Release Notes 2023.7.0

New features and enhancements in Seeker 2023.7.0.

Security risks in the Endpoint Risk dashboard

Seeker automatically identifies the security risk types associated with endpoints and their parameters, and marks them with one or more risk tags, such as SQL, LDAP, SENSITIVE, SHADOW, and more.

You can filter endpoints by risk tags. Clicking on a risk tag opens a popup box with detailed information about the risk and the vulnerable parameters associated with this risk for the current endpoint.

Related Information: View and Explore Inbound Endpoint Risk

General improvements

  • The OWASP Top 10 API Security Risks 2019 and OWASP Top 10 API Security Risks 2023 classifications have been added to the list of major security standards supported by Seeker. Applications exposing APIs are now tested for compliance with these standards.

  • You can now define optional project metadata properties to use for filtering in the project dashboards: Deployment and Criticality. Additionally, you can assign one or more custom tags to a project, much the same way these tags are assigned to vulnerabilities.
    Note: The Time filter in the Projects page has been moved to the Customize display dropdown box.

    Related Information: Add a Project, Edit a Project, Working with Projects

  • For detection of shadow APIs, Seeker parses API specifications to collect endpoints. To help Seeker determine the correct base URL for all endpoints in a specification file, you can optionally specify a base path. A base path is a prefix for all endpoint paths relative to the host root, such as /rest/api in https://www.example.com/rest/api/products.

    Related Information: Configure API specification

  • For Kubernetes deployments of Agents using an admission controller, you can now assign a static value to the SEEKER_COMPOSITE_PROJECT_KEY variable to use as a composite project key in all pods.

    Related Information: Deploy Agents Automatically Using Admission Controller
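
The effect of the base path described in the shadow API item above, as an added illustration (not Seeker's code or its detection logic): documented spec paths are prefixed with the base path before observed requests are compared against them. The spec contents, observed traffic, and the names join_base, compile_spec, and find_shadow are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a minimal OpenAPI-style mapping of path -> methods.
SPEC_PATHS = {
    "/products": ["GET", "POST"],
    "/products/{id}": ["GET", "DELETE"],
}

# Constructed sample of observed requests (method, full URL).
OBSERVED = [
    ("GET", "https://www.example.com/rest/api/products"),
    ("GET", "https://www.example.com/rest/api/products/42?verbose=1"),
    ("POST", "https://www.example.com/rest/api/admin/export"),
]

def join_base(base_path, path):
    """Prefix a spec path with the base path, normalizing slashes."""
    parts = [p for p in (base_path.strip("/"), path.strip("/")) if p]
    return "/" + "/".join(parts)

def compile_spec(spec_paths, base_path=""):
    """Turn templated spec paths into (method, regex) pairs rooted at the host."""
    documented = []
    for path, methods in spec_paths.items():
        full = join_base(base_path, path)
        # A {name} template segment matches exactly one path segment.
        pattern = "/".join(
            "[^/]+" if re.fullmatch(r"\{[^/{}]+\}", seg) else re.escape(seg)
            for seg in full.split("/")
        )
        for method in methods:
            documented.append((method.upper(), re.compile(pattern + "/?")))
    return documented

def find_shadow(observed, spec_paths, base_path=""):
    """Return observed (method, url) pairs that no documented endpoint covers."""
    documented = compile_spec(spec_paths, base_path)
    shadow = []
    for method, url in observed:
        path = urlsplit(url).path  # the query string is not part of the endpoint
        if not any(m == method.upper() and rx.fullmatch(path) for m, rx in documented):
            shadow.append((method, url))
    return shadow
```

With the base path /rest/api only the undocumented admin/export request is reported; with no base path, every observed request fails to match the specification and is reported.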

API

Two new optional parameters have been added to POST /api/{ver}/projects:

  • Boolean autoProjectCreation: toggles the Automatic Project Creation option for composite projects.
  • String autoProjectCreationTemplateKey: Key of a project template to apply to auto-created projects within a composite project.

Related Information: Seeker API reference

Agents

The Seeker Agents have been enhanced with the following features:

Technologies | Features
Go | The Go Agent now supports:
  • Active Inspection of unused and empty parameters.
  • The httprouter web application framework.
Python | The Python Agent now supports the Connexion framework.

Checkers

The following vulnerability checkers have been added, enhanced, or changed:

Technologies | Name | New/Enhanced/Changed
.NET Core | Log Injection; Log Injection (Second-Order); Insufficient Logging of Security Exceptions; Sensitive Data Stored Unencrypted; Sensitive Data Stored Unencrypted (Second-Order) | Enhanced by support for the Microsoft.Extensions.Logging framework

Documentation

The Server Installation Guide now features a high-level architecture and communications diagram of Seeker in a typical on-prem deployment. The diagram is accompanied by the connection details of Seeker internal components and integrated external systems.

Seeker Architecture and Communications