42Crunch Platform release, April 14, 2021

This 42Crunch API Security Platform release restructures the checks on authentication methods in API Security Audit and improves the proxy configuration for running API Conformance Scan on your premises.

New features

The following are the new features and improvements to the existing ones in this release.

Revamped security checks for authentication methods in Security Audit

We have redesigned how Security Audit checks the quality of the security schemes and requirements in your OpenAPI definition:

  • More keys, more granularity: we have added over 100 new checks, one set for each authentication method that the OpenAPI Specification (OAS) v2 and v3 allow (OAuth 2.0 flows, the various HTTP authentication schemes, API keys), with separate checks depending on whether the credentials for the method are transported over HTTP or over HTTPS.
  • Better insight into the quality of the security in your API definition. For example, not all OAuth 2.0 flows are equal: the implicit flow returns the access token in the redirect URL, where it is far more exposed than a token obtained through the authorization code flow.
  • The score now reflects only the actual risk of the authentication methods that your security requirements use. Security scheme definitions that no security requirement references no longer take points off your audit score, which may change the score of your existing APIs.
  • Security Audit now also raises an issue if the top-level securityDefinitions (OAS v2) or securitySchemes under components (OAS v3) is missing.
  • The previous checks on access tokens and credentials (issue IDs ending in -average, -weak, and -clearcredentials) have been deprecated and are no longer raised in Security Audit. Their articles remain available in the UI so that you can still see the details in your existing audit reports.

The restructuring has brought some slight changes in which issues are raised and in their severity, so you may see changes in the audit score of your APIs when you audit them again.
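To make the new scoring rules concrete, the following script is an added example (not 42Crunch's audit code) that walks an OpenAPI v3 definition and reports the three things the checks above care about: security schemes that are defined but required by no operation, operations whose effective security requirement is empty, and schemes in use whose credentials or tokens would cross the wire over plain HTTP. The sample definition, its host names, scheme names and paths are constructed for the example.

```python
"""Added example, not 42Crunch's audit code: walk an OpenAPI v3 definition and
report schemes defined but required by no operation, operations with an empty
effective security requirement, and schemes in use whose credentials travel
over plain HTTP."""
import json
from urllib.parse import urlsplit

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample definition; host names, scheme names and paths are made up.
SAMPLE_OAS = {
    "openapi": "3.0.3",
    "info": {"title": "Pets", "version": "1.0"},
    "servers": [{"url": "http://api.example.test/v1"}],
    "security": [{"oauthImplicit": ["pets:read"]}],
    "paths": {
        "/pets": {
            "get": {"responses": {"200": {"description": "OK"}}},
            "post": {"security": [{"basicAuth": []}],
                     "responses": {"201": {"description": "Created"}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {"description": "OK"}}}},
    },
    "components": {"securitySchemes": {
        "oauthImplicit": {"type": "oauth2", "flows": {"implicit": {
            "authorizationUrl": "http://auth.example.test/authorize",
            "scopes": {"pets:read": "Read pets"}}}},
        "basicAuth": {"type": "http", "scheme": "basic"},
        "apiKeyUnused": {"type": "apiKey", "in": "query", "name": "key"},
    }},
}


def iter_operations(doc):
    """Yield ("GET /path", operation_object) for every operation in the document."""
    for path, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield f"{method.upper()} {path}", item[method]


def effective_security(doc, operation):
    """An operation-level `security` replaces the top-level one entirely;
    an explicit empty list means the operation needs no authentication."""
    if "security" in operation:
        return operation["security"]
    return doc.get("security", [])


def referenced_schemes(doc):
    """Names of schemes that at least one operation actually requires."""
    names = set()
    for _, operation in iter_operations(doc):
        for requirement in effective_security(doc, operation):
            names.update(requirement)
    return names


def unused_schemes(doc):
    """Defined under components.securitySchemes but required by no operation."""
    defined = doc.get("components", {}).get("securitySchemes", {})
    return sorted(set(defined) - referenced_schemes(doc))


def unauthenticated_operations(doc):
    return [name for name, op in iter_operations(doc) if not effective_security(doc, op)]


def _plain_http(url):
    return urlsplit(url).scheme.lower() == "http"


def plaintext_credentials(doc):
    """(scheme, reason) for every scheme in use whose credential or token is sent
    unencrypted: the API is served over http://, or an OAuth 2.0 / OpenID Connect
    endpoint URL is http://. Unused schemes are deliberately not reported."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    http_servers = [s["url"] for s in doc.get("servers", []) if _plain_http(s["url"])]
    findings = []
    for name in sorted(referenced_schemes(doc)):
        scheme = schemes.get(name)
        if scheme is None:
            findings.append((name, "required by an operation but never defined"))
            continue
        # Whatever the scheme type, the credential travels with each request.
        for url in http_servers:
            findings.append((name, f"credential sent to plain-http server {url}"))
        if scheme["type"] == "oauth2":
            for flow_name, flow in scheme.get("flows", {}).items():
                for key in ("authorizationUrl", "tokenUrl", "refreshUrl"):
                    if key in flow and _plain_http(flow[key]):
                        findings.append((name, f"{flow_name}.{key} is {flow[key]}"))
        elif scheme["type"] == "openIdConnect" and _plain_http(scheme.get("openIdConnectUrl", "")):
            findings.append((name, "openIdConnectUrl is plain http"))
    return findings


if __name__ == "__main__":
    print(json.dumps({
        "unused_schemes": unused_schemes(SAMPLE_OAS),
        "unauthenticated_operations": unauthenticated_operations(SAMPLE_OAS),
        "plaintext_credentials": plaintext_credentials(SAMPLE_OAS),
    }, indent=2))
```

On the sample, apiKeyUnused is reported as unused and therefore does not contribute any transport finding, GET /health is reported as unauthenticated because its empty `security` list overrides the top-level requirement, and both schemes that are in use are flagged because the only server URL is http://, with the implicit flow additionally flagged for its http:// authorization endpoint.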

In addition, the checks on the property names and values constrained by a pattern in the OAS v2 have been moved to semantic issues:

  • semantic-property-pattern for url and email properties
  • semantic-host-pattern for the host property
  • semantic-basepath-pattern for the basePath property

We have also clarified how Security Audit calculates the audit score. For more details, see Audit score.

Improved proxy configuration for on-premises scan

Conformance Scan now provides separate environment variables for its two outbound connections when it runs on your premises behind an HTTP or HTTPS proxy:

  • HTTP_PROXY and HTTPS_PROXY when Conformance Scan must connect to 42Crunch Platform through a proxy
  • HTTP_PROXY_API and HTTPS_PROXY_API when Conformance Scan must connect to the API to be scanned and its backend service through a proxy

The two pairs are independent, so the connection to the platform and the connection to the API under test can each go through their own proxy, or only one of them through a proxy.

See Scan API conformance.

A bug in Conformance Scan caused it to fail to validate a response body that contained the value null. This has now been fixed and Conformance Scan handles response bodies with null values without problems.
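A response body check has to tell three cases apart that are easy to conflate: an empty body, a body that is the JSON literal `null`, and a property inside the body whose value is null. The following validator is an added example (not Conformance Scan's own code) that handles all three against an OAS 3.0-style schema, where `null` is only valid where the schema says `nullable: true`; the schema and bodies are constructed for the example.

```python
"""Added example, not Conformance Scan's validator: check a JSON response body
against an OAS 3.0-style schema, treating an empty body, a `null` body and a
null property value as three distinct cases."""
import json

# Constructed schema: `nickname` may legitimately be null, `manager` may be
# omitted but not null, `id` is required.
PERSON_SCHEMA = {
    "type": "object",
    "required": ["id"],
    "properties": {
        "id": {"type": "integer"},
        "nickname": {"type": "string", "nullable": True},
        "manager": {"type": "string"},
        "tags": {"type": "array", "items": {"type": "string"}},
    },
}

_PY_TYPES = {"string": str, "boolean": bool, "object": dict, "array": list}


def validate_body(raw, schema):
    """Return (ok, reason) for the raw HTTP body text `raw`."""
    if raw.strip() == "":
        return False, "$: empty body, expected a JSON document"
    try:
        value = json.loads(raw)
    except ValueError as exc:
        return False, f"$: body is not JSON ({exc})"
    return check_value(value, schema, "$")


def check_value(value, schema, path):
    # null is a value, not an absence: accept it only where the schema allows it.
    if value is None:
        if schema.get("nullable", False):
            return True, ""
        return False, f"{path}: null is not allowed (schema is not nullable)"
    t = schema.get("type")
    if t in ("integer", "number"):
        # bool is a subclass of int in Python; JSON true/false must not pass as numbers.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, f"{path}: expected {t}"
        if t == "integer" and isinstance(value, float) and not value.is_integer():
            return False, f"{path}: expected integer"
        return True, ""
    if t in _PY_TYPES and not isinstance(value, _PY_TYPES[t]):
        return False, f"{path}: expected {t}"
    if t == "object":
        for name in schema.get("required", []):
            if name not in value:
                return False, f"{path}.{name}: required property missing"
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                ok, why = check_value(value[name], sub, f"{path}.{name}")
                if not ok:
                    return False, why
    elif t == "array":
        items = schema.get("items", {})
        for i, element in enumerate(value):
            ok, why = check_value(element, items, f"{path}[{i}]")
            if not ok:
                return False, why
    return True, ""


if __name__ == "__main__":
    for body in ('{"id": 7, "nickname": null}', '{"id": 7, "manager": null}', 'null', ''):
        print(repr(body), "->", validate_body(body, PERSON_SCHEMA))
```

The important design point is that `null` is parsed and then checked against the schema like any other value, instead of being short-circuited as "no body" or "missing property"; a `null` top-level body passes only when the response schema itself is nullable.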

We have also clarified why Conformance Scan skips issues in a scan and what you can do about it. For more details, see Happy path requests.

Improvement to user experience

We have also made some small improvements to the user experience:

  • The scan report page now shows when your API was last scanned.
  • Changing the search criteria (name or UUID) in Find API automatically clears the search field for you.
  • Scrolling with the mouse wheel in Security Editor in Firefox has been fixed.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.5
    • Upgraded to openssl-1.1.1k, which fixes CVE-2021-3450 (CA certificate check bypass when X509_V_FLAG_X509_STRICT is set) and CVE-2021-3449 (NULL pointer dereference in a TLS server handling a renegotiation ClientHello).
  • 42crunch/apifirewall:v1.0.4
    • Compatibility with the new platform.
    • Improved error messages on unrecoverable errors.
    • Fixed memory leak on restart (schema regex).
    • Fixed possible crash with large response bodies.
    • Improved the engine performance of regular expressions.
    • Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
    • Harmonized console logs.
    • Support for sending logs to STDOUT.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.6.0
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • The TLS configuration now allows a remote server to request renegotiation repeatedly.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and the JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails.
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Bug in Find API

At the moment, if you try to search your APIs by UUID in Find API and you enter an incorrect UUID, Find API does not handle the error properly and fails to load APIs. This will be fixed in the next release.

Security Audit does not verify the format of vendor extensions

At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x-.

This will be fixed in a future release.

Security Audit does not check for missing HTTP status code 406

At the moment, Security Audit does not raise an issue if you have not defined a response for the HTTP status code 406. An HTTP 406 response indicates that the API cannot produce a representation in any of the media types that the calling client listed in the Accept header of the request.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of the strings in the requests it sends during the scan to 4096 characters. If the minLength or maxLength properties, or the length limits in a regular expression pattern, that you have defined for an API operation in your API definition conflict with this limit, the operation cannot be fully scanned.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

We are working to improve this in the future.
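Because the conflict only surfaces as a skipped operation in the scan report, it is worth catching before the scan. The following script is an added example (not 42Crunch code) that walks an OpenAPI definition for string schemas whose minLength, maxLength or pattern quantifier collides with the 4096-character limit and reports which of the two consequences described above applies. The sample definition is constructed for the example, and the pattern handling is a deliberately crude heuristic that only inspects `{m}`, `{m,}` and `{m,n}` quantifiers.

```python
"""Added example, not 42Crunch code: find string schemas in an OpenAPI definition
whose length constraints collide with Conformance Scan's default string limit."""
import re

SCAN_STRING_LIMIT = 4096  # default maximum string length the scan sends (from the release notes)

# Constructed sample: four string properties, three of which conflict with the limit.
SAMPLE_OAS = {
    "openapi": "3.0.3",
    "paths": {"/docs": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {
            "title": {"type": "string", "maxLength": 120},
            "body": {"type": "string", "minLength": 5000},
            "summary": {"type": "string", "maxLength": 10000},
            "blob": {"type": "string", "pattern": "^[A-Za-z0-9+/]{8192,}$"},
        },
    }}}}}}},
}

# Heuristic only: picks up {m}, {m,} and {m,n} quantifiers anywhere in the pattern,
# which covers the common "fixed-size token" case but not nested or alternated groups.
_QUANTIFIER = re.compile(r"\{(\d+)(?:,(\d*))?\}")


def walk_schemas(node, path="$"):
    """Yield (json_path, schema) for every dict that declares type: string."""
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield path, node
        for key, child in node.items():
            yield from walk_schemas(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_schemas(child, f"{path}[{i}]")


def length_conflicts(doc, limit=SCAN_STRING_LIMIT):
    """Return (path, constraint, value, consequence) for each conflicting string schema."""
    findings = []
    for path, schema in walk_schemas(doc):
        min_len = schema.get("minLength", 0)
        max_len = schema.get("maxLength")
        for m in _QUANTIFIER.finditer(schema.get("pattern", "")):
            low, high = int(m.group(1)), m.group(2)
            min_len = max(min_len, low)
            if high is None:  # {m}: exact length
                max_len = low if max_len is None else min(max_len, low)
            elif high:  # {m,n}; a bare {m,} leaves the maximum open
                max_len = int(high) if max_len is None else min(max_len, int(high))
        if min_len > limit:
            findings.append((path, "minLength", min_len,
                             "happy path request cannot be built; operation skipped"))
        elif max_len is not None and max_len > limit:
            findings.append((path, "maxLength", max_len,
                             "happy path ok, but scan requests up to maxLength cannot be sent; operation skipped"))
    return findings


if __name__ == "__main__":
    for path, constraint, value, consequence in length_conflicts(SAMPLE_OAS):
        print(f"{path}: {constraint}={value} exceeds {SCAN_STRING_LIMIT}: {consequence}")
```

A minimum above the limit is reported first because it is the more severe of the two (no baseline request can be built at all), and raising the limit argument shows that the same definition scans cleanly once the constraints fit.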