Apigee Advanced API Security release notes

This page documents production updates to Apigee Advanced API Security in 2022 and later. We recommend that users periodically check this list for any new announcements, or subscribe to this page using a feed reader to get notifications of updates.

What is a feed reader?

Really simple syndication (RSS) feed readers aggregate content from websites that you specify.

Feed reader notifications can be email-, browser-, desktop-, or mobile-based. Some readers are free, or have free versions, and some require a subscription.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/apigee-api-security-release-notes.xml

March 04, 2024

On March 4, 2024 we released an updated version of Advanced API Security.

New conditions for security actions

You can now create security actions based on the following condition types (in addition to the condition types for Detection rules and IP addresses that were already available):

  • API keys
  • API products
  • Access tokens
  • Developers
  • Developer apps
  • User agents

These new conditions are not available with Apigee hybrid at this time.

See Create a security action to learn more.

January 16, 2024

On January 16, 2024 we released an updated version of Advanced API Security.

Training machine learning models for abuse detection on your data

You now have the option to allow Apigee to train your organization's machine learning models for abuse detection on your data. Training the models on your data helps improve their accuracy for detecting security incidents.

December 13, 2023

On December 13, 2023 we released an updated version of Advanced API Security.

Public preview of archiving security incidents

With this release, you can now archive security incidents that you no longer want to see displayed in the incidents list. For example, you might want to archive incidents that you have already dealt with and no longer need to track. Archiving incidents can help you focus on those incidents that still require your attention. Archiving does not delete the incident: you can always unarchive it whenever you want.

Performance improvements to Risk Assessment security scores

Risk Assessment security scores now load faster in the Apigee UI, due to improved server side caching of scores.

December 06, 2023

On December 6, 2023 we released an updated version of Advanced API Security.

New button to create a security action is now in several places in the Abuse detection and Risk assessment pages

The new button links directly to the Security actions page from the Abuse detection or Risk assessment pages, so you can easily create a security action for the environment you are currently viewing. The button is in the following locations:

  • The Source assessment view in the Risk assessment page
  • The Detected Traffic, Incident, and Incident details views in the Abuse detection page

December 05, 2023

On December 5, 2023 we released an updated version of Advanced API Security.

Changes to proxy security scores

The following changes have been made to the way proxy security scores are calculated:

  • Previously, adding a policy to a proxy or shared flow, but not attaching the policy to any flow (preflow, postflow or conditional flow), could affect the proxy's score.

    With this release, you must attach a policy in a flow in order for the policy to affect the proxy's score. A policy that is not attached in a flow is treated as if no policy were present for scoring.

  • Previously, proxies with no policies were not considered in scoring.

    With this release, proxies with no policies are considered in scoring.

See How policies affect proxy security scores to learn more.
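A check for the first case above, as an added example that is not Apigee's code or its scoring logic: it lists policies that exist in a proxy bundle but are not referenced by any `<Step>` in a flow. The bundle contents, file names and policy names are constructed, and the XML layout (policy files plus a ProxyEndpoint with PreFlow, Flows and PostFlow) is an assumption about how your bundle is exported.

```python
import xml.etree.ElementTree as ET

# Constructed sample bundle (not from the release notes): two policy files and
# one proxy endpoint. File names, policy names and layout are assumptions.
POLICIES = {
    "policies/Verify-API-Key.xml": '<VerifyAPIKey name="Verify-API-Key"><APIKey ref="request.header.x-api-key"/></VerifyAPIKey>',
    "policies/JSON-Threat.xml": '<JSONThreatProtection name="JSON-Threat"><Source>request</Source></JSONThreatProtection>',
}
ENDPOINTS = {
    "proxies/default.xml": """
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request><Step><Name>Verify-API-Key</Name></Step></Request>
    <Response/>
  </PreFlow>
  <Flows>
    <Flow name="list-items">
      <Condition>proxy.pathsuffix MatchesPath "/items"</Condition>
      <Request/><Response/>
    </Flow>
  </Flows>
  <PostFlow name="PostFlow"><Request/><Response/></PostFlow>
</ProxyEndpoint>""",
}

def defined_policies(policy_files):
    """Map policy name -> policy type (root element) for each policy file."""
    roots = (ET.fromstring(x) for x in policy_files.values())
    return {r.get("name"): r.tag for r in roots}

def attached_policies(endpoint_files):
    """Collect every policy name referenced by a <Step> in the endpoint files."""
    names = set()
    for xml_text in endpoint_files.values():
        for step in ET.fromstring(xml_text).iter("Step"):
            names.add((step.findtext("Name") or "").strip())
    return names - {""}

def unattached(policy_files, endpoint_files):
    """Policies present in the bundle but not attached to any flow."""
    attached = attached_policies(endpoint_files)
    return {n: t for n, t in defined_policies(policy_files).items() if n not in attached}

if __name__ == "__main__":
    for name, kind in unattached(POLICIES, ENDPOINTS).items():
        print(f"{name} ({kind}) is defined but not attached to any flow")
```

Run it over a bundle before relying on a policy for your score: a policy reported here is treated for scoring as if it were not present.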

November 01, 2023

On December 6, 2024 we released an updated version of Advanced API Security.

Public preview of Advanced API Security custom profiles in the Apigee UI

With this release, you can now create and edit custom security profiles in the Apigee UI. Custom profiles let you specify the security categories that your security scores are based on.

The Security scores page in the Apigee UI has been renamed to the Risk assessment page, and the page now has tabs for security scores and security profiles.

October 06, 2023

On October 6, 2023, we released an updated version of Advanced API Security.

Public Preview of Advanced API Security Actions

Advanced API Security's new Security Actions feature lets you create security actions that define how Apigee handles detected traffic. You can create the following security actions:

  • Deny actions, which deny requests that meet specified conditions, for example, originating at an IP address that has been identified as a source of abuse.

  • Flag actions, which let requests pass through, but add headers to requests to identify them as suspicious.

  • Allow actions, which are used to override deny actions in specific cases when the request is trusted.

September 27, 2023

On September 27, 2023, we released an updated version of Advanced API Security.

Public preview of Advanced API Security Alerting

Advanced API Security's new alerting feature lets you create alerts for events related to API security using Google Cloud Monitoring, such as changes to your security scores or incidents involving detected API abuse. You can configure alerts to send you notifications by email or other channels when these events occur, so you can take action to counteract them.

September 25, 2023

On September 25, 2023 we released an updated version of Advanced API Security.

If a flow hook contains any FlowCallout policies, Advanced API Security scores now process all policies from the shared flows that the flow callouts point to. Further callout chaining is not supported.

Bug ID | Description
300849647 | Fixed a bug in Security scores for proxies that don't contain any policies in the categories authorization, mediation, threat or CORS.

August 25, 2023

On August 25, 2023, we released an updated version of Apigee Advanced API Security.

This release includes custom profiles for Advanced API Security scores. Custom profiles let you specify the security categories you want your security scores to be based on. In this release, you must create a security profile in the security scores API. However, you can view scores for the profile in the security scores UI.

August 03, 2023

On August 3, 2023, we released an updated version of Apigee Advanced API Security.

Previously, Advanced API Security scores didn't evaluate proxies calling shared flows via flow hooks and the FlowCallout policy in the proxy. With this release, security scores take into account proxies calling shared flows this way. As a result, your security scores may change because they now factor in the shared flows in the environment.

April 20, 2023

On April 20, 2023 we released an updated version of Apigee Advanced API Security.

This release contains a new Advanced API Security Detected Traffic view, which displays information about API traffic originating from detected bots. This information was previously displayed in the Abuse metrics section of the Security scores view.

March 23, 2023

On March 23, 2023, we released an updated version of Apigee Advanced API Security.

Public preview release of Advanced API Security abuse detection

Advanced API Security's new abuse detection feature lets you view security incidents involving your APIs. Abuse detection uses Google's machine learning algorithms to detect API traffic patterns that are a sign of malicious activity targeting your APIs.

Abuse detection includes two new types of detection rules powered by machine learning models:

  • Advanced Anomaly Detection: Detects unusual patterns of API traffic.
  • Advanced API Scraper: Detects attempts to extract information from APIs for malicious purposes.

The two new detection rules, Advanced Anomaly Detection and Advanced API Scraper, are not available for organizations with VPC Service Controls. We are actively working to resolve this issue.