42CRUNCH BLOG


42Crunch API Security Platform March 2021 Release


Today we are happy to announce the global availability of the latest version of the 42Crunch API Security Platform. We have updated our community deployment used by thousands of API developers worldwide, our IDE plugins, online tools, and deployments used by our enterprise customers.

Below is a summary of the biggest new features and improvements.

Complex OpenAPI Security Audit

42Crunch Security Audit is the foundation of API security. It is hard to reliably test and protect what you do not know.

42Crunch Security Audit includes 200+ static analysis security checks for OpenAPI format conformance, authentication, authorization, transport, data validation, and API security best practices. In the past, there were limitations to the complexity of the contracts that could be audited. Not anymore. Now any OpenAPI files up to 10 MB in file size can be audited.

We also made the security audit tolerant of some OpenAPI format issues that previously blocked it entirely. As a result, practically any API contract that follows the standard closely enough can now be analyzed.

This change is live both in our online platforms and all our plugins: IDE, CI/CD, repository, SonarQube.

On-Premises Conformance Scan

42Crunch Conformance Scan is the dynamic testing part of the 42Crunch suite. It used to only run from the cloud, which created connectivity and client confidentiality issues. After all, many companies want to test internal or pre-production APIs that are not accessible from the internet and do not have a dedicated 42Crunch deployment.

Now, with on-premises scan, you can run the 42Crunch scan agent on any computer using the Docker image, or through a centralized Kubernetes deployment. You supply the ID of the scan configuration plus whatever custom parameters (such as the access token and endpoint URL) you want changed for that run.

With that change, we are also making on-premises scan available to all our community users.

JWT, Security Headers, Rate Limit Protections

We have released a set of extensions to the OpenAPI standard that allow taking API runtime protection to the next level:

  • Rate limiting for protection by API key and IP address
  • Security header protections to automatically add security HTTP headers that your APIs need and remove headers coming from your implementation frameworks and potentially leaking sensitive information
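The two runtime protections listed above, as an added example that is not 42Crunch's code and does not use its OpenAPI extensions: a minimal gateway-style filter that rate-limits requests by API key (falling back to client IP) and, on the response path, strips stack-revealing headers before adding a fixed set of security headers. The header name `X-API-Key`, the limit values and the header sets are assumptions chosen for illustration.

```python
"""Added example (not 42Crunch's code): a minimal API gateway filter that
applies two runtime protections to every request/response pair:
  1. fixed-window rate limiting keyed by API key, falling back to client IP
  2. response header hardening: remove framework/server headers that leak
     implementation details, then add standard security headers.
All policy values below are assumed for illustration."""
from dataclasses import dataclass, field

# Assumed policy values; a real deployment tunes these per API.
RATE_LIMIT_WINDOW_SECONDS = 60
RATE_LIMIT_MAX_REQUESTS = 5

# Assumed set of headers added to every response (typical for JSON APIs).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
}

# Headers commonly emitted by servers/frameworks that reveal the stack
# (assumed list; compared case-insensitively).
LEAKY_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-runtime",
}


@dataclass
class RateLimiter:
    """Fixed-window counter per key: the window restarts when it expires."""
    window: int = RATE_LIMIT_WINDOW_SECONDS
    limit: int = RATE_LIMIT_MAX_REQUESTS
    _buckets: dict = field(default_factory=dict)  # key -> (window_start, count)

    def allow(self, key: str, now: float) -> bool:
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # window expired: start a fresh one
        count += 1
        self._buckets[key] = (start, count)
        return count <= self.limit


def client_key(request_headers: dict, client_ip: str) -> str:
    """Prefer the API key as the rate-limit key so one tenant behind a shared
    NAT address cannot exhaust another's quota; fall back to the client IP."""
    api_key = next(
        (v for k, v in request_headers.items() if k.lower() == "x-api-key"), None
    )
    return f"key:{api_key}" if api_key else f"ip:{client_ip}"


def harden_response_headers(upstream_headers: dict) -> dict:
    """Drop stack-revealing headers, then add the security headers.
    Security headers overwrite any same-named upstream values."""
    cleaned = {
        k: v for k, v in upstream_headers.items() if k.lower() not in LEAKY_HEADERS
    }
    cleaned.update(SECURITY_HEADERS)
    return cleaned


def handle(limiter: RateLimiter, request_headers: dict, client_ip: str,
           now: float, upstream) -> tuple:
    """Run one request through the filter.
    upstream: callable returning (status, headers, body) from the real API."""
    if not limiter.allow(client_key(request_headers, client_ip), now):
        headers = harden_response_headers({"Retry-After": str(limiter.window)})
        return 429, headers, b'{"error":"rate limited"}'
    status, headers, body = upstream()
    return status, harden_response_headers(headers), body


if __name__ == "__main__":
    # Constructed upstream response that leaks server and framework details.
    def fake_upstream():
        return 200, {"Server": "nginx/1.18", "X-Powered-By": "Express",
                     "Content-Type": "application/json"}, b"{}"

    limiter = RateLimiter()
    for i in range(6):
        status, hdrs, _ = handle(limiter, {"X-API-Key": "constructed-key"},
                                 "10.0.0.1", float(i), fake_upstream)
        print(i + 1, status, sorted(hdrs))
```

The choice of a fixed window keeps the state per key to one tuple; a sliding window or token bucket smooths bursts at the window boundary at the cost of more state. Hardening is applied to the 429 response as well, so a rate-limited client learns nothing about the upstream stack either.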

Teams and Selective Sharing

A lot of our customers are managing security across thousands of APIs and hundreds of engineers. Thus, it is important to be able to segregate access.

42Crunch now allows you to group your organization members into teams and share API collections with specific teams and users at different levels of access:

An example screenshot of editing the sharing settings of an API collection. The collection has been shared with one user and one team. The user has been granted Read/Write access to the collection, while the team only has Read-Only access to it.

Note: This feature is not available to individual free accounts. Upgrade your account to the Teams tier or above to use it.

Enterprise Single Sign-On

Security platforms need to be secured themselves. Now our enterprise customers can integrate 42Crunch with their corporate identity provider. Thus, users do not have to maintain a separate set of credentials, and security is improved with automated access revocation and corporate policies such as multi-factor authentication.

Other Improvements

There are many other smaller improvements in the release, including:

  • Trend reports to track security audit and scan result changes over time

See our release notes for more information on these and other improvements.