details, see Set API Firewall blocking level.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.8-1
    • Fixed the parsing of array parameters with OASv2 when no collectionFormat is specified.
    • Fixed sending transaction logs to the platform when log destination is set to PLATFORM+STDOUT.
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.12.2
    • Customization with scan rules.
    • Fixed a bug in creating string values where the default value could conflict with set maxLength.
    • Results from scans reflected in the executive dashboards in 42Crunch Platform.
  • 42crunch/scand-agent:v1.11.1
    • Fixed a bug in scan occasionally generating a null body.
    • Fixed a bug in the injection schema-uniqueitems-unique-scan.
    • Support for null values for the extension x-42c-sample.
  • 42crunch/scand-agent:v1.10.0
    • Fixed bug with default request timeout.
  • 42crunch/scand-agent:v1.9.4
    • Fixed serialization of array objects in query string parameters.
    • Changed behavior in log upload.
  • 42crunch/scand-agent:v1.8.6
    • Fixed happy path request generation with the value from default or x-42c-sample.
  • 42crunch/scand-agent:v1.8.3
    • Removed the unnecessary JSON complexity check.
    • Scan configurations can be pushed with API key in addition to session ID.
  • 42crunch/scand-agent:v1.8.1
    • Improved JSON schema library.
    • Improved messages.
    • Case-insensitive header name evaluation.
    • Option to reuse values sent during the happy path requests as a basic example (this can cause problems if the API has value constraints, such as a unique ID, email, or name, because the scan may be unable to generate a value for a very specific case).
  • 42crunch/scand-agent:v1.7.4
    • Fixed handling of multipleOf when its range is [0;0.50].
  • 42crunch/scand-agent:v1.6.0
    • This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
    • Environment variables for communication through proxy to both platform and APIs.
    • Scan handles null value in API response.
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • TLS configuration allows a remote server to repeatedly request renegotiation.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails.
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Customization rules cannot be edited yet

Currently, it is not possible to edit a customization rule for Security Audit or Conformance Scan after it has been created. If you want to make changes to a rule, you must delete it and create a new one.

This will be fixed in a future release.

Skipped HTTP methods not excluded from Conformance Scan

Excluding HTTP methods from the scan tests in a scan rule is not yet working: the scan still generates tests for these HTTP methods.

This will be fixed in a future release.

API Firewall blocking levels available only as environment variables

Setting the blocking levels for an API Firewall instance is currently only possible by manually adding the environment variables to your deployment files.

We are working to include this on the UI in a future release.

Promoting organization administrators resets sharing permissions

Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow these users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization are retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of strings in the requests it sends during the scan to 4096. If the minLength or maxLength properties, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, the scan runs into issues.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
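The two failure modes above, together with the empty path items that the new "Paths" audit group flags, can be checked for before a scan. The following is an added example, not 42Crunch code; the 4096 limit comes from these notes and is assumed here to count characters, and the sample definition is constructed for the demonstration.

```python
# Added example, not 42Crunch code: a pre-audit check of an OpenAPI definition for
# two things this release describes, empty path items and string length bounds that
# collide with Conformance Scan's default string limit (4096 per the notes; the unit
# is assumed here to be characters).
SCAN_MAX_STRING_LENGTH = 4096
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def find_empty_path_items(spec):
    """Paths whose item declares no HTTP operation (nothing for API Protection to see)."""
    return [path for path, item in spec.get("paths", {}).items()
            if not any(method in (item or {}) for method in HTTP_METHODS)]

def _string_schemas(node, where):
    """Yield (location, schema) for every string schema that carries a length bound."""
    if isinstance(node, dict):
        if node.get("type") == "string" and ("minLength" in node or "maxLength" in node):
            yield where, node
        for key, value in node.items():
            yield from _string_schemas(value, f"{where}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _string_schemas(value, f"{where}/{index}")

def find_scan_length_conflicts(spec, limit=SCAN_MAX_STRING_LENGTH):
    """Classify conflicts by the failure mode the release notes describe: minLength
    above the limit blocks the happy-path request entirely, while maxLength above
    the limit lets the happy path through but not the actual scan request."""
    findings = []
    for where, schema in _string_schemas(spec.get("paths", {}), "#/paths"):
        if schema.get("minLength", 0) > limit:
            findings.append((where, "minLength", schema["minLength"], "no happy-path request"))
        elif schema.get("maxLength", 0) > limit:
            findings.append((where, "maxLength", schema["maxLength"], "happy path OK, scan request fails"))
    return findings

# Constructed sample definition for the demonstration (not a real API).
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {
    "/health": {},  # empty path item: flagged by the new "Paths" group
    "/notes": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {
            "body": {"type": "string", "maxLength": 65536},  # happy path OK, scan request fails
            "title": {"type": "string", "maxLength": 120}}}}}}}},
    "/blobs": {"put": {"parameters": [{"name": "payload", "in": "query",
        "schema": {"type": "string", "minLength": 5000}}]}}}}  # no happy-path request

if __name__ == "__main__":
    print("empty path items:", find_empty_path_items(SAMPLE_SPEC))
    for finding in find_scan_length_conflicts(SAMPLE_SPEC):
        print("conflict:", *finding)
```

Running this over a real definition before a scan tells you which operations will show up as skipped and why, so the definition can be fixed first.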

Regular expression lookaheads may cause issues

If your API definition contains regular expressions with positive or negative lookaheads, they may cause unexpected behavior, for example in Conformance Scan.