Please enable the option for importing the new user credentials through .csv file, which was there but now you have removed
Please enable the option for importing the new user credentials through .csv file, which was there but now you have removed after firmware upgradation.
A correct comment. Sophos's claim was that it was insecure. That is a red herring. Using the XML SPI is even worse. See https://support.sophos.com/support/s/article/KB-000038263?language=en_US for example the following example.
So we have the passing of password in clear text on the URL! Yes, I know the URL is a HTTPs connection, but it is visible to all/ In a CSV file it is not. The import of the CSV was also in Https and the CSV file could be store in an encrypted format on the user's disk if they wanted.
Furthermore -the use of this API doses not support the concept of making IT Security "Easy"