Current release: v7.3.24
Release Highlights
The 7.3 release of the Cequence Unified API Protection (UAP) platform has several new features. This release is generally available as of December 20, 2024.
New Features
Summary dashboard UI: Summarizes various metrics about discovery, compliance, and threat protection. This dashboard provides a quick summary of API activity protected by your Cequence UAP deployment, highlighting the metrics that matter for technical staff and decision makers.
Key metrics highlighted on this dashboard include:
- Number of API hosts discovered by Cequence’s zero-knowledge attack surface discovery compared to the total number of API hosts the platform is actively protecting.
- Number of Internal, External, and Third-Party APIs in the API inventory.
- Total Number of API Risk Issues detected by the platform, including run-time risks and build-time compliance test failures.
- Statistics about the traffic volume processed by the Cequence UAP platform and threats mitigated by the platform, including types of threats and their sources.
New inventory page: Adds usability improvements to common workflows. You can toggle between the new page and the legacy one now, but expect the legacy view to be deprecated in a future release.
- Easy tabular access to the entire API inventory, allowing easy filtering by API type and various other attributes.
- View APIs by their classification as Internal, External, or Third-Party, and customize that view to meet your requirements.
- Generate API specifications for undocumented APIs.
- Manage Shadow APIs and API compliance drift right from the inventory page.
- Greater context for factors that contribute to increased risk, including OWASP recommendations and sensitive data exposure.
The Cequence UAP platform UI now sorts discovered APIs by type: Internal, External, and Third-Party.
New API Endpoint Details page: Along with API usage statistics, Cequence provides an analysis of the payloads in your API requests and responses, including parameter discovery. Cequence can automatically create Data Extraction rules based on the discovered parameters. APIs are analyzed for sensitive data exposure, assisting in your compliance requirements.
Machine Learning-based Classification of Mitigated Threats: Automatically classifies API threats based on the API endpoints that the malicious activity was detected on, the sources of the malicious requests, and the malicious behavior patterns observed. The classification feature includes industry-specific threats, such as CPNI Enumeration and Device Port-in Fraud (for Telco customers), Inventory Abuse and Shopping Card Abuse (for Retail customers), and Credit Application Fraud and Payment Fraud (for Financial customers).
Detecting and Blocking Automated AI Bot Activity: Can automatically identify activity from AI bots without requiring any user configuration. This enables security teams to detect activity from AI apps and use easily created policies to block or rate-limit such activity.
Beyond new presentation and categorization in the refreshed UI, the 7.3 release of the Cequence UAP platform includes a new ability to search right from the Data Extraction page.
The Cequence UAP platform now ships with the OWASP API Top 10 2023 rules as the default and the older OWASP API Top 10 2019 rules disabled. You can customize this configuration if required, adding categories and rules as needed.
New Integrations
Palo Alto Networks Next-gen Firewall: These integrations enable the Cequence UAP platform to discover API callouts from customer-owned applications, surfacing third-party API suppliers. These integrations also provide the necessary context to understand the security posture of those API callouts, including identification of sensitive data they exchange. Cequence has introduced integrations with Palo Alto Networks Firewalls for this use case.
F5 High Speed Logging (HSL): F5 users can discover and protect their APIs exposed behind F5 gateways using the high-volume, low-latency HSL feature without needing to terminate TLS on the F5. This enables quick, low-latency, and secure integrations.
Citrix ADC Content Inspection: Citrix users can discover and protect their APIs exposed behind Citrix ADC gateways using Citrix content inspection capabilities, which enables quick, passive integrations using mirroring technology and automatically handles TLS termination.
WSO2 API Gateway: Cequence now provides passive integration with WSO2 API gateways, allowing WSO2 users to easily integrate with Cequence to discover and protect APIs exposed behind WSO2 API gateways.
Serverless application integrations: Cequence now integrates with container deployment technologies from leading cloud providers to discover and protect serverless applications deployed on those cloud services. Cequence has introduced native integrations for AWS App Runner, Azure Container Apps, and GCP Cloud Run, enabling organizations to discover and protect APIs exposed within containerized applications deployed on such technologies.
Resolved Issues
Release 7.3.24
CEQASP-7210 Sitemap discovery fails to load data
Release 7.3.23
CEQASP-6211 Time windows selected in detection dashboard (Custom time range) changes in transaction page
CEQASP-6397 Published end point coming in as discovered
Release 7.3.22
CEQASP-6538 Removes 1000 API definition limit in Sentinel
CEQASP-6382 Feature flagged fix to handle data skew in TA for some customers to resolve lag
SPY-1402 Enable Security context for the spyder-ui pod by default
Release 7.3.21
CEQASP-6513 Make the timeout value for the API calls to UI ingress configurable using a Helm chart
CEQASP-6382 Transaction count discrepancy between detection and sentinel dashboard
Release 7.3.20
CEQASP-6457 Add ability to do zipped export to AWS S3
CEQASP-6359 API Sentinel: Base path for API definitions can't have underscores
CEQASP-6412 Reset Operation for sampling configuration causes api-edge crash
Release 7.3.19
SECTEST-1132 Update test cases for VAmPI vulnerability detection
Release 7.3.18
CEQASP-6384 Update Rule Bundle to 5.0
CEQASP-6321 API for configuring the sampling rate for API Edge
Release 7.3.17
SECTEST-1121 [Api Testing] Allow running test jobs without KEDA
DEF-1521 Crash in ipfp lib when large XFF header is received
Release 7.3.16
CEQASP-5573 Pagination of Sensitive Data Dashboard Results hard to see
CEQASP-6048 Spec gen errors out
CEQASP-6173 API Sentinel: Dashboard metrics are all off
CEQASP-6181 Dashboard/Risk Posture linking to Inventory not working as expected.
CEQASP-6191 Sentinel dashboard: The API endpoints tile does not refresh using the refresh button at the top right or even if we select filters
CEQASP-6230 Specs with multiple matching servers with different base paths break inventory table
CEQASP-6249 ES Retry improvements
Release 7.3.15
CEQASP-5778 migrator job unable to complete if there is a lot of metrics data
CEQASP-5809 API Sentinel: OWASP API8:2023 add Option to the list of common methods
CEQASP-5933 Multiple /pivot-details calls on Detection dashboard
CEQASP-5944 API Inventory - Details left column - sensitive data over flow
CEQASP-5982 API Sentinel: Inventory Details left hand Risk Findings not updating
CEQASP-6005 PII NAME - false positives
CEQASP-6018 API Sentinel: Auth type shows up as n/a instead of Custom Auth type in API Endpoint Details
CEQASP-6161 UI: Sensitive Data Exposure calls failing
Release 7.3.14
CEQASP-5902 [Helm Chart] Kafka does not inherit imagepullsecrets
CEQASP-6022 Add Future record protection in bot analyzer
Release 7.3.13
CEQASP-5734 [HTTP Filters] Unable to configure wildcards
CEQASP-5882 Exposure type must be included in the import-export config
Known Behavior
When creating new HTTP filters, users must select both the CQAI and Sentinel checkboxes to apply traffic filters in Defender. This is a low-priority bug that was identified while testing the bug fixes for this release, with a fix targeted for release 7.5 of the Cequence UAP platform.
Release 7.3.12
CEQASP-5012 migrator job failing on master
Release 7.3.11
CEQASP-5373 UAP UI - Transactions - Does not sort by am/pm
CEQASP-5778 migrator job unable to complete if there is a lot of metrics data
CEQASP-5789 Traffic metrics hangs on any API call that needs backend communication to Elasticsearch
CEQASP-5841 saml user with uppercase email chars does not show as federated
Release 7.3.10
CEQASP-5598 error in bff when graphql response is empty
Release 7.3.9
CEQASP-5556 API Sentinel: Login Endpoint is being flagged for No Auth
CEQASP-5580 API Sentinel: Ad hoc report data display issues
CEQASP-5581 API Sentinel: V2 rule to find secret | key not ported to V3 rules
CEQASP-5606 API Sentinel: third party detection does not work with two-character country code domains
Release 7.3.8
CEQASP-3434 Privilege Escalation Attempts prevented in Auth Expressions by restricting access to privilege escalation classes in MVEL scripting language.
CEQASP-2892 Requiring local user accounts to have Multi-factor Auth (MFA).
CEQASP-5583 Policy Engine now supports OAuth, allowing clients to authenticate to it via OAuth and not via HTTP Basic Auth.
CEQASP-3578 SMTP+Syslog+S3: CQASP Egress: Data exports should be through a proxy
CEQASP-4973 /sentinel/dashboard/summary-inventory returns 500 when filtering by all hosts
CEQASP-5171 apikey auth type is not detected
CEQASP-5238 Real IP Configuration does not allow value location to be specified
CEQASP-5255 JSON Parsing issue in traffic stats
CEQASP-5341 Browser pivot on Detection dashboard does not show any data on the bottom right hand pane.
CEQASP-5374 7.3 Spartan Detection Transaction Filters for Rule Not working
CEQASP-5380 Pivots Transactionfilters on FP dataset which is empty is returning values
Release 7.3.7
CEQASP-5640 Remove read-only from ILM template for all indices
Release 7.3.6
CEQASP-5502 host filtering on dashboard and navigating to inventory not working
CEQASP-5525 API Sentinel: 3rd-party classification should only happen when an internal domain is specified.
CEQASP-5528 API Sentinel: New inventory displays "n/a" if there are more than one auth types
CEQASP-5529 API Sentinel: New Inventory endpoint details does not reflect updates to the class type
CEQASP-5560 API Sentinel: SSRF false positive due to origin fieldname
CEQASP-5563 API Sentinel: clear Risk does not update API Endpoints Details Risk tab
CEQASP-5564 API Sentinel: NLP PII_customer_account creating too many false positives
CEQASP-5602 Risk contributors are missing on the new inventory
Release 7.3.5
CEQASP-5513 Platform: Role-based access not working correctly in 7.3.
Release 7.3.4
CEQASP-5559 User-preference endpoint fails on new inventory pages with Sentinel API Inventory Viewer role
Release 7.3.3
CEQASP-5413 Support existing traffic ingestion client secret in Cequence ASP Helm chart
Release 7.3.2
CEQASP-5434 UI Glitch: Cannot close show user popup
CEQASP-5494 PCI Password Is not omitted
Release 7.3.1
CEQASP-5305 The words 'alphanumeric only' are visible on the page 'Sensitive Data Expressions'
Upgrade Effects
After installing or upgrading the Cequence UAP platform to release 7.3, downgrading past release 7.1 is not possible.
Supported upgrade paths
The 7.3.23 release supports the following upgrade paths.
- 6.14.x to 7.3.23
- 7.0.x to 7.3.23
- 7.1.x to 7.3.23
- 7.2.x to 7.3.23
Specific upgrade steps for on-premises instances are discussed in Upgrading to Cequence UAP platform 7.3.
On-Premises Deployments
Package | Version | Location |
Helm Chart | 7.3.0 | https://cequence.gitlab.io/helm-charts/ |
Scan Results:
Attached file.
Upgrade Impact:
Release 7.3.8:
CEQASP-3434 To enforce the privilege escalation restriction, add the following flag to the Helm chart for BotAnalyzer:
scriptProtectionEnabled: true
CEQASP-5583 Enabling the Policy Engine to use OAuth requires the following items.
- Enable the required distribution service for OAuth Proxy
- Disable policy ingress for Basic Auth for Policy Engine
- Update edge ingress for OAuth Proxy with the extra routing configuration