{"id":10047,"date":"2021-04-16T16:16:12","date_gmt":"2021-04-16T15:16:12","guid":{"rendered":"https:\/\/staging-site.42crunch.com\/?p=10047"},"modified":"2022-09-24T13:12:58","modified_gmt":"2022-09-24T12:12:58","slug":"42crunch-api-security-platform-april-2021-release","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/42crunch-api-security-platform-april-2021-release\/","title":{"rendered":"42Crunch API Security Platform April 2021 Release"},"content":{"rendered":"<p>We have just updated our API Security platform, and I want to tell you all about it.<\/p>\n<h2>100+ New Security Audit Checks<\/h2>\n<p>Security Audit checks related to authentication just had a major revamp.<\/p>\n<p>Now instead of generic articles on insecure authentication methods, we provide specific information for each case, including:<\/p>\n<ul>\n<li>API Key passed as a query parameter<\/li>\n<li>API Key passed in a header<\/li>\n<li>API Key in a cookie<\/li>\n<li>Basic authentication<\/li>\n<li>Bearer authentication<\/li>\n<li>Digest authentication<\/li>\n<li>OAuth1<\/li>\n<li>Kerberos and NTLM authentication<\/li>\n<li>IANA registered authentication: HTTP Origin-Bound Authentication (HOBA), Mutual Authentication, Salted Challenge Response (SHA-1, SHA-256), Voluntary Application Server Identification (VAPID) for Web Push<\/li>\n<li>OAuth2 Implicit Grant<\/li>\n<li>OAuth2 Resource Owner Password Grant<\/li>\n<li>OAuth2 Client Credentials\u00a0Grant<\/li>\n<li>OAuth2 Authorization Code\u00a0Grant<\/li>\n<\/ul>\n<p>All of these get checked for OpenAPI 2.0 and OpenAPI 3.0 standards, and different articles (and severity levels) are used depending on HTTP and HTTPS transport being used.<\/p>\n<p>All new security checks have been added to our <a href=\"https:\/\/apisecurity.io\/encyclopedia\/content\/api-security-encyclopedia\">encyclopedia on apisecurity.io<\/a>.<\/p>\n<h2>OAuth Security Best Practices<\/h2>\n<p>As mentioned earlier, we are now much smarter about OAuth use in API authentication.<\/p>\n<p>42Crunch Security Audit now checks the grant types used by APIs and warns if these are no longer in line with the OAuth 2.0 Security Best Current Practice from IETF.<\/p>\n<h2>Tweaked Security Issues Impact<\/h2>\n<p>Security Audit is now also smarter about how the authentication method is used in the API contract.<\/p>\n<p>If the authentication mechanism is defined (<code>securityDefinitions<\/code> in OpenAPI 2 and <code>securitySchemes<\/code> in OpenAPI 3) but not actually applied, this is a lurking danger (that someone accidentally starts using it in the future) and not an immediate vulnerability. Thus, we will warn if we see such a definition but will not lower the score because the authentication method is not used.<\/p>\n<p>If we find that the insecure authentication method is, in fact, applied to the API, we will change the score depending on how dangerous the approach is. Insecure authentication applied globally to the whole API will have a higher impact than the one applied to a particular operation.<\/p>\n<h2>Enhanced Proxy Handling for On-premises Scan<\/h2>\n<p>On-premises Conformance Scan that we introduced in our previous release got its share of enhancements. The agent needs to connect to the API endpoint it is supposed to test and to the 42Crunch platform (to retrieve the configuration and send back the report.)<\/p>\n<p>You are now able to specify different proxy servers for these two scenarios. You can also do that separately for HTTP and HTTPS traffic.<\/p>\n<p>See<a class=\"MCXref xref\" href=\"https:\/\/docs.42crunch.com\/latest\/content\/tasks\/scan_api_conformance.htm#Run3\"> Run on-premises scan behind HTTP or HTTPS proxy<\/a>\u00a0for details.<\/p>\n<h2>Scan Report Improvements<\/h2>\n<p>Scan reports now provides information on when the API endpoint was last scanned and also explicitly reports when the &#8220;<a href=\"https:\/\/docs.42crunch.com\/latest\/content\/concepts\/api_contract_conformance_scan.htm#Happy\" target=\"_blank\" rel=\"noopener\">happy path<\/a>&#8221; scenario could not be executed for the particular operation, thus making the fuzzing of that operation impossible:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11485\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2021\/04\/scan_report_filter.png\" alt=\"\" width=\"313\" height=\"414\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2021\/04\/scan_report_filter.png 313w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2021\/04\/scan_report_filter-227x300.png 227w\" sizes=\"(max-width: 313px) 100vw, 313px\" \/><\/p>\n<h2>Other Changes<\/h2>\n<p>See our <a href=\"https:\/\/docs.42crunch.com\/latest\/content\/whatsnew\/42crunch-platform-2021-04-14.htm\" target=\"_blank\" rel=\"noopener\">release notes<\/a> for the list of other changes and firewall compatibility information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have just updated our API Security platform, and I want to tell you all about it. 100+ New Security Audit Checks Security Audit checks related to authentication just had a major revamp. Now instead of generic articles on insecure authentication methods, we provide specific information for each case, including: API Key passed as a [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":11331,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"100+ New API Security Audit Checks added to API Audit","_seopress_titles_desc":"API Security platform update includes validation of OAuth security best practices and addition of 100+ new authentication security checks.\r\n","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[13],"tags":[22],"class_list":["post-10047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-api-security-platform"],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/10047"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=10047"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/10047\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/11331"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=10047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=10047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=10047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}