Apigee Advanced API Security release notes

This page documents production updates to Apigee Advanced API Security in 2022 and later. We recommend that users periodically check this list for any new announcements, or subscribe to this page using a feed reader to get notifications of updates.

What is a feed reader?

Really simple syndication (RSS) feed readers aggregate content from websites that you specify.

Feed reader notifications can be email-, browser-, desktop-, or mobile-based. Some readers are free, or have free versions, and some require a subscription.

A few examples:

More information on RSS:

See also:

Subscribe:

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

October 08, 2024

On October 8, 2024 we released an updated version of Advanced API Security.

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

New features added to the Risk Assessment v2 preview

This release introduces new features to the Risk Assessment v2 preview:

  • Support for custom security profiles. You can create your own security profiles, with unique combinations of risk assessment checks and weights, to use for proxy risk assessment.
  • New assessment checks. We've added additional checks you can use when assessing proxy risk.
  • Assess proxies across multiple profiles. You can now switch between security profiles to see differences in scoring across profiles.

For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

October 04, 2024

On October 4, 2024 we released an updated version of Advanced API Security.

Fixed: Delay in score generation for Risk Assessment v2 with VPC-SC-enabled organizations only

In Risk Assessment v2, which is in preview, this issue has been resolved:

With VPC-SC-enabled organizations only, when generating scores for new organizations or scoring changes to included proxies, shared flows, and target server configurations, score generation could have take as much as three hours.

See the Risk Assessment v2 customer documentation for information on the functionality.

Risk Assessment v2 is now available in the me-central2 region. See Available Apigee API Analytics Regions for region information.

September 11, 2024

Delay in score generation for Risk Assessment v2 with VPC-SC-enabled organizations only

This issue impacts Risk Assessment v2 only, which is in preview.

With VPC-SC-enabled organizations only, when generating scores for new organizations or scoring changes to included proxies, shared flows, and target server configurations, score generation could take as much as three hours.

See the Risk Assessment v2 customer documentation for information on the functionality.

September 10, 2024

On September 10, 2024 we released an updated version of Advanced API Security.

Proxy-specific security actions

You can now create security actions that apply only to one or more specified proxies.

This new functionality is not available with Apigee hybrid at this time.

See Security actions to learn more about proxy-specific security actions.

August 13, 2024

On August 13, 2024 we released an updated version of Advanced API Security.

Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Note: This functionality is not available in the me-central2 region at this time. See Available Apigee API Analytics Regions for region information. We will announce with a release note when that region is supported.

Public preview of Risk Assessment v2

This release introduces Risk Assessment v2 in preview. Risk Assessment v2 includes these improvements:

  • Improved reliability: Faster score calculations with recent proxy data.
  • Simplified score display: The new score is a percentage, where 100% means full alignment with the security profile.

For usage information and a list of all improvements and changes in v2, see Risk Assessment v2.

August 05, 2024

On August 5, 2024 we released an updated version of Advanced API Security.

Shadow API Discovery, which is in preview, now supports the use of tags to label and organize observation results.

For usage information, see Use tags.

August 02, 2024

The preview release of generative AI summaries and recommendations for Advanced API Security Abuse Detection incidents is now re-enabled after resolution of the known issue noted on July 19.

For usage instructions, see the Incident details documentation.

July 26, 2024

On July 26, 2024, we released an updated version of Advanced API Security.

Advanced API Security now supports data residency. Data residency meets compliance and regulatory requirements by allowing you to specify the geographic locations (regions) where Advanced API Security data is stored. For more information, see Introduction to data residency.

July 19, 2024

The preview release of generative AI summaries and recommendations for Advanced API Security Abuse Detection incidents has been temporarily disabled due to a known issue. We will announce in a release note when the functionality is re-enabled.

June 27, 2024

On June 27, 2024 we released a new version of Advanced API Security

Rollouts of this feature are ongoing and will take multiple days to complete across all Google Cloud zones. You might not be able to use the functionality until the rollout is complete.

Preview release of generative AI incident report summaries

This release introduces the preview release of generative AI summaries and recommendations for Advanced API Security Abuse Detection incidents. The new generative AI features are available for all Advanced API Security-enabled projects and do not require the Gemini Code Assist add-on.

For usage information, see the Abuse Detection customer documentation.

June 17, 2024

On June 17, 2024 we released an updated version of Advanced API Security.

Shadow API Discovery, which is in preview, no longer requires separate creation of P4SA permissions in order to enable the functionality.

For usage information, see the Shadow API Discovery documentation.

May 29, 2024

On May 29, 2024 we released a new version of Advanced API Security

NOTE: Rollouts of this feature are ongoing and will take multiple days to complete across all Google Cloud zones. You might not be able to use the functionality until the rollout is complete.

Preview release of Shadow API Discovery

This release introduces Shadow API Discovery in preview. Shadow API Discovery finds shadow APIs (also known as undocumented or unmanaged APIs) in your existing cloud infrastructure. Shadow APIs pose a security risk to your system, since they might be unsecured, unmonitored, and unmaintained.

For a feature overview and usage information, see Shadow API Discovery.

May 14, 2024

On May 14, 2024 we released an updated version of Advanced API Security.

NOTE: Rollouts of this feature are ongoing and will take multiple days to complete across all Google Cloud zones. You may not be able to use the functionality until the rollout is complete.

Addition of autonomous system numbers (ASN), HTTP methods, and region codes as supported security action rule condition types.

This new functionality is not available with Apigee hybrid at this time.

See Create a security action to learn more.

May 09, 2024

On May 9, 2024 we released an updated version of Advanced API Security.

Addition of CIDR range support when specifying IPv4 addresses for security action rules.

Apigee Advanced API Security now includes support for CIDR range specification when creating security action rules that restrict access based on IP addresses.

This new functionality is not available with Apigee hybrid at this time.

See Create a security action to learn more.

March 04, 2024

On March 4, 2024 we released an updated version of Advanced API Security.

New conditions for security actions

You can now create security actions based on the following condition types (in addition to the condition types for Detection rules and IP addresses that were already available):

  • API keys
  • API products
  • Access tokens
  • Developers
  • Developer apps
  • User agents

These new conditions are not available with Apigee hybrid at this time.

See Create a security action to learn more.

January 16, 2024

On January 16, 2024 we released an updated version of Advanced API Security.

Training machine learning models for abuse detection on your data

You now have the option to allow Apigee to train your organization's machine learning models for abuse detection on your data. Training the models on your data helps improve their accuracy for detecting security incidents.

December 13, 2023

On December 13, 2023 we released an updated version of Advanced API Security.

Public preview of archiving security incidents

With this release, you can now archive security incidents that you no longer want to see displayed in the incidents list. For example, you might want to archive incidents that you have already dealt with and no longer need to track. Archiving incidents can help you focus on those incidents that still require your attention. Archiving does not delete the incident: you can always unarchive it whenever you want.

Performance improvements to Risk Assessment security scores

Risk Assessment security scores now load faster in the Apigee UI, due to improved server side caching of scores.

December 06, 2023

On December 6, 2023 we released an updated version of Advanced API Security.

New button to create a security action is now in several places in the Abuse detection and Risk assessment pages

The new button links directly to the Security actions page from the Abuse detection or Risk assessment pages, so you can easily create a security action for the environment you are currently viewing. The button is in the following locations:

  • The Source assessment view in the Risk assessment page
  • The Detected Traffic, Incident, and Incident details views in the Abuse detection page

December 05, 2023

On December 5, 2023 we released an updated version of Advanced API Security.

Changes to proxy security scores

The following changes have been made to the way proxy security scores are calculated:

  • Previously, adding a policy to a proxy or shared flow, but not attaching the policy to any flow (preflow, postflow or conditional flow), could affect the proxy's score.

    With this release, you must attach a policy in a flow in order for the policy to affect the proxy's score. A policy that is not attached in a flow is treated as if no policy were present for scoring.

  • Previously, proxies with no policies were not considered in scoring.

    With this release, proxies with no policies are considered in scoring.

See How policies affect proxy security scores to learn more.

November 01, 2023

On December 6, 2024 we release an updated version of Advanced API Security.

Public preview of Advanced API Security custom profiles in the Apigee UI

With this release, you can now create and edit custom security profiles in the Apigee UI. Custom profiles let you specify the security categories that your security scores are based on.

The Security scores page in the Apigee UI has been renamed to the Risk assessment page, and the page now has tabs for security scores and security profiles.

October 06, 2023

On October 6, 2023, we released an updated version of Advanced API Security.

Public Preview of Advanced API Security Actions

Advanced API Security's new Security Actions feature lets you create security actions that define how Apigee handles detected traffic. You can create the following security actions:

  • Deny actions, which deny requests that meet specified conditions, for example, originating at an IP address that has been identified as a source of abuse.

  • Flag actions, which let requests pass through, but add headers to requests to identify them as suspicious.

  • Allow actions, which are used to override deny actions in specific cases when the request is trusted.

September 27, 2023

On September 27, 2023, we released an updated version of Advanced API Security.

Public preview of Advanced API Security Alerting

Advanced API Security's new alerting feature lets you create alerts for events related to API security using Google Cloud Monitoring, such as changes to your security scores or incidents involving detected API abuse. You can configure alerts to send you notifications by email or other channels when these events occur, so you can take action to counteract them.

September 25, 2023

On September 25, 2023 we release an updated version of Advanced API Security.

If a flow hook contains any FlowCallout policies, Advanced API Security scores now processes all policies from the shared flows that the flow callouts are pointing to for scoring. Further callout chaining is not supported.

Bug ID Description
300849647 Fixed a bug in Security scores for proxies that don't contain any policies in the categories authorization, mediation, threat or CORS .

August 25, 2023

On August 25, 2023, we released an updated version of Apigee Advanced API Security.

This release includes custom profiles for Advanced API Security scores. Custom profiles let you specify the security categories you want your security scores to be based on. In this release, you must create a security profile in the security scores API. However, you can view scores for the profile in the security scores UI.

August 03, 2023

On August 3, 2023, we released an updated version of Apigee Advanced API Security.

Previously, Advanced API Security scores didn't evaluate proxies calling shared flows via flow hooks and the FlowCallout policy in the proxy. With this release, security scores take into account proxies calling shared flows this way. As a result, your security scores may change because they now factor in the shared flows in the environment.

April 20, 2023

On April 20, 2023 we released an updated version of Apigee Advanced API Security.

This release contains a new Advanced API Security Detected Traffic view, which displays information about API traffic originating from detected bots. This information was previously displayed in the Abuse metrics section of the Security scores view.

March 23, 2023

On March 23, 2023, we released an updated version of Apigee Advanced API Security.

Public preview release of Advanced API Security abuse detection

Advanced API Security's new abuse detection feature lets you view security incidents involving your APIs. Abuse detection uses Google's machine learning algorithms to detect API traffic patterns that are a sign of malicious activity targeting your APIs.

Abuse detection includes two new types of detection rules powered by machine learning models:

  • Advanced Anomaly Detection: Detects unusual patterns of API traffic.
  • Advanced API scraper: Detects attempts to extract information from APIs for malicious purposes.

The two new detection rules, Advanced Anomaly Detection and Advanced API Scraper, are not available for organizations with VPC Service Controls. We are actively working to resolve this issue.