42Crunch Platform release, March 22, 2021

This 42Crunch API Security Platform release introduces the new, fully revamped version of 42Crunch Platform.

Migration to the new version of 42Crunch Platform

We have now migrated all user accounts to the new platform. We have sent you detailed information about the migration and when it was done.

You can find all your API collections and APIs in 42Crunch Platform as before. API Security Audit has run automatically on your APIs, so you can see the latest audit report. However, previous reports have not been migrated, so your audit history starts afresh.

API Conformance Scan is not run automatically and scan reports have not been migrated. You must rerun Conformance Scan yourself before you can view a scan report.

For API Protection, neither protection configurations nor API Firewall logs have been migrated, and the migration has stopped any API Firewall instances you had running at the time. You must create new protection configurations for your APIs and redeploy the protection. Previous versions of the API Firewall image are no longer compatible with the platform (see Compatibility).

If you have created API tokens, for example, for CI/CD integration, they have been migrated and still work.

The change in platform version may have changed the URL where you access 42Crunch Platform:

  • If you are a user in the free community organization, no need to do anything: you still access the platform at https://platform.42crunch.com as before.
  • If you are a business user, your platform URL has changed. This change affects all platform endpoints you use. For more details, see Platform URL.

New features

The following are the new features and improvements to the existing ones in this release.

Audit more complex API definitions

Security Audit is now more robust, which has let us remove many of the limitations imposed on the complexity of the APIs.

  • Audit any OpenAPI definition as long as the file size is less than 10 MB.
  • View the code examples in the same format as your API definition (JSON or YAML).
  • Download the audit report as JSON from 42Crunch Platform.

We have made the following changes to the audit checks that may affect the audit score:

  • For OpenAPI Specification (OAS) v2 and v3:
    • Checks on properties that are not defined in the OAS have been moved from structural issues to semantic issues (semantic-unknown-property and v3-semantic-unknown-property).
    • Checks for properties that the OAS requires have been split into mandatory properties that form the bare minimum for a valid OpenAPI definition (validation-property-required and v3-validation-property-required), and required properties in optional objects (semantic-property-required and v3-semantic-property-required).
    • Security Audit no longer raises false positives for schema-notype or v3-schema-notype.
  • For OAS v2 only:
    • The check on additionalProperties as a Boolean value no longer impacts the audit score (warning-schema-additionalproperties-boolean).
    • The check on undefined schemes has been moved to semantic issues (semantic-schemes-undefined).
    • Security Audit now raises operation-securityrequirement-average instead of operation-securityrequirement-weak for Basic authentication.
  • For OAS v3 only:
    • The check v3-warning-media-type-schema has been deprecated.

There may also be some other minor changes that may have a slight impact on your audit score.

Test partial security requirements in Conformance Scan

If your API has multiple security requirements defined, for example, in one operation, Conformance Scan now tests them separately. This gives you more clarity on how the implementation for each of the security requirements performs in the scan.

We have also added a new test to Conformance Scan that checks that the content type of the returned API response is consistent with the content type defined in the API definition, to disambiguate when the received response is not valid against the schema that constrains it.

In addition, we have improved the following:

  • Parsing of produces in OAS v2 and media type objects in OAS v3
  • Generating and validating strings, numbers, and arrays
  • Content-Type marshalling

You can now also download the scan report as JSON from 42Crunch Platform.

Conformance Scan now limits the response body from the API to 8 KB. If the response body is longer, it is truncated. We have also clarified what kind of responses Conformance Scan expects to receive from an API. For more details, see Response validation.

Check the trend charts for Security Audit and Conformance Scan

You can now get an at-a-glance view of how the score for your API in Security Audit and Conformance Scan has changed over time on the API Summary page.

An example screenshot showing the API summary page of the Pixi API.

Apply additional protections to your API definitions

API Firewall automatically enforces protection for your API out of the box. On top of this, you can apply additional protections to the OpenAPI definition of your API using x-42c security extensions.

  • Apply security as code, making it part of the source code of the API, and fine-tune the positive security model in API Firewall.
  • Add protections for your API, such as rate limiting, security headers, or JWT validation.
  • Choose where to apply protections: the whole API or particular operations, requests or responses.

For more details, see Protections and security extensions.

Switch off automatic contract enforcement in API Firewall

The allowlist that API Firewall uses to enforce the API contract and protect your API is by default always on and blocks all requests that do not conform to the OpenAPI definition of the API. However, if needed, you can now switch the allowlist off.

  • Use the extension x-42c-deactivate-allowlist to control when API Firewall applies the allowlist and when it does not.
  • Use directional allowlists to keep the allowlist on for requests or responses while deactivating it for the other direction.

For more details, see Deactivate automatic contract enforcement in API Firewall.

Write API Firewall logs to standard output

You can now choose to write the logs from API Firewall instances as standard output (STDOUT) to be consumed by your downstream logging and monitoring services.

We have also included more information on the different logs API Firewall produces. For more details, see API Firewall logs.

Collaborate as teams

There is a new way of working in the platform: teams.

  • By default, all organizations have a team that includes everyone in that organization.
  • Organization administrators can create additional teams for specific groups of people.
  • Teams can collaborate on API collections and APIs.

For more details, see Teams.

Share APIs with more granularity

You now have more control over how and with whom you share your API collections and the APIs in them:

  • Share a collection with individual users, specific teams, or everyone in your organization.
  • Give other users read/write access to your API collections.
  • Grant different levels of access to different users or teams.

You can also view who owns a particular API collection in your organization, for example, to request access to it.

For more details, see Sharing APIs and access level.

Find APIs faster

You can now search for APIs by their names or their UUIDs instead of navigating through API collections. Just click Find API in the main menu on the left.

Example screenshot of the Find API view, listing the APIs available to the user, the API collections they are in, and the owner of the collection.

For more details, see APIs and API collections.

View more information on your API collections at a glance

The API collection view has been redesigned so that you get an overview of it quickly, even when viewing the APIs in it:

  • The total number of APIs in the collection
  • The sharing status
  • The owner of the collection

In addition, you can also see if an API is protected and when the protection configuration of its API Firewall instance was last updated. See API Firewall.

User invitations

Organization administrators can now invite new users to join their organizations.

  • No need to create all accounts manually.
  • Send invites either as an email with a secure token for each new user, or share a link.
  • When the user follows the instructions in the email or clicks on the link, they register a new account in your organization, with the permissions you predefined for them.

For more details, see Invitations.

Organization administrators can now also search for users based on the permissions they have. See Manage user permissions.

Integrate 42Crunch Platform with your company's single sign-on

42Crunch Platform uses OpenID Connect (OIDC) for single sign-on (SSO). Enterprise organizations can integrate with their SSO solutions, and use their company SSO credentials when logging in to the platform. You can also combine non-SSO accounts with platform SSO for any users not included in your company SSO, such as external consultants.

For more details, see Single sign-on integration for businesses. If you are interested in integrating 42Crunch Platform with your SSO solution, or you would like to change your existing integration with us, contact our support or your 42Crunch account manager.


Additionally, the following preview (beta) features are available.

Run Conformance Scan locally

You can now pull the Conformance Scan image from Docker Hub and run it locally in your own environment.

  • Integrate Conformance Scan into your automated systems, like CI/CD.
  • Fine-tune the way the scan runs with scan configurations.
  • Use environment variables for authentication details to test different methods with the same scan configuration.
  • Scan reports are stored in 42Crunch Platform so you still get all the information in one place.
  • Users in the free Community organization can also run the on-premises scan.

For more details, see Running Conformance Scan on premises.

42Crunch command-line interface

You can now use the features of 42Crunch Platform from CLI with the 42Crunch CLI client.

  • Create scripts and automate repetitive tasks in the platform.
  • Side-step the UI if you prefer working from CLI.
  • Perform batch operations.

For more details, see 42Crunch CLI client. To find out what you can do with the CLI and how to run different commands, after you have installed and configured the CLI client, run 42c --help.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.5
    • Upgrade to openssl-1.1.1k (CVE-2021-3450, CVE-2021-3449).
  • 42crunch/apifirewall:v1.0.4
    • Compatibility with the new platform.
    • Improved error messages on unrecoverable errors.
    • Fixed memory leak on restart (schema regex).
    • Fixed possible crash with large response bodies.
    • Improved the engine performance of regular expressions.
    • Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
    • Harmonized console logs.
    • Support for sending logs to STDOUT.

All previous image versions (except -preview images) have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Known issues

This release has the following known issues.

Security Audit does not verify the format of vendor extensions

At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x-.

This will be fixed in a future release.

Security Audit does not check for missing HTTP status code 406

At the moment, Security Audit does not raise an issue if you have not defined a response for the HTTP status code 406. An HTTP 406 response indicates that the API cannot format data to match the media types that the calling client has indicated in the Accept header of the request.

This will be fixed in a future release.
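Until both checks land in Security Audit, the two gaps above can be caught with a small lint over the API definition. The script below is an added example, not 42Crunch code; the field names x-team-owner and team-owner in the sample definition are made up for the illustration.

```python
"""Supplementary lint for two gaps Security Audit currently leaves open:
vendor fields without the x- prefix in operation objects, and operations
with no 406 response."""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Fixed fields of the Operation Object in OAS v2 and v3; any other key must be an x- extension.
OPERATION_FIELDS = {
    "tags", "summary", "description", "externalDocs", "operationId", "parameters",
    "responses", "deprecated", "security",            # common to v2 and v3
    "consumes", "produces", "schemes",                # v2 only
    "requestBody", "callbacks", "servers",            # v3 only
}


def lint_operations(definition):
    """Return (path, method, finding) tuples in document order."""
    findings = []
    for path, path_item in definition.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS or not isinstance(operation, dict):
                continue
            for key in operation:
                if key not in OPERATION_FIELDS and not key.startswith("x-"):
                    findings.append((path, method, f"unknown field '{key}' without x- prefix"))
            # Response codes may be ints when loaded from YAML, so normalise to str.
            codes = {str(code) for code in operation.get("responses", {})}
            if "406" not in codes:
                findings.append((path, method, "no 406 response defined"))
    return findings


# Constructed OAS v3 fragment (not a real API); x-team-owner and team-owner are made-up names.
SAMPLE = {
    "openapi": "3.0.0",
    "paths": {"/users": {
        "get": {
            "x-team-owner": "identity",  # correctly prefixed extension
            "responses": {"200": {"description": "OK"}, "406": {"description": "Not Acceptable"}},
        },
        "post": {
            "team-owner": "identity",    # extension missing the x- prefix; Security Audit stays silent
            "responses": {"200": {"description": "Created"}},
        },
    }},
}

if __name__ == "__main__":
    for path, method, finding in lint_operations(SAMPLE):
        print(f"{method.upper()} {path}: {finding}")
```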

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
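To find these conflicts before running the scan, rather than reading them off the skipped operations in the report, the following added example (not 42Crunch code) walks a loaded OpenAPI definition and reports every string schema whose minLength or maxLength exceeds the 4096 limit, with the reason the scan would skip it. Length limits implied by regular expressions are out of scope here; the sample definition is constructed for the illustration.

```python
"""Pre-scan check: find string schemas whose minLength/maxLength conflict
with the default 4096 string limit of Conformance Scan."""

SCAN_STRING_LIMIT = 4096  # default limit stated in the release notes


def walk_string_schemas(node, path="$"):
    """Yield (json_path, schema) for every object with "type": "string".

    Covers OAS v3 schemas and OAS v2 parameters alike, since both carry
    minLength/maxLength next to "type".
    """
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield path, node
        for key, value in node.items():
            yield from walk_string_schemas(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_string_schemas(value, f"{path}[{index}]")


def find_length_conflicts(definition, limit=SCAN_STRING_LIMIT):
    """Return (path, reason) pairs for schemas the scan would have to skip."""
    conflicts = []
    for path, schema in walk_string_schemas(definition):
        min_len = schema.get("minLength")
        max_len = schema.get("maxLength")
        if isinstance(min_len, int) and min_len > limit:
            # No valid value fits the limit: the happy-path request cannot be built.
            conflicts.append((path, f"minLength {min_len} > {limit}: no happy-path request"))
        elif isinstance(max_len, int) and max_len > limit:
            # Happy path works, but the max-length boundary request cannot be sent.
            conflicts.append((path, f"maxLength {max_len} > {limit}: boundary request skipped"))
    return conflicts


# Constructed OAS v3 fragment (not a real API): two of the three strings conflict.
SAMPLE_DEFINITION = {
    "openapi": "3.0.0",
    "paths": {"/notes": {"post": {"requestBody": {"content": {"application/json": {
        "schema": {"type": "object", "properties": {
            "title": {"type": "string", "maxLength": 120},
            "body": {"type": "string", "maxLength": 65536},
            "blob": {"type": "string", "minLength": 5000},
        }}}}}}}},
}

if __name__ == "__main__":
    for path, reason in find_length_conflicts(SAMPLE_DEFINITION):
        print(f"{path}: {reason}")
```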

We are working to improve this in the future.