Current release: v7.5.3
Breaking change
The 7.5 release of the Cequence Unified API Protection (UAP) platform obsoletes the /api-requests and /sensor-requests endpoints. Before upgrading to 7.5.x, direct all traffic from sources such as Defender and Sensor instances to the unified API Edge endpoint /api-transactions.
For Defender, add the SENSOR_CONNECTOR_DATA_FORMAT="unified" environment variable or update the Helm chart value dataFormat to "unified". Restart Defender instances after changing their configurations.
Do not upgrade Cequence UAP until all traffic sources are sending data in unified format. Using non-unified format for traffic before the upgrade can cause the UAP platform to drop this traffic.
Release Highlights
The 7.5 release of the Cequence UAP platform is generally available as of Oct 17, 2024. The key highlights of this release are listed below.
New Features
The new features in the 7.5 release require version 5.3 or newer of Cequence Bridge and 5.3 or newer of Cequence Defender.
Advanced filtering configuration from the web UI: You can now configure advanced filters directly from the Cequence web UI. Using advanced filtering, you can configure query parameters, request headers, or response headers to decide whether to send traffic to Cequence UAP. Filtering configuration is now based on application tags instead of host and path values.
Configure traffic sampling in the web UI: You can configure traffic sampling directly from the web UI to send just a portion of the total application traffic to Cequence UAP instead of all traffic. This is particularly useful for API discovery and inventory use cases, where not all API traffic needs to be analyzed to discover, classify and inventory APIs. Sampling configuration includes a percentage value of traffic, which can be changed at any time by a Cequence administrator. Sampling is enforced at the API endpoint level.
Order traffic filter priority in the web UI: You can reorder the priority list of traffic filters directly from the UI. Filters are evaluated by the platform in the order in which they are configured from top to bottom on the UI. You can reorder the filters to list the higher priority filters at the top followed by lower priority filters.
Sensitive data masking: Cequence now supports masking sensitive data before transmitting to the Cequence UAP platform for analysis. This is particularly useful for SaaS deployments where customers may want to configure masking of sensitive data values in API request or response payloads before sending traffic to Cequence for analysis. This configuration is also part of the filtering configuration and can be configured per application tag.
Broken Object Level Authorization (BOLA) detection: Cequence now supports out-of-the-box detection of BOLA threat activity without custom rules. This capability saves administrator time and configuration effort because the platform automatically detects enumeration of path or query parameters at the API endpoint level.
API Inventory is now enhanced with the ability to assign labels to API endpoints. Labels enable you to add custom assigned names to individual API endpoints or groups of endpoints.
API Inventory now supports filtering API endpoints by Application Tags.
API Inventory now supports visibility into the cookies for each API endpoint, allowing users to identify cookie-based authentication parameters.
New Risk Posture page allows users to view and manage API security issues grouped by risk category and risk indicators, and provides detailed description of each detected risk, including remediation guidance.
New ML Configuration page lists the ML models active in the customer's Cequence tenant, including brief information about what each model does.
New improved Dashboard for Attack Surface Discovery shows the number of API hosts discovered over time, as well as new widgets categorizing edge, infrastructure, and application gateway providers discovered during domain crawls.
Email notifications are now sent for completed attack surface discovery Spyder crawls.
API Test Run Reports can now be downloaded in JSON format, and test plans can now be archived.
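The BOLA highlight above describes enumeration detection at the endpoint level without saying how such a signal is derived. The script below is an added illustration of the underlying idea and is not Cequence's implementation: it templatizes each request path (numeric and UUID-like segments become {id}, query values are dropped), then counts, per client and per endpoint template, how many distinct object identifiers that client touched, and reports any client whose count reaches a threshold. The request log is constructed inline for the example, and the threshold (default 10) is an assumed parameter, not a Cequence setting.

```sh
#!/bin/sh
# Added example, not Cequence code: per-client object-ID enumeration detector.
# Input: one request per line, "client method path[?query]".
# Output: "client endpoint-template distinct-id-count" for counts >= threshold.
set -eu

bola_detect() {
  threshold="${1:-10}"   # assumed default; tune per endpoint in practice
  awk -v threshold="$threshold" '
  function is_id(s) {
    # numeric ids, or 32+ hex chars (UUID-like, with or without dashes)
    if (s ~ /^[0-9]+$/) return 1
    if (length(s) >= 32 && s ~ /^[0-9a-fA-F-]+$/) return 1
    return 0
  }
  {
    client = $1; url = $3
    if (url == "") next
    n = split(url, parts, "?")
    path = parts[1]; query = (n > 1) ? parts[2] : ""
    # Path: replace id-looking segments with {id}, remembering their values
    tmpl = ""; nids = 0
    ns = split(path, seg, "/")
    for (i = 1; i <= ns; i++) {
      if (seg[i] == "") continue
      if (is_id(seg[i])) { nids++; ids[nids] = seg[i]; tmpl = tmpl "/{id}" }
      else tmpl = tmpl "/" seg[i]
    }
    # Query: keep parameter names in the template, collect id-looking values
    if (query != "") {
      nq = split(query, kv, "&")
      qn = ""
      for (i = 1; i <= nq; i++) {
        split(kv[i], p, "=")
        sep = (qn == "") ? "?" : "&"
        qn = qn sep p[1]
        if (is_id(p[2])) { nids++; ids[nids] = p[1] "=" p[2] }
      }
      tmpl = tmpl qn
    }
    # Count distinct ids per (client, endpoint template)
    key = client SUBSEP tmpl
    for (i = 1; i <= nids; i++) {
      sk = key SUBSEP ids[i]
      if (!(sk in seen)) { seen[sk] = 1; distinct[key]++ }
    }
  }
  END {
    for (k in distinct)
      if (distinct[k] >= threshold) {
        split(k, f, SUBSEP)
        printf "%s %s %d\n", f[1], f[2], distinct[k]
      }
  }'
}

# Constructed sample traffic (not real data).
bola_sample_log() {
  # 10.0.0.5 walks sequential order ids: classic object-level probing
  i=1001
  while [ "$i" -le 1012 ]; do echo "10.0.0.5 GET /api/v1/orders/$i"; i=$((i + 1)); done
  # 10.0.0.7 enumerates through a query parameter instead of the path
  i=500
  while [ "$i" -le 507 ]; do echo "10.0.0.7 GET /api/v1/invoices?id=$i&format=pdf"; i=$((i + 1)); done
  # 10.0.0.9 is a normal user working on its own order
  echo "10.0.0.9 GET /api/v1/orders/2001"
  echo "10.0.0.9 GET /api/v1/orders/2001/items"
  echo "10.0.0.9 POST /api/v1/orders/2001/cancel"
}

# Usage: bola_sample_log | bola_detect 5
```

Run against the constructed log with a threshold of 5, the detector reports 10.0.0.5 on /api/v1/orders/{id} (12 distinct ids) and 10.0.0.7 on /api/v1/invoices?id&format (8), and stays silent on 10.0.0.9. A production detector would additionally window the counts in time and compare each client against the endpoint's normal distinct-id rate rather than a fixed threshold.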
Resolved Issues
CEQASP-5841 SAML users with uppercase characters in the email address do not show as federated.
CEQASP-5384 Open detection transactions in new tab.
CEQASP-4480 [Traffic Metrics] Datasets are querying each entity in the set.
CEQASP-3625 [Traffic Metrics] Queries for over 1 day are hitting all indices.
CEQASP-3434 JEXL and MVEL Privilege Execution: Transformation script functionality allows for exfiltration of sensitive data.
CEQASP-2892 Local user accounts for CQASP dashboard require MFA.
Release 7.5.3
CEQASP-5640 Fix ILM Policies to not make the index read only
CEQASP-6431 Risk linking using the incorrect trafficStatus value
CEQASP-6513 created template directories
CEQASP-6238 API Sentinel: Dashboard identification of newly found not reflected in API inventory
CEQASP-6359 allowing underscore while saving servers
CEQASP-6538 remove max 1k api specs es query restriction
CEQASP-6382 | CEQASP-6566 Trim ReqHeaders values to 500 characters (configurable); omit cookie and auth headers from sensitive data analysis. Add metrics for the processor timer.
Upgrade considerations for CEQASP-6382
- Use the kafkaCluster.kafkaTopic.apiRequests.partitions variable to change the partition size of cq.api-requests.
- Use the sentinel.trafficAnalyzer.sensitiveDataProcessorCharsMax variable to set the character limit for sensitive data character processing. By default, this value is 500.
After changing the variables, bring down the traffic analyzer pod, then delete the following Kafka Streams internal topics. Kafka Streams sizes its repartition and changelog topics from the partition count of the source topic, so internal topics created before the cq.api-requests partition change no longer match it:
- resource-hit-analyzer-resourceMetricsStore-repartition
- resource-hit-analyzer-resourceMetricsStore-changelog
- resource-hit-analyzer-undiscoveredResourceRequestsStore-changelog
Start the traffic analyzer pod and confirm normal operation. The internal topics are rebuilt using the changed values.
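The CEQASP-6382 procedure above, written out as a script. This is an added example and not Cequence tooling; the Helm release and chart names, the namespace, the traffic analyzer running as a Deployment named traffic-analyzer, and Kafka being reachable from a pod named kafka-0 that ships kafka-topics.sh are all assumptions that you must replace with your own values. Only the two Helm variables and the three internal topic names come from the release note. The script defaults to a dry run that prints each command; set DRY_RUN=0 to execute.

```sh
#!/bin/sh
# Added example, not Cequence's own tooling: CEQASP-6382 upgrade steps.
# Everything below marked "assumed" is not from the release note.
set -eu

NAMESPACE="${NAMESPACE:-cequence}"                  # assumed
RELEASE="${RELEASE:-cequence-uap}"                  # assumed Helm release name
CHART="${CHART:-cequence/uap}"                      # assumed chart reference
TA_DEPLOYMENT="${TA_DEPLOYMENT:-traffic-analyzer}"  # assumed workload name
KAFKA_POD="${KAFKA_POD:-kafka-0}"                   # assumed pod with kafka-topics.sh
KAFKA_BOOTSTRAP="${KAFKA_BOOTSTRAP:-localhost:9092}" # assumed, as seen from that pod
API_REQUESTS_PARTITIONS="${API_REQUESTS_PARTITIONS:-12}"   # target partition count
SENSITIVE_CHARS_MAX="${SENSITIVE_CHARS_MAX:-500}"          # release-note default
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only

# The three Kafka Streams internal topics named in the release note.
internal_topics() {
  printf '%s\n' \
    resource-hit-analyzer-resourceMetricsStore-repartition \
    resource-hit-analyzer-resourceMetricsStore-changelog \
    resource-hit-analyzer-undiscoveredResourceRequestsStore-changelog
}

# Guard: only those internal topics may be deleted. cq.api-requests carries
# live traffic data and must never be passed to delete_topics.
is_internal_topic() {
  internal_topics | grep -qx -- "$1"
}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 1: change the two Helm values without touching the rest of the release.
set_helm_values() {
  run helm upgrade "$RELEASE" "$CHART" -n "$NAMESPACE" --reuse-values \
    --set "kafkaCluster.kafkaTopic.apiRequests.partitions=$API_REQUESTS_PARTITIONS" \
    --set "sentinel.trafficAnalyzer.sensitiveDataProcessorCharsMax=$SENSITIVE_CHARS_MAX"
}

# Steps 2 and 4: scale the analyzer to the given replica count and wait.
scale_analyzer() {
  run kubectl -n "$NAMESPACE" scale "deployment/$TA_DEPLOYMENT" --replicas="$1"
  run kubectl -n "$NAMESPACE" rollout status "deployment/$TA_DEPLOYMENT" --timeout=180s
}

# Step 3: delete the internal topics, refusing anything not on the list.
delete_topics() {
  for t in "$@"; do
    if ! is_internal_topic "$t"; then
      echo "refusing to delete non-internal topic: $t" >&2
      return 1
    fi
    run kubectl -n "$NAMESPACE" exec "$KAFKA_POD" -- \
      kafka-topics.sh --bootstrap-server "$KAFKA_BOOTSTRAP" --delete --topic "$t"
  done
}

main() {
  set_helm_values
  scale_analyzer 0                 # stop the consumer before touching its state
  delete_topics $(internal_topics)
  scale_analyzer 1                 # Streams recreates the topics on startup
}

main
```

Two caveats worth checking before running it for real: Kafka topics cannot lose partitions, so the new partitions value must be greater than or equal to the current count of cq.api-requests; and topic deletion only succeeds when the brokers run with delete.topic.enable=true (the Kafka default since 1.0). After the analyzer comes back, confirm with kafka-topics.sh --describe that the recreated internal topics show the new partition count.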
Release 7.5.2
SECTEST-1132 Update test cases for VAmPI vulnerability detection
Release 7.5.1
CEQASP-6387 page specific query params being stripped from URL in new tab
CEQASP-6384 Update Rule Bundle to 5.0
CEQASP-6377 [Dependency Verifier] Missing CPU Request / Limit
CEQASP-6365 Bot analyzer crash looping in master ceqasp
CEQASP-6341 API Sentinel: New Inventory White screen (non unique Identifiers)
CEQASP-6334 [Helm Chart] Add Stabilization Window to HPA objects
CEQASP-6269 New End points - Risk posture does not work
CEQASP-6255 Create new system rule for AI user agent detection
CEQASP-6230 Specs with multiple matching servers with different base path's break inventory table
CEQASP-6219 UI: app is not handling state and code query params in the URL
CEQASP-6211 Time windows selected in detection dashboard changes in transaction page
CEQASP-6186 UI - navigation from risk posture to inventory is broken
CEQASP-6184 API Sentinel: Risk Posture Page Performance.
CEQASP-6173 API Sentinel: Dashboard metrics are all off
CEQASP-6053 Decrease Resource Dictionary memory usage for appTags/labels features
CEQASP-6038 PCI_TRACK_ORDER False Negative
CEQASP-5558 API Sentinel: Custom Auth defined for Request Body
Upgrading from 7.4
To upgrade from the 7.4 release, back up and export all of your configuration files, then upgrade as normal.
Rolling back
After rolling back to the 7.4 release from 7.5, observe the system's behavior to verify correct operation.
Upgrading from 7.3
To upgrade from the 7.3 release, back up and export all of your configuration files, then upgrade as normal.
Rolling back
After rolling back to the 7.3 release from 7.5, import the exported configuration files, then perform the following scale alterations:
- Scale down deployments
- Scale up Resources Dictionary and Component Configuration
- Scale down Statefulsets
- Scale up Policy Engine.
Note that rolling back to 7.3 from 7.4 will result in the loss of two weeks of Sentinel metrics.
On-Premises Deployments
Package | Version | Location
--- | --- | ---
Helm Chart | 7.5.3 | https://cequence.gitlab.io/helm-charts/
Component Compatibility
The 7.5 release of the Cequence UAP is compatible with the following data plane component versions.
UAP version | Component version | Behavior
--- | --- | ---
UAP 7.5 | Defender releases 4.8.x through 5.1, inclusive; Sensor releases 4.0 through 4.1, inclusive | UAP 7.5 is backward compatible with these data plane components. The ignore configuration only affects the Sentinel stream.
UAP 7.5 | Defender release 5.2; Sensor release 4.x using Cequence Bridge; Cequence Bridge release 5.2 | Only Intelligent Edge functionality is available. Legacy filtering is not available.
UAP 7.5 | Gateway integrations | Intelligent Edge functionality is available.
UAP 7.3 | Defender releases 5.2 and earlier | Unsupported.