42Crunch API Security Platform March 2021 Release

Today we are happy to announce the global availability of the latest version of the 42Crunch API Security Platform. We have updated our community deployment used by thousands of API developers worldwide, our IDE plugins, online tools, and deployments used by our enterprise customers.

Below is a summary of the biggest new features and improvements.

Complex OpenAPI Security Audit

42Crunch Security Audit is the foundation of API security. It is hard to reliably test and protect what you do not know.

42Crunch Security Audit includes 200+ static analysis security checks for OpenAPI format conformance, authentication, authorization, transport, data validation, and API security best practices. In the past, there were limitations to the complexity of the contracts that could be audited. Not anymore. Now any OpenAPI files up to 10 MB in file size can be audited.

We also made the security audit compatible with some OpenAPI format issues that in the past were blocking the audit. Thus, pretty much any API contracts sufficiently following the standard can now be analyzed.

This change is live both in our online platforms and all our plugins: IDE, CI/CD, repository, SonarQube.

Private Cloud Conformance Scan

42Crunch Conformance Scan is the dynamic testing part of the 42Crunch suite. It used to only run from the cloud, which created connectivity and client confidentiality issues. After all, many companies want to test internal or pre-production APIs that are not accessible from the internet and do not have a dedicated 42Crunch deployment.

Now, with Private cloud scan, you can run the 42Crunch scan agent on any computer by simply using the docker image or a centralized Kubernetes deployment and simply supply the id of the scan configuration and whatever custom parameters (like access token and endpoint URL) that you want to be changed for that run.

With that change, we are also making on-premises scan available to all our community users.

JWT, Security Headers, Rate Limit Protections

We have released a set of extensions to the OpenAPI standard that allow taking API runtime protection to the next level:


  • Rate limiting for protection by API key and IP address
  • Security header protections to automatically add security HTTP headers that your APIs need and remove headers coming from your implementation frameworks and potentially leaking sensitive information

Teams and Selective Sharing

A lot of our customers are managing security across thousands of APIs and hundreds of engineers. Thus, it is important to be able to segregate access.

42Crunch now allows you to group your organization members into teams and share API collections with specific teams and users with different level of access:

An example screenshot on editing the sharing of an API collection. The collection has been shared with one user and one team. The user has been granted Read/Write access to the collection, but the team only has Read-Only access to it.

Note: This feature is not available to individual free accounts. Upgrade your account to the Teams tier or above to use it.

Enterprise Single Sign-On

Security platforms need to be secured themselves. Now our enterprise customers can integrate 42Crunch with their corporate identity provider. Thus, users do not have to maintain a separate set of credentials, and security is improved with automated access revocation and corporate policies such as multi-factor authentication.

Other Improvements

There are many other smaller improvements in the release, including:

  • Trend reports to track security audit and scan result changes over time

See our release notes for more information on these and other improvements.

Latest Resources


Review of Major API Security Breaches from H1 2024

In this latest webinar, Anthony Lonergan, reviews some of the most recent high-profile API breaches that occurred in 2024.
Anthony will give a detailed overview of each attack and explain how the different vulnerabilities could be exploited to compromise the companies involved. He then practically demonstrates how companies can remediate against these vulnerabilities order to better protect their APIs.


The Scourge of SQL Injection for APIs

By Anthony Lonergan | June 25, 2024

In a report published in May 2024, cybersecurity firm Eclypsium outlined key vulnerabilities discovered in the F5 Big IP Next device. It’s another sobering reminder of the challenges faced in securing APIs when a highly regarded security company like F5 launches a new flagship product with all-too-familiar vulnerabilities […]


APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.