
NG Production Release Update - APIsec_cloud_7.4.4.0 (April 29, 2026)

This release focuses on improving visibility, usability, and scan accuracy across the platform. Key updates include enhanced Developer Reports with full endpoint coverage, and a redesigned Hosted Agent dashboard for better operational visibility. Security testing has been expanded with new detection categories for SSL/TLS vulnerabilities and JWT header injection, helping teams identify critical risks earlier. Additionally, improvements to parameter hydration and UI consistency streamline workflows and reduce manual effort. Several fixes address issues in authentication handling, Postman imports, performance for large APIs, and reporting accuracy—resulting in a more stable and reliable testing experience.

Developer Report with Full Endpoint Coverage

The existing Developer Report has been enhanced to include all tested endpoints, not just those with active findings. It now also provides a clearer view of the last scan summary, overall test coverage, and OWASP API Security Top 10 coverage.

Why this matters

  • Gives developers complete visibility into what was tested, not just what failed
  • Helps teams understand coverage gaps and validate scan completeness
  • Makes it easier to track both active and resolved vulnerabilities

Coming Soon

  • A new Proof of Test Report will be introduced in May, providing detailed evidence of test execution to better reflect its purpose as compliance evidence.

Hosted Agent Dashboard Redesign

The Hosted Agents page has been redesigned to provide immediate visibility into agent health and activity. Inactive or unresponsive agents are surfaced first, so teams can quickly identify and resolve issues.

Why this matters

  • Quickly identify unhealthy agents without scanning the full list
  • Prevent scan disruptions with proactive certificate expiry alerts
  • Manage agents directly from a single view (restart, rotate token)
  • Improves operational efficiency for teams managing multiple environments

New Security Detection Categories

SSL/TLS Vulnerabilities

APIsec now detects:

  • Expired SSL certificates
  • Weak RSA key sizes below recommended standards

These checks run automatically for REST APIs with SSL enabled.

Why this matters

  • Helps identify critical transport-layer security issues early
  • Ensures APIs meet modern encryption standards
  • Reduces risk from misconfigured certificates

JWT Header Injection (jku / iss Misuse)

A new detection category identifies vulnerabilities where JWT validation can be bypassed by manipulating header fields such as jku or iss.

Why this matters

  • Detects high-impact authentication bypass risks
  • Validates secure token verification practices
  • Provides actionable evidence for remediation
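As an added example (not APIsec's detection logic), here is the verifier-side gate that closes the jku/iss bypass class described above: the header and claims are checked against pinned values before any key is fetched or any signature is verified. The allowed algorithms, JWKS URL and issuer are constructed values.

```python
import base64
import json

# Constructed verifier policy for this example (hypothetical values, not APIsec configuration).
ALLOWED_ALGS = {"RS256", "ES256"}
ALLOWED_JKU_URLS = {"https://auth.example.com/.well-known/jwks.json"}
EXPECTED_ISS = "https://auth.example.com/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, claims) without trusting either part."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def header_policy_violations(header: dict, claims: dict) -> list:
    """Return every policy violation found before any key is fetched or signature checked.

    The token must never decide where its own verification key comes from: jku and iss
    are compared for exact equality with pinned values, and alg is restricted to an
    allowlist so that neither 'none' nor an algorithm confusion can be requested.
    """
    problems = []
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        problems.append(f"alg {alg!r} is not in the allowlist")
    if "jku" in header and header["jku"] not in ALLOWED_JKU_URLS:
        # Exact match, not prefix or substring: a lookalike host under a different domain must fail.
        problems.append(f"jku {header['jku']!r} is not a pinned JWKS URL")
    for field in ("jwk", "x5u"):
        if field in header:
            problems.append(f"header supplies its own key material via {field!r}")
    if claims.get("iss") != EXPECTED_ISS:
        problems.append(f"iss {claims.get('iss')!r} does not match the expected issuer")
    return problems


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a token with an empty signature; used here only to construct sample inputs."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


def is_trusted_for_verification(token: str) -> bool:
    """Gate a verifier should pass before resolving keys or checking the signature."""
    header, claims = parse_unverified(token)
    return header_policy_violations(header, claims) == []
```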

Application Details Sidebar Consistency

The Application Details sidebar is now consistently available across Scan History, Scan Details, and RBAC Map pages.

Why this matters

  • Provides quick access to the application context across workflows
  • Reduces navigation effort
  • Improves overall usability

Team Management — Application Assignment

Assigning applications to teams previously required navigating to individual applications, making the process time-consuming and difficult to manage at scale. Team Management has now been enhanced to allow assigning and managing applications directly within the team configuration. Administrators and team owners can add or remove applications in one place. Assigned applications are listed in the team view, with an option to remove them, and updates are reflected immediately without a full-page reload.

Why this matters

  • Simplifies access management by centralizing team and application assignments
  • Eliminates the need to navigate across multiple application screens
  • Speeds up onboarding and team reconfiguration workflows
  • Improves efficiency for administrators and team owners managing access at scale

Register Applications Using HAR Files

You can now register applications using HAR (HTTP Archive) files, enabling onboarding of APIs captured from browser traffic or other tools that support HAR export. This is especially useful when API specifications or documentation are not available. The platform automatically parses the HAR file, converts it into an OpenAPI Specification (OAS), and extracts the environment base URL during registration. Users can review and update the base URL before completing the setup. Once registered, the generated OAS is available for download, allowing users to refine or extend it and reload the updated specification as needed.

Why this matters

  • Enables onboarding of undocumented or legacy APIs without existing specifications
  • Reduces dependency on API documentation to begin security testing
  • Accelerates application registration with automatic parsing and conversion
  • Provides flexibility to refine and reuse the generated API specification
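An added example, not the platform's converter, of the HAR-to-OpenAPI step described above: it derives the base URL from the dominant origin, templatizes numeric path segments, and carries query parameters and request bodies into a minimal OpenAPI 3 document. The HAR capture embedded below is constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed HAR capture (not real traffic): three calls to one API plus one static asset.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users?limit=10&page=2",
                 "queryString": [{"name": "limit", "value": "10"}, {"name": "page", "value": "2"}]},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.example.com/v1/users",
                 "postData": {"mimeType": "application/json; charset=utf-8", "text": "{\"name\": \"a\"}"}},
     "response": {"status": 201}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users/42"}, "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://cdn.example.net/app.js"}, "response": {"status": 200}},
]}}


def base_url_of(har: dict) -> str:
    """Use the most frequent scheme://host in the capture as the proposed environment base URL."""
    origins = Counter()
    for entry in har["log"]["entries"]:
        u = urlsplit(entry["request"]["url"])
        origins[f"{u.scheme}://{u.netloc}"] += 1
    return origins.most_common(1)[0][0]


def templatize_path(path: str) -> tuple:
    """Turn /v1/users/42 into /v1/users/{users_id} so captures of different ids merge into one operation."""
    segments, params = [], []
    for seg in path.split("/"):
        if seg.isdigit():
            name = f"{segments[-1]}_id" if segments and segments[-1] else "id"
            params.append({"name": name, "in": "path", "required": True, "schema": {"type": "string"}})
            seg = "{" + name + "}"
        segments.append(seg)
    return "/".join(segments), params


def body_example(post: dict) -> tuple:
    """Return (media type, example) for a captured body; JSON is parsed, anything else kept raw."""
    mime = post.get("mimeType", "application/octet-stream").split(";")[0].strip()
    text = post.get("text", "")
    try:
        return mime, json.loads(text) if mime == "application/json" else text
    except json.JSONDecodeError:
        return mime, text  # keep the raw text when the capture is not valid JSON


def har_to_openapi(har: dict) -> dict:
    """Convert a HAR log into a minimal OpenAPI 3 document scoped to the base URL."""
    base = base_url_of(har)
    paths = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if f"{url.scheme}://{url.netloc}" != base:
            continue  # calls to other origins (CDNs, analytics) are not part of this API
        template, params = templatize_path(url.path)
        params += [{"name": q["name"], "in": "query", "schema": {"type": "string"}}
                   for q in req.get("queryString", [])]
        status = str(entry.get("response", {}).get("status", 200))
        op = {"responses": {status: {"description": "captured response"}}}
        if params:
            op["parameters"] = params
        if req.get("postData", {}).get("text"):
            mime, example = body_example(req["postData"])
            op["requestBody"] = {"content": {mime: {"example": example}}}
        paths.setdefault(template, {})[req["method"].lower()] = op
    return {"openapi": "3.0.3", "info": {"title": "Generated from HAR", "version": "0.1.0"},
            "servers": [{"url": base}], "paths": paths}
```

The generated document is what a user would review (base URL first) and then refine and reload, as the release note describes.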

Issue Fixes and Improvements

1. Custom Authentication — Nested Body Fields Preserved

  • Issue: Nested authentication fields using dotted keys caused sibling fields in the request body to be overwritten or removed.
  • Fix: Authentication values are now written correctly without affecting adjacent fields, ensuring valid request payloads during scans.

2. Postman Import — Request Body Preservation

  • Issue: Request bodies containing stringified JSON or special characters were dropped during import.
  • Fix: All request bodies, including those with embedded JSON or special characters, are now preserved correctly.

3. Postman Import — Collection Variables Not Visible

  • Issue: Large Postman collections failed to populate variables in the Parameters Configuration screen.
  • Fix: Variable handling has been updated to ensure all collection-level variables are correctly imported and displayed.

4. Endpoints Tab Performance for Large APIs

  • Issue: The Endpoints tab was slow or timing out for applications with large numbers of endpoints.
  • Fix: Performance improvements ensure faster load times and more reliable access, even with large API inventories.

5. Pagination Reset Issue

  • Issue: Navigating through results and interacting with the UI caused pagination to reset to page 1.
  • Fix: Pagination state is now preserved across interactions, improving usability for large datasets.

6. Team Management UI Issues

  • Issue: UI misalignment and disabled actions occurred when managing team members.
  • Fix: Layout and interaction issues have been corrected for a smoother team management experience.

7. Team Management Performance

  • Issue: Editing or canceling actions triggered unnecessary full reloads.
  • Fix: Only the affected section now refreshes, improving responsiveness and reducing load times.

8. Developer Report — Incomplete Evidence

  • Issue: Reports displayed only dry run data instead of actual test execution evidence.
  • Fix: Reports now include the full test chain, ensuring accurate and complete evidence for findings.

9. Custom Authentication — Sensitive Data Masking for Form-Encoded Requests

  • Issue: When using application/x-www-form-urlencoded request bodies in custom authentication, sensitive values (such as client_secret) were displayed in clear text during Test Authentication, specifically in the request body field and the extracted values table.
  • Fix: Sensitive fields are now masked in both the request body display and the extracted values table during Test Authentication.

NG Production Release Update - APIsec_cloud_7.4.3.0 (April 20, 2026)

This release improves platform reliability, scan accuracy, and troubleshooting visibility. Key updates include detailed reachability diagnostics, real-time parameter discovery, improved Postman collection handling, and intelligent parameter encoding for more accurate testing. Performance enhancements significantly improve RBAC configuration for large environments, and platform resilience is strengthened with automatic hosted agent fallback. Several critical issues related to Security Hub, authentication handling, request routing, and scan accuracy have also been resolved, improving overall stability and confidence in scan results.

Real-Time Parameter Discovery

Parameter discovery has been improved to provide better visibility and faster feedback during execution.

Results are now streamed incrementally as endpoints are processed, allowing users to see updates in real time instead of waiting for the full discovery to complete. Additionally, the parameter management view now includes metadata, including the hydration strategy used for each parameter and the current execution status.

Why this matters

  • Improves visibility into parameter discovery progress and behavior
  • Reduces wait time for initial results, especially for large APIs
  • Simplifies troubleshooting and validation
  • Enhances usability when working with large endpoint sets

Enhanced Parameter Visibility in UI

The parameter management view has been enhanced with additional metadata and improved filtering capabilities.

Users can now view the hydration strategy applied to each parameter and track the execution status of parameter discovery.

Why this matters

  • Improves transparency into parameter discovery behavior
  • Simplifies troubleshooting and validation
  • Enhances usability for large APIs

New Security Test Category: Mass Assignment

A new Mass Assignment test category has been introduced to detect vulnerabilities where APIs unintentionally allow modification of restricted or sensitive fields.

This category uses a two-step assignment-and-confirmation approach to accurately identify exploitable scenarios. Findings are classified into severity tiers and include supporting evidence to help validate and prioritize issues. Results are also integrated into Security Hub and reporting.

Why this matters

  • Enables the detection of a critical and commonly overlooked API vulnerability
  • Improves accuracy through confirmation-based validation
  • Provides clear, evidence-backed findings with severity prioritization
  • Ensures visibility in Security Hub and compliance reporting

Enhanced GraphQL Directive Authorization Testing

GraphQL security testing has been enhanced to better detect authorization weaknesses in APIs using directive-based access control.

The platform now evaluates operations protected by directives (such as @auth) across different permission levels, including mutations, subscriptions, and field-level access. This enables detection of cases where lower-privileged users can bypass intended access restrictions.

Why this matters

  • Improves detection of authorization bypass in GraphQL APIs
  • Expands coverage beyond queries to include mutations and subscriptions
  • Validates the enforcement of directive-based access controls
  • Helps identify privilege escalation risks across user roles

Structured Reachability Failure Analysis

Diagnosing why an API was unreachable previously required manual investigation or support involvement because of generic error messages.

This release introduces detailed, step-by-step reachability diagnostics across the full execution flow. When an API instance cannot be reached, users now see exactly which stage failed (DNS, TCP, SSL, HTTP, or authentication).

Why this matters

  • Enables self-service troubleshooting without relying on support
  • Significantly reduces time to identify connectivity issues
  • Provides clear, actionable failure points instead of generic errors
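An added example (not the platform's implementation) of the staged reachability diagnostics described above: checks run in DNS, TCP, TLS, HTTP, authentication order and the first failing stage is reported together with its error, using only the Python standard library. Host names and ports in the test are constructed.

```python
import http.client
import socket
import ssl

STAGES = ("dns", "tcp", "tls", "http", "auth")


def default_stages(host: str, port: int, path: str, auth_header, timeout: float, use_tls: bool = True):
    """Build the ordered checks; each step reuses what the previous one established."""
    ctx = {}

    def dns():
        ctx["addr"] = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]

    def tcp():
        ctx["sock"] = socket.create_connection(ctx["addr"][:2], timeout=timeout)

    def tls():
        if use_tls:  # certificate chain and hostname are verified by the default context
            ctx["sock"] = ssl.create_default_context().wrap_socket(ctx["sock"], server_hostname=host)

    def http():
        conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
        conn = conn_cls(host, port, timeout=timeout)
        conn.sock = ctx["sock"]  # reuse the already-established (possibly TLS-wrapped) socket
        headers = {"Authorization": auth_header} if auth_header else {}
        conn.request("GET", path, headers=headers)
        ctx["status"] = conn.getresponse().status

    def auth():
        if ctx["status"] in (401, 403):
            raise PermissionError(f"endpoint answered HTTP {ctx['status']} with the supplied credentials")

    return [("dns", dns), ("tcp", tcp), ("tls", tls), ("http", http), ("auth", auth)]


def run_stages(stages) -> dict:
    """Run checks in order and stop at the first one that raises, naming the failed stage."""
    passed = []
    for name, step in stages:
        try:
            step()
        except Exception as exc:
            return {"reachable": False, "failed_stage": name, "passed": passed,
                    "detail": f"{type(exc).__name__}: {exc}"}
        passed.append(name)
    return {"reachable": True, "failed_stage": None, "passed": passed, "detail": "all stages passed"}


def diagnose(host, port=443, path="/", auth_header=None, timeout=5.0, use_tls=True) -> dict:
    """Full diagnostic against a live instance; returns the same structure as run_stages."""
    return run_stages(default_stages(host, port, path, auth_header, timeout, use_tls))
```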

Improved Postman Collection Conversion

Postman collection conversion has been streamlined to improve reliability and performance.

The conversion process now runs directly within the platform, removing dependency on external services and improving handling of non-standard collection formats.

Why this matters

  • Faster application onboarding with no external service dependency
  • Improved compatibility with real-world Postman collections
  • Reduces the need for manual pre-processing of collections

RBAC Configuration Performance Improvements

RBAC configuration handling has been optimized for large environments.

Batch operations now run concurrently, and partial failures are surfaced rather than silently ignored.

Why this matters

  • Significantly reduces load times for large tenants
  • Improves visibility into configuration failures
  • Enhances usability of RBAC management workflows

SSO Integration Support for Ping Identity

Single Sign-On (SSO) support has been extended to include Ping Identity, enabling organizations to integrate APIsec with their existing identity provider for seamless authentication and user management.

The integration supports standard SAML-based authentication flows, allowing users to securely access the platform using their enterprise credentials.

Why this matters

  • Expands compatibility with enterprise identity providers
  • Simplifies user onboarding and access management
  • Improves security through centralized authentication
  • Aligns with enterprise SSO standards and practices


Issue Fixes and Improvements

1. Improved Handling of Nullable Schema Definitions

  • Value generation for schemas using anyOf with nullable branches has been stabilized to prevent incorrect type selection.

2. Security Hub Crash for Non-English Locales

  • Issue: Security Hub failed to load for users with non-English locales due to localized date formatting incompatibility.
  • Fix: Date handling has been corrected to support all locales, ensuring consistent behavior across regions.

3. Incorrect Handling of Dotted Keys in Custom Authentication

  • Issue: Custom authentication fields using dotted notation were incorrectly mapped, resulting in authentication failures.
  • Fix: Nested field handling has been corrected to ensure authentication values are applied to the correct structure.
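Both dotted-key fixes (nested body fields preserved in 7.4.4.0 and dotted-key mapping in 7.4.3.0) concern writing a value such as auth.credentials.client_secret into an existing JSON body. As an added example (not the platform's code), a naive writer that shows the sibling-clobbering failure sits beside a writer that expands the dotted key in place; the request template in the test is constructed.

```python
import copy


def set_dotted_naive(body: dict, dotted_key: str, value) -> dict:
    """The failure mode the fix addresses: the top-level object is replaced wholesale,
    so its siblings disappear and the rest of the key is never expanded."""
    head, _, rest = dotted_key.partition(".")
    out = dict(body)
    out[head] = {rest: value} if rest else value
    return out


def set_dotted(body: dict, dotted_key: str, value) -> dict:
    """Return a copy of body with value written at the nested position named by a.b.c.

    Intermediate objects are created when missing; existing siblings at every level
    are left untouched, which is what keeps the authentication payload valid."""
    out = copy.deepcopy(body)
    node = out
    *parents, leaf = dotted_key.split(".")
    for part in parents:
        child = node.get(part)
        if not isinstance(child, dict):
            child = {}  # a missing (or scalar) intermediate becomes an object
            node[part] = child
        node = child
    node[leaf] = value
    return out


def apply_auth_values(body: dict, values: dict) -> dict:
    """Apply every resolved authentication value (dotted key -> value) to the template body."""
    for key, value in values.items():
        body = set_dotted(body, key, value)
    return body
```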

4. Incorrect Request Routing for URI-Unsafe Characters

  • Issue: Requests containing certain characters in the URL path were incorrectly routed, leading to invalid test execution.
  • Fix: Request handling has been corrected to preserve the intended request path.

5. Encoding Metadata Handling Failure

  • Issue: Encoding-related metadata caused failures during test execution due to incompatible data handling.
  • Fix: Metadata handling has been corrected to ensure encoding intelligence is properly utilized during scans.

6. GraphQL Request Construction Issues

  • Issue: Certain GraphQL test cases generated malformed request payloads.
  • Fix: Request construction has been corrected to ensure valid payload generation across GraphQL tests.

7. Missing Scan Context in Logs

  • Issue: Scan identifiers were not consistently included in logs, making traceability difficult.
  • Fix: Logging context has been corrected to ensure scan identifiers are consistently captured.

8. Incorrect Test Execution via “Scan Now”

  • Issue: Triggering scans for specific categories could result in incorrect tests being executed.
  • Fix: Test mapping has been corrected to ensure accurate execution of selected categories.

9. Loss of Reachability Diagnostic Details

  • Issue: Detailed reachability diagnostics were not propagated to the UI, resulting in generic error messages.
  • Fix: Diagnostic details are now preserved and returned, enabling detailed visibility into failures.

10. Instance Name Display Issue

  • Issue: Instance names were incorrectly populated in certain onboarding scenarios.
  • Fix: Instance naming logic has been corrected.

NG Production Release Update - APIsec_cloud_7.4.2.0 (April 14, 2026)

This release focuses on improving authentication reliability, strengthening automation capabilities, enhancing access control integration, and improving overall platform stability.

Key updates include improved handling of custom authentication failures, expanded API token capabilities for configuration management, and support for SSO-based provisioning of Viewer (Auditor) role users. Additionally, enhancements to query parameter handling improve security testing coverage for APIs that use complex query formats, such as SCIM. The release also includes targeted fixes to improve notification reliability and ensure consistent platform behavior across different execution environments.

Improved Query Parameter Handling for SCIM APIs

Security testing for APIs using SCIM-style query parameters has been enhanced to support more flexible query handling.

Enhancement: The platform now adapts how query parameters are processed based on API behavior, allowing effective testing of APIs that require non-standard query formats.

Impact:

  • Improves test coverage for SCIM-based APIs
  • Enables more meaningful injection testing within query parameters
  • Supports APIs with non-standard query parsing behavior

Manage Instance Headers via API Tokens

Instance-level headers can now be managed programmatically using API tokens.

Enhancement: Teams can retrieve and update instance headers through API calls, enabling integration with automated workflows.

Impact:

  • Enables CI/CD-driven configuration management
  • Reduces manual updates
  • Ensures secure handling of confidential headers

SSO Support for Viewer (Auditor) Role

The Viewer (ROLE_AUDITOR) role now supports Single Sign-On (SSO) integration.

Enhancement: Organizations can provision and manage Viewer users through their identity provider.

Impact:

  • Simplifies the onboarding of read-only users
  • Aligns access control with enterprise identity systems
  • Enables automated user provisioning

Improved Visibility for Custom Authentication Failures

Issue:
Custom Authentication failures during scan execution were not consistently reported across different execution environments.

Fix:
Custom Authentication resolution failures are now surfaced consistently across both public and private hosted agent executions.

Impact:

  • Prevents scans from running when authentication is unresolved or the Hosted Agent is unresponsive
  • Improves debugging of authentication workflows
  • Ensures consistent behavior across execution environments

Upcoming Improvement:
A UI option will allow associating instance URLs with specific hosted agents to ensure correct execution routing during test authentication and dry runs.

Slack Notifications Not Sent After Scan Completion

Issue:
Slack notifications weren't being delivered after scan completion due to a regression.

Fix:
Notification workflows were corrected to ensure alerts are sent reliably upon scan completion.

Impact:

  • Restores visibility into scan completion status
  • Ensures timely notifications for security teams

NG Production Release Update - APIsec_cloud_7.4.1.0 (April 06, 2026)

This release focuses on improving usability, reliability, and collaboration across the platform. Key enhancements help teams keep API inventories automatically up to date, simplify sharing vulnerabilities via direct links, and reduce operational overhead with performance and stability improvements.

Several fixes also address real customer workflow challenges, including improving scan reliability for large APIs, ensuring reports generate consistently, strengthening handling of sensitive authentication data, improving RBAC usability, and ensuring reporting metrics remain accurate.

Together, these updates aim to make security testing more predictable, improve collaboration between security and engineering teams, and reduce the manual effort required to maintain accurate testing coverage.

Automatic API Specification Reload for Auto-Onboarded Applications

Keeping API inventories up to date can be difficult when APIs evolve frequently in gateways. Security teams often discovered that new endpoints were not being tested until someone manually reloaded the specification.

APIsec now automatically reloads API specifications on a weekly schedule for applications onboarded through supported gateways. This helps ensure newly added endpoints are discovered, deprecated ones are removed, and scan coverage stays aligned with the actual API surface without manual intervention.

Why this matters

  • Reduces manual maintenance for large API portfolios
  • Helps ensure new endpoints are not missed in security testing
  • Keeps scan coverage aligned with the latest gateway definitions

Supported integrations include AWS API Gateway, Azure APIM, MuleSoft, SwaggerHub, and Postman.


Enhancement – Direct Links to Individual Vulnerabilities

Security and development teams frequently need to share specific findings during triage discussions, remediation reviews, or audits. Previously, sharing a vulnerability required sending the application link and asking the recipient to manually locate the finding, which slowed collaboration.

APIsec now lets users link directly to individual vulnerabilities, making it easier to share exact findings with team members and stakeholders.

Why this matters

  • Quickly share specific vulnerabilities without extra navigation
  • Improves collaboration between security and engineering teams
  • Reduces time spent searching for individual findings during reviews

Issue Fixes and Improvements

  1. Improved Reliability of Parameter Hydration from Traffic Captures
    • Some parameters captured in Bolt traffic files weren't applied consistently, which could reduce scan depth for certain endpoints.
    • APIsec now ensures captured headers and parameters are applied correctly across endpoints, improving test coverage and reducing manual parameter configuration.
  2. Sensitive Authentication Fields Now Masked in Custom Authentication
    • Sensitive fields used in custom authentication workflows could previously appear in plain text during test authentication.
    • Sensitive inputs are now masked in the interface to prevent accidental exposure during onboarding, reviews, or screen sharing.
  3. Security Hub Metrics Now Respect BU and Team Filters Consistently
    • The Unique Endpoints tile in Security Hub didn't fully reflect the applied filters, which could cause confusion in reporting.
    • Metrics now consistently update based on selected Business Unit and Team filters, improving reporting accuracy.
  4. Faster Scan Execution with Updated Private Hosted Agent Image
    • Customers running scans through private hosted agents experienced slower execution times in some environments.
    • An updated hosted agent image (apisec/hostedagent:2026-04-03-67) improves scan execution performance and stability.
  5. Developer Report Generation Reliability Improvements
    • SSO users were unable to generate Developer Reports due to a workflow issue where the report never completed processing.
    • Report generation now completes reliably, allowing teams to access technical remediation reports when needed.
  6. Integration Status Now Reflects Credential Health Accurately
    • Issue tracker integrations and Notifications could appear healthy even after credentials have expired.
    • Connection status now correctly reflects credential validity, so teams can quickly identify integration issues.
  7. Improved Stability for Large-Scale Scans
    • In some cases, with very large APIs, scans could get stuck in progress and could not be stopped manually.
    • Improvements now ensure:
      • Stuck scans are automatically marked as failed when appropriate
      • Users can abort scans when needed
      • Large API scans complete more reliably
  8. RBAC Map Performance Improvements
    • Projects with many roles experienced slow RBAC map loading times, making it difficult to review authorization coverage.
    • Performance improvements now allow RBAC maps to load more reliably, even for larger role configurations.