Skip to main content

July

· 7 min read

NG Production Release Update - APIsec_cloud_7.7.2.0 ( July 09, 2026 )

This release introduces centralized API credential management, reusable global authentication profiles, OAuth PKCE support using Custom Authentication Chains, enhanced authentication validation for API-driven scans, and new Scan-and-Gate capabilities for CI/CD pipelines. Additional fixes improve BOLA scenario generation and polish SSRF detection reporting.

What's New

API Credentials Management

A new API Credentials page provides self-service management for both Personal Access Tokens (PATs) and OAuth Client Credentials. Users can create, manage, and revoke their own credentials, while administrators can manage credentials across the tenant.

Why this matters

  • Centralizes credential management in a single location
  • Simplifies API automation and integrations
  • Improves security through scoped, expiring credentials

Global Credentials

Global Credentials allow a single authentication profile to be shared across multiple application environments. Updating a global credential automatically applies the change wherever it is linked.

Why this matters

  • Simplifies credential rotation across applications
  • Reduces administrative effort and configuration drift
  • Maintains secure access through application-aware RBAC

OAuth PKCE Support

Custom Authentication Chains now support OAuth 2.0 Authorization Code flows with Proof Key for Code Exchange (PKCE). APIsec automatically manages PKCE parameters during authentication, simplifying configuration for supported identity providers.

Why this matters

  • Enables authenticated scanning of APIs protected by PKCE
  • Simplifies OAuth configuration for modern identity providers
  • Expands support for secure authentication workflows

Pre-Scan Authentication Validation

API-driven scans can now optionally validate authentication credentials before scan execution. When enabled, the platform performs a lightweight authentication check against the endpoint used during the most recent Test Authentication execution. If the credentials are rejected, the scan is terminated instead of proceeding with unauthenticated requests.

API callers can control this behavior using the ignoreAuthFailure flag in the scan request:

  • ignoreAuthFailure: false (default) — The scan is aborted if authentication validation fails.
  • ignoreAuthFailure: true — The scan continues even if authentication validation fails, allowing unauthenticated portions of the scan to proceed.

Why this matters

  • Detects authentication issues before scan execution
  • Prevents unnecessary scans caused by invalid credentials
  • Gives API integrations the flexibility to either fail fast or continue with partial coverage based on automation requirements

Note: This capability is currently opt-in for API-triggered scans. Existing UI, scheduled, and API scan behavior remains unchanged unless explicitly enabled.

Scan-and-Gate Enhancements

The Scan-and-Gate container now supports evaluating existing scan results without triggering a new scan and provides direct links from CI/CD failures to the corresponding findings in APIsec.

Why this matters

  • Accelerates CI/CD pipelines
  • Simplifies investigation of failed security gates
  • Improves developer productivity during remediation

Issue Fixes

BOLA Scenario Generation

Problem

Automatically generated BOLA scenarios could include duplicate entries for the same endpoint.

Solution

Scenario generation now removes duplicate endpoints based on HTTP method and path.

Impact

  • Produces cleaner BOLA scenario lists
  • Prevents duplicate test execution during BOLA scans

SSRF Detection Messaging

Problem

SSRF detection findings contained a typographical error in the assertion text.

Solution

The finding message has been corrected across all SSRF detection variants.

Impact

  • Improves the quality and professionalism of customer-facing reports

NG Production Release Update - APIsec_cloud_7.7.1.0 ( July 03, 2026 )

This release introduces Dark Mode, removes the 30-day access limit for PLG users, strengthens Hosted Agent security, and enhances authentication failure handling across supported authentication schemes. Additional fixes improve hosted-agent scheduling, protect sensitive data, enhance diagnostics for authentication failures, and improve the accuracy of Security Hub reporting.

What's New

Dark Mode

Dark Mode is now available across the platform. Users can switch between light and dark themes at any time from User Preferences. Currently, their preference isn't preserved across different browser sessions.

Why this matters

  • Improves readability in low-light environments
  • Reduces eye strain during extended sessions
  • Let users personalize their experience without administrator involvement

Partial Credential Enforcement

A new detection category identifies APIs that advertise multiple authentication requirements—such as Authorization headers, API keys, session cookies, or XSRF tokens—but enforce only a subset during request validation. Endpoints that accept requests with one or more required credential elements missing are flagged for review.

Why this matters

  • Detects authentication gaps that may be overlooked by traditional authentication tests
  • Helps ensure every required credential element is actively validated
  • Identifies weaknesses in composite authentication schemes involving multiple headers or cookies
  • Improves detection accuracy by validating both HTTP responses and application response content to minimize false positives

Improvements

Extended Access for PLG Users

The 30-day access restriction for PLG users has been removed. Existing users who were previously locked out automatically regain access without requiring any action from users, administrators, or support.

Why this matters

  • Enables uninterrupted product exploration
  • Eliminates unnecessary access interruptions
  • Provides a smoother onboarding experience

New Hosted Agent Release

A new Hosted Agent version introduces improved startup validation for mutual TLS (mTLS) certificate configuration. Certificate configuration issues are now detected during startup with clear, actionable error messages.

Why this matters

  • Detects certificate configuration issues earlier
  • Reduces scan failures caused by invalid mTLS configuration
  • Improves deployment reliability for private Hosted Agents

Note: Customers running Private Hosted Agents are encouraged to deploy the latest agent version to receive these improvements.

Enhanced Authentication Failure Handling

Authentication failure detection has been expanded to support Basic Authentication, API Key, and HMAC authentication schemes. A new option also allows scans to continue after authentication failures while clearly identifying unauthenticated requests.

Why this matters

  • Improves visibility into authentication configuration issues
  • Produces more reliable scan results across supported authentication methods
  • Allows teams to troubleshoot authentication failures while still collecting partial scan results

Issue Fixes

Scheduled Scans for Hosted Agent Applications

Problem

Scheduled scans for applications configured to use Hosted Agents could fail without appearing in Scan History.

Solution

Scheduled scans and Test Credentials now consistently use the configured Hosted Agent for scan execution.

Impact

  • Improves the reliability of scheduled scans
  • Ensures failures are visible in Scan History
  • Supports environments accessible only through Hosted Agents

Protected Header Values During Test Reachability

Problem

Confidential header values could be displayed in clear text during Test Reachability.

Solution

Sensitive header values remain masked across all application views, including Test Reachability.

Impact

  • Protects confidential authentication data
  • Improves the security of environment configuration workflows

Improved Test Credentials Diagnostics

Problem

Authentication and connectivity failures often returned a generic "Internal Server Error," making troubleshooting difficult.

Solution

Test Credentials now surfaces the target system's HTTP status code, response body, and diagnostic information when available.

Impact

  • Simplifies troubleshooting of authentication and connectivity issues
  • Provides clearer diagnostics for WAF, OAuth, networking, and access configuration problems

Security Hub Summary Accuracy

Problem

Security Hub summary metrics may display inaccurate counts of scans, endpoints, and vulnerabilities.

Solution

Security Hub now calculates summary metrics correctly and excludes informational findings from vulnerability totals.

Impact

  • Improves reporting accuracy
  • Aligns dashboard metrics with application-level reporting

Security Hub Timezone Reporting

Problem

Security Hub summary metrics displayed zero values for users in certain time zones.

Solution

Date calculations have been updated to ensure consistent reporting regardless of the timezone.

Impact

  • Provides accurate Security Hub metrics across all supported time zones
  • Ensures consistent reporting for global teams