42Crunch Platform release, June 9, 2020

This 42Crunch Platform release brings updates to API Security Audit, introduces x-42c vendor extensions to the OpenAPI Specification (OAS), and adds plenty of little improvements to make using 42Crunch Platform easier.

In addition, we have released an app for integrating Security Audit with CI/CD in Atlassian Bamboo, improved the CI/CD integration with Jenkins, and added instructions on deploying API Firewall to Amazon Elastic Container Service (ECS) on Fargate.

New features

The following are the new features and improvements to the existing ones in this release.

Updates to Security Audit checks

We have added a new check and re-evaluated the severity of two data validation checks:

  • The new check helps you ensure that none of your header parameters are considered equal. Unlike other parameters, header parameters are not case-sensitive, so two header parameters whose names differ only in case count as the same header. This check applies to both OAS v2 and v3.
  • The severity of the data validation checks for undefined schemas on parameters and media type objects has been increased slightly for OAS v3, so the audit score of your APIs might be different on subsequent audits.

In addition, Security Audit now supports patterned fields, such as 2XX, and no longer incorrectly flags them as an error.
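The case-insensitivity check described above, as an added illustration (not 42Crunch's own implementation): the script walks a constructed OpenAPI definition and reports header parameters in the same operation whose names differ only in case, while leaving case-sensitive query parameters alone. The paths/parameters layout is the same in OAS v2 and v3, so the function works on either.

```python
import json
from collections import defaultdict

# Constructed sample OAS v3 definition: the path-level "X-Request-Id" and the
# operation-level "x-request-id" are the same HTTP header; "limit"/"Limit" are
# query parameters, which are case-sensitive, so they are not reported.
SAMPLE_OAS3 = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/items": {
      "parameters": [{"name": "X-Request-Id", "in": "header", "schema": {"type": "string"}}],
      "get": {
        "parameters": [
          {"name": "x-request-id", "in": "header", "schema": {"type": "string"}},
          {"name": "limit", "in": "query", "schema": {"type": "integer"}},
          {"name": "Limit", "in": "query", "schema": {"type": "integer"}}
        ],
        "responses": {"2XX": {"description": "ok"}}
      }
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def _header_params(param_list):
    return [p["name"] for p in param_list if p.get("in") == "header"]

def find_header_collisions(oas):
    """Return (path, method, [names]) for header parameters that differ only in
    case. Path-level parameters apply to every operation under the path, so
    they are merged with the operation's own parameters before comparing."""
    collisions = []
    for path, item in oas.get("paths", {}).items():
        path_level = _header_params(item.get("parameters", []))
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            groups = defaultdict(list)
            for name in path_level + _header_params(op.get("parameters", [])):
                groups[name.lower()].append(name)  # HTTP header names compare case-insensitively
            for variants in groups.values():
                if len(variants) > 1:
                    collisions.append((path, method, variants))
    return collisions

if __name__ == "__main__":
    for path, method, names in find_header_collisions(SAMPLE_OAS3):
        print(f"{method.upper()} {path}: header parameters {names} are the same header")
```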

x-42c vendor extensions to the OAS

42Crunch offers vendor extensions to OAS that enable you to provide additional instructions when running Security Audit:

  • x-42c-no-authentication lets you run Security Audit without authentication checks.
  • x-42c-sensitivity lets you specify how sensitive a particular operation in your API is, to give it more weight in the audit.

More vendor extensions will be added later.

Improvements to user experience

We have made several improvements to the user experience of 42Crunch Platform:

  • You are now notified on the platform UI when a new version is available. You can refresh your browser window and switch to the new version immediately. If you are in the middle of something, you can either choose to be reminded a bit later, or dismiss the notification to snooze it for two hours.
  • Based on user feedback, the order of the fields in the Import API dialog has been changed, and the name of the ID that is used to identify each OpenAPI definition in the platform has been clarified as API UUID. For more details, see Import APIs.
  • Security Editor is now available even if your OpenAPI definition exceeds the limits for complexity so that you can still fix it in the platform to meet the restrictions. For more details, see Security Editor.
  • Transaction logs are now cached to improve browsing them. For more details, see Trace Explorer.

Bamboo integration for Security Audit

You can now automate Security Audit of your OpenAPI definitions directly in your CI/CD in Atlassian Bamboo. The Bamboo app, REST API Static Security Testing plugin, provides a custom task that you can add to your Bamboo plan and configure as needed.

For more details, see CI/CD integrations.

Improvements to Jenkins integration for Security Audit

We have added more information on integrating Security Audit with Jenkins through the REST API Static Security Testing plugin:

  • Additional configuration that is needed if your Jenkins is running behind an HTTP or HTTPS proxy.
  • Support for declarative pipelines in Jenkins.

For more details, see Integrate Security Audit with Jenkins.

API Firewall in Amazon ECS on Fargate

You can now deploy API Firewall to Amazon ECS on Fargate to protect the APIs you have deployed there.

For more details, see Deploy API Firewall for your own APIs.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.16.11
    • Upgraded to the latest OpenSSL security fix (1.1.1g)
    • Better logging of shared cache loading failures
    • Ability to configure the timeout between API Firewall and the backend endpoint separately
  • 42crunch/apifirewall:v0.16.13
    • Fixed a bug in response validation in OAS v3 that caused API Firewall to load an empty schema instead of the one specified for some media types
    • More robust UUID generator
  • 42crunch/apifirewall:v0.17.0
    • Improvements to the syntax of protections
    • Internal optimizations
  • 42crunch/apifirewall:v0.17.2
    • Fixed deserialization of parameters defined as combined types (allOf, anyOf, oneOf)
    • cookies_in and cookies_out moved into their own sections in the transaction log
    • Fixed the format of transaction logs for security validation errors to match what the UI expects
  • 42crunch/apifirewall:v0.17.3
    • Fixed possible desynchronizations when communicating with the platform

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Known issues

This release has the following known issues.

Removing an API does not stop the API Firewall instance

If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.

This will be fixed in a future release.