Merge pull request #113 from f5devcentral/matt-aug24

compliance

docs/class4/class4.rst

@@ -12,9 +12,6 @@ Lab Maintainers:
 
 |
 
-
-.. note:: For the TechXchange 2024 - Please use this `Teams chat <https://teams.microsoft.com/l/channel/19%3Aca3de856a85c47b1809f9803723c45d2%40thread.tacv2/XC%20API%20Security%20Lab%20Support?groupId=100b8a10-f3d0-4d73-bc24-c463f941d064&tenantId=dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50>`_ if you have any issues, questions or feedback for the XC API security lab
-
 * Please start this `UDF <https://udf.f5.com/b/1cb733ca-3e77-4783-a91d-98d469eb220b#documentation>`_ to get an invite via F5 email to reset your password for the "f5-emea-workshop" tenant. 
 *	You are going to run a script to generate traffic at the end of “Class 4 - Dynamic API Protection – Enable API discovery” and it can take up to 2 hours maximum to see all results in the Dashboard for the following “API Discovery outcomes” lab section. There is also a note about this in the specific lab section, maybe you combine it with a break 😉.
 * Please make sure you complete the XC API Security Lab before the UDF shuts down because your XC account and configuration will be removed automatically when the UDF deployment stops.

docs/class4/module2/lab5/lab5.rst

@@ -1,7 +1,9 @@
 API Discovery outcomes
 ======================
 
-.. note:: The "traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later.
+.. note:: The "code base and traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later.
+
+.. note:: The code base "repo discovery" is done once a day
 
 Endpoint Discovery
 ------------------
@@ -17,6 +19,9 @@ Endpoint Discovery
 Understand the API Discovery elements
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+API Category
+************
+
 On the top left corner, there are 3 important elements:
 
 * **Inventory** : Endpoints known from the OpenAPI Spec file
@@ -32,6 +37,24 @@ You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow A
    :align: left
    :scale: 50%
 
+
+Discovery Source and Schema Status
+**********************************
+
+The ``Discovery Source`` tells you from which source each EndPoint has been discovered
+
+* Traffic: discovered thanks to traffic passing through XC (real traffic)
+* Code Analysis: discovered by scanning the source code into the repositories
+
+The ``Schema status`` tells you if this Endpoint is part of the OpenAPI specification file
+
+.. image:: ../pictures/code-base-table.png
+   :align: left
+   :scale: 50%
+
+.. note:: These 2 columns are very important. First of all, this shows if the Endpoint is part of the source code. Then, it shows if this Endpoint is exposed (traffic) and also part of the OpenAPI specification file. The best outcome is when an Endpoint is part of Code Base and Traffic discovery and also in OpenAPI Spec file.
+
+
 Go deeper into the discovery
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -49,8 +72,8 @@ Go deeper into the discovery
    :scale: 50%
 
 
-PII Discovery
--------------
+Sensitive Data Discovery
+------------------------
 
 * Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen.
 
@@ -108,4 +131,49 @@ AI/ML Security Posture
 
 * Click on the ``Evidence`` link to get more details about the logs who generated this security posture.
 
-.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic.
+.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic.
+
+Compliance
+----------
+
+The last information provided by F5XC is the ``compliance``. In lab ``Enable API traffic discovery`` we created 2 custom Sensitive Data (called Data Type)
+
+* The ``French Social Security Number``
+* The ``French Phone Number``
+
+To each, we assigned a compliance ``GDPR``. But the F5XC platform has +400 data types into its database. Each data type has one or more compliance assigned.
+For instance, the ``payment-details`` data type is defined as below. You can find it into API Management > Data Types
+
+.. code-block:: json
+   :emphasize-lines: 24, 25
+
+   "get_spec": {
+    "rules": [
+      {
+        "key_pattern": {
+          "exact_values": {
+            "exact_values": [
+              "payment_method",
+              "pay_method",
+              "payment_type",
+              "payment_option",
+              "payment_mode",
+              "payType",
+              "payment_source",
+              "pay_method_type",
+              "payment_service",
+              "payment_system"
+            ]
+          }
+        }
+      }
+    ],
+    "is_sensitive_data": true,
+    "is_pii": false,
+    "compliances": [
+      "PCI_DSS"
+    ],
+
+This data type has the PCI-DSS compliance assigned. It means, if such pattern is seen in the request or in the response for an API Endpoint, F5XC dashboard will categorize this endpoint as PCI-DSS compliance.
+
+.. note:: This compliance is an ``information`` not an ``enforcement``. It shows to SecOps, for each Endpoint, the compliance to apply based on the sensitive datas detected. In our exmaple, the company must rely to PCI-DSS in order to be compliant as a sensitive data belonging to PCI-DSS has been discovered.