diff --git a/.gitignore b/.gitignore index 306eec3..584d17f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ /docs/_build/* #!/docs/_build/html/ #/docs/_build/html/* -#!/docs/_build/html/assets/ \ No newline at end of file +#!/docs/_build/html/assets/ +docs/__pycache__/custom_roles.cpython-311.pyc diff --git a/docs/__pycache__/custom_roles.cpython-311.pyc b/docs/__pycache__/custom_roles.cpython-311.pyc index c840a71..bb0f281 100644 Binary files a/docs/__pycache__/custom_roles.cpython-311.pyc and b/docs/__pycache__/custom_roles.cpython-311.pyc differ diff --git a/docs/class4/.DS_Store b/docs/class4/.DS_Store index 3251478..3813312 100644 Binary files a/docs/class4/.DS_Store and b/docs/class4/.DS_Store differ diff --git a/docs/class4/class4.rst b/docs/class4/class4.rst index 1e3a2af..b76d7e9 100644 --- a/docs/class4/class4.rst +++ b/docs/class4/class4.rst @@ -12,9 +12,6 @@ Lab Maintainers: | - -.. note:: For the TechXchange 2024 - Please use this `Teams chat `_ if you have any issues, questions or feedback for the XC API security lab - * Please start this `UDF `_ to get an invite via F5 email to reset your password for the "f5-emea-workshop" tenant. * You are going to run a script to generate traffic at the end of “Class 4 - Dynamic API Protection – Enable API discovery” and it can take up to 2 hours maximum to see all results in the Dashboard for the following “API Discovery outcomes” lab section. There is also a note about this in the specific lab section, maybe you combine it with a break 😉. * Please make sure you complete the XC API Security Lab before the UDF shuts down because your XC account and configuration will be removed automatically when the UDF deployment stops. diff --git a/docs/class4/module2/.DS_Store b/docs/class4/module2/.DS_Store index 8dd72c4..666e0d6 100644 Binary files a/docs/class4/module2/.DS_Store and b/docs/class4/module2/.DS_Store differ 
diff --git a/docs/class4/module2/lab1/lab1.rst b/docs/class4/module2/lab1/lab1.rst index b09e0c2..53e62dc 100644 --- a/docs/class4/module2/lab1/lab1.rst +++ b/docs/class4/module2/lab1/lab1.rst @@ -1,4 +1,4 @@ -Enable API Validation +Enable API validation ===================== In the previous section, we enabled API Protection. API Protection is based on rules (allow, deny), but API Validation goes deeper into the validation. diff --git a/docs/class4/module2/lab2/lab2.rst b/docs/class4/module2/lab2/lab2.rst index 1de1fa4..a3a76ce 100644 --- a/docs/class4/module2/lab2/lab2.rst +++ b/docs/class4/module2/lab2/lab2.rst 
@@ -1,79 +1,72 @@ -Enable API discovery -==================== +Enable API code scanning discovery (under construction) +======================================================= -In the previous section, we enabled ``API Validation`` in order to enforce protection on ``what we know`` from the OpenAPI Spec file. -But we kept the ``Fall Through Mode`` to ``Allow`` so that we do not break the application or impact business down when DevOps push a new version of the API, but SecOps are not ready or up to date. +F5 solutions can detect and protect APIs during the full API develoment lifecycle which includes also to learn API endpoints and further information to e.g. build the schema from the source code the developers create and maintain on the code repository. -The ``API Discovery`` will provide visility for SecOps in order to see this ``Drift``. This Drift is the difference between ``what we know`` and ``what we see / what is consumed`` +We use the "Sentence application" source code for this lab: https://github.com/ca-scans/sentence-source-code-v2 -.. image:: ../pictures/slide-api-discovery.png - :align: center - :scale: 40% -Enable Endpoint Discovery -------------------------- +.. note:: There is also a video and a FAQ available for F5 employees -* Edit your Load Balancer again, go to API Protection and enable ``API Discovery`` (keep the default settings) + * FAQ - XC API code scan `FAQ `_ + * Video – API discovery from `code `_ -.. image:: ../pictures/enable-api-discovery.png - :align: left - :scale: 40% +| -Enable PII Discovery --------------------- +Enable Code Base Integration +---------------------------- -OWASP Top10 API requires to detect and discover sensitive datas in Requests and Responses. 
F5 Distributed Cloud supports this and provides a predefined list of known PII (Personal Identifiable Information), such as: +* Goto Web App & API Protection > API Management > Code Base Ingration +* Add a new "Code Base Integration" with the following values -* email -* credit card number -* US Social Security Number -* IP address + * Name: ``github-sentence`` + * Code base: ``Github Integration`` + * Github UserName: ``please check the "internal" tab in the UDF deployment for the username`` + * GitHub Personal Access Token: ``please check the "internal" tab in the UDF deployment for the token`` -But you want to detect your own PII, such as: + +.. image:: ../pictures/code-base-integration-username.png + :align: left -* Country Social Security Number -* Mobile Phone Number -* Etc ... +| -Create custom PII -^^^^^^^^^^^^^^^^^ +* Click on Configure under "GitHub Personal Access Token" to enter the token into "Secret to Blindfold". -* In Sensitive Data Detection, click on ``configure``. -* Add two new ``Defined Custom Sensitive Data Types``, enable detection for ``All Endpoint, Request and Response, Value Pattern`` +.. image:: ../pictures/code-base-integration-token-blindfold.png + :align: left - * For France/French SSN, use this regex ``[12][0-9]{2}(0[1-9]|1[0-2])(2[AB]|[0-9]{2})[0-9]{3}[0-9]{3}([0-9]{2})`` - - * For France/French Mobile Phone, use this regex ``^(?:(?:\+|00)33|0)\s*[1-9](?:[\s.-]*\d{2}){4}$`` -.. image:: ../pictures/pii.png +* Click Apply and Save and Exit +* Go to settings and change it as shown in the screenshot below to display further information. The Health status should change from "INITIALIZING" to "CONNECTED". + +.. image:: ../pictures/code-base-integration-initializing-and-show-settings.png :align: left - :scale: 50% | -.. image:: ../pictures/pii2.png - :align: left - :scale: 50% -| +* XC is going to scan the code, so give it some time until you see further updates on e.g. the "Number of API Repositories" -.. 
image:: ../pictures/pii-both.png +.. image:: ../pictures/code-base-integration-connected.png :align: left - :scale: 50% -| -* SAVE your Load Balancer changes +| +Assign the Code Base Integration to the Load Balancer +----------------------------------------------------- -Run the traffic generator script --------------------------------- +* Edit your Load Balancer, go to the API Protection and enable API Discovery (keep the default settings) -It is time to run a traffic generator script to populate the logs and the AI/ML engines. -* SSH or WEBSSH to the Jumphost -* Run this script into /home/ubuntu/api-protection-lab folder +.. image:: ../pictures/API-discovery-enable.png + :align: left -.. code-block:: none +1. In the same configuration screen, look for API repositories and click on Configure +2. In "Select Code Base Integrations" click on "Add Item" +3. Select the previously created Code Base "github-sentence" +4. Select "Selected API Repositories" +5. Select ca-scans/sentence-source-code-v2 - cd /home/ubuntu/api-protection-lab - bash api-all.sh sentence-re-$$makeId$$.workshop.emea.f5se.com +.. image:: ../pictures/select-api-repo-code.png + :align: left +Select Apply twice and Save and Exit \ No newline at end of file diff --git a/docs/class4/module2/lab3/lab3.rst b/docs/class4/module2/lab3/lab3.rst index ac80210..32b6ba3 100644 --- a/docs/class4/module2/lab3/lab3.rst +++ b/docs/class4/module2/lab3/lab3.rst 
@@ -1,111 +1,105 @@ -API Discovery outcomes -====================== +Enable API traffic discovery +============================ -.. note:: The "discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later. +In the previous section, we enabled ``API Validation`` in order to enforce protection on ``what we know`` from the OpenAPI Spec file. +But we kept the ``Fall Through Mode`` to ``Allow`` so that we do not break the application or impact business down when DevOps push a new version of the API, but SecOps are not ready or up to date. -Endpoint Discovery ------------------- +The ``API Discovery`` will provide visility for SecOps in order to see this ``Drift``. This Drift is the difference between ``what we know`` and ``what we see / what is consumed`` -* Goto Web App & API Protection > Overview > Security > Dashboard -* Click on your Application Load Balancer -* Click on ``API Endpoints`` to see the endpoints in the the "Table" view. +.. image:: ../pictures/slide-api-discovery.png + :align: center + :scale: 40% -.. image:: ../pictures/api-endpoints-table.png - :align: left - :scale: 50% - -Understand the API Discovery elements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -On the top left corner, there are 3 important elements: - -* **Inventory** : Endpoints known from the OpenAPI Spec file - - * In our lab, there are 3 endpoints know (adjectives, animals, locations) +But OWASP Top10 requires also to provide visibility on PII (Personal Identifiable Information) in order to avoid Data Leakage. 
To do so, we will enable ``Sensitive Data Disvovery`` -* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints) -* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory`` +Enable API Endpoint Discovery +----------------------------- -You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API. +* If you skipped the lab2 "Enable Code Scanning Discovery, edit your Load Balancer again, go to API Protection and enable ``API Discovery`` (keep the default settings) -.. image:: ../pictures/shadow.png +.. image:: ../pictures/enable-traffic-discovery.png :align: left - :scale: 50% + :scale: 40% -Go deeper into the discovery -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Enable Sensitive Data Discovery +------------------------------- -* Click on the ``/colors`` shadow API endpoint. A pop-up will appear on the right side of the screen. -* You can see on the top right corner, 2 actions +OWASP Top10 API requires to detect and discover sensitive datas in Requests and Responses. F5 Distributed Cloud supports this and provides a predefined list (+400) of known PII (Personal Identifiable Information), such as: - * **API Protection rule** : if you want to block this endpoint. Let's say SecOps have this power to block unknown endpoints. +* email +* credit card number +* US Social Security Number +* IP address - * **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app. +.. note:: By default, a list is already assigned to the Load Balancer -* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. + .. image:: ../pictures/default-pii-setting.png + :align: left + :scale: 50% -.. 
image:: ../pictures/discovered.png - :align: left - :scale: 50% +But if you want to detect your own PII, such as: -PII Discovery -------------- +* Country Social Security Number +* Mobile Phone Number +* Etc ... -* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen. +You must create your own patterns. - .. image:: ../pictures/pii-1.png - :align: left - :scale: 50% +Create custom Sensitive Data Discovery +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses. +* In Sensitive Data Discovery, select ``Custom`` +* Add a new item - .. image:: ../pictures/pii-2.png - :align: left - :scale: 50% + * Give a name: custom-frenchies + * Select the Compliance Frameworks required for this API Application. We select ``PCI-DSS`` ``GDPR`` -.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data. +.. note:: By selecting PCI-DSS and GDPR, all data patterns classified as PCI-DSS and GDPR will be added. +* But now, we want to add custom patterns to detect frenchy sensitive datas +* Configure ``Defined Custom Sensitive Data Types``, and add 2 items -Click on the ``Graph`` tab to show the API endpoints in a different view. + * Name: ``france-ssn`` + + * Data Type Rules: + + * Value Pattern + * Regex Value : ``[12][0-9]{2}(0[1-9]|1[0-2])(2[AB]|[0-9]{2})[0-9]{3}[0-9]{3}([0-9]{2})`` -.. image:: ../pictures/octopus.png - :align: left - :scale: 50% + * Mark as Sensitive Data + * Mark as PII + * Relevant Compliance: ``GDPR`` - -Authentication Discovery ------------------------- + .. image:: ../pictures/pii-ssn.png + :align: left + :scale: 50% -* Click on an endpoint with an ``Authenticated`` state, like **/api/locations** - .. 
image:: ../pictures/authenticated-endpoint.png - :align: left - :scale: 50% + * Name: ``france-mobile-phone`` + + * Data Type Rules: + + * Value Pattern + * Regex Value : ``^(?:(?:\+|00)33|0)\s*[1-9](?:[\s.-]*\d{2}){4}$`` -* Click on ``Discovered`` tab and check the Authentication details + * Mark as Sensitive Data + * Mark as PII + * Relevant Compliance: ``GDPR`` - .. image:: ../pictures/auth-discovery-new.png - :align: left - :scale: 50% +* Apply and Save your LB config -* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised. - .. image:: ../pictures/basic-auth.png - :align: left - :scale: 50% +Run the traffic generator script +-------------------------------- -AI/ML Security Posture ----------------------- +It is time to run a traffic generator script to populate the logs and the AI/ML engines. -* Click on an endpoint with the highest ``Risk Score`` -* And click on the ``Security Posture`` tab -* Review the recommandations done by the AI/ML engine +* SSH or WEBSSH to the Jumphost +* Run this script into /home/ubuntu/api-protection-lab folder -.. image:: ../pictures/security-posture.png - :align: left - :scale: 50% +.. code-block:: none -* Click on the ``Evidence`` link to get more details about the logs who generated this security posture. + cd /home/ubuntu/api-protection-lab + bash api-all.sh sentence-re-$$makeId$$.workshop.emea.f5se.com -.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic. \ No newline at end of file diff --git a/docs/class4/module2/lab4/lab4.rst b/docs/class4/module2/lab4/lab4.rst index 02ae172..81973d9 100644 --- a/docs/class4/module2/lab4/lab4.rst +++ b/docs/class4/module2/lab4/lab4.rst 
@@ -1,78 +1,4 @@ -API Inventory Management -======================== - -API Inventory Management is a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. - -It allows easy management of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates for API schemas. -This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements. - -Add Shadow API into the Inventory ---------------------------------- - -In the previous lab, we discoverd /api/colors as a ``shadow API``. DevOps already opened a ServiceNow ticket with SecOps to provide the new OpenAPI Spec file including /colors. -But SecOps are late in their ticketing queue, and they haven't seen this ticket yet but they must take a decision about this endpoint. - -SecOps can block the request with an API Protection rule. We covered how to create it in the ``Static API Protection`` lab. FYI, there is a shortcut directly into the API EndPoint screen as shown in the screenshot below. -**Don't block it now, it is a legitimate endpoint.** - -.. image:: ../pictures/protection-rule-colors.png - :align: left - :scale: 50% - - - -We will not block it, SecOps had the information from a side channel this endpoint is part of the application update from yesterday night. - -We need to add this endpoint into the inventory (the OpenAPI Spec), but we will not update the Spec File as the source of truth are the DevOps. Instead, we will add the endpoint into the ``Inclusion List``. - -.. note:: Inventory = OpenAPI File + Inclusion List - -| - -Add the /api/colors shadow API endpoint to the Inventory (inclusion list) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* Click on the three dots (...) at the right of the **/api/colors** endpoint to open the actions menu - -* Click on ``Move to Inventory`` - - .. 
image:: ../pictures/move-to-inventory.png - :align: left - :scale: 50% - -* A warning message will confirm the add - - .. image:: ../pictures/warning-inventory.png - :align: left - :scale: 50% - -* Click ``Move to Inventory`` - -* Now, you can see ``/api/colors`` is not a Shadow API anymore. It is part of Inventory. - - .. image:: ../pictures/moved-inventory.png - :align: left - :scale: 50% - -How to find all endpoints added into the Inventory (Inclusion List) ? -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -As mentioned before, API endpoints are not added into the OAS Spec file because this file is maintenained by AppDev/DevOps. Instead, we create an ``Inventory Inclusion List`` - -* Go to API Management > Edit your API Definition - -* You can see an API Inventory Inclusion List - - .. image:: ../pictures/oas-inclusion-list.png - :align: left - :scale: 50% - -* Click on ``Edit Configuration`` to see the content - - .. image:: ../pictures/inclusion-list.png - :align: left - :scale: 50% - -.. note:: When AppDev/DevOps will push a new version of the OpenAPI Spec file to F5 XC, a new version of the file will be available for the SecOps. SecOps will update the definition with this new file (let's say v2) - If this version includes ``/api/colors``, the entry into the Inventory Inclusion List will not be taken into account. The OAS Spec file specified on F5 XC takes precedence over Inventory Inclusion List. +Enable API on-premises discovery (under construction) +====================================================== +Please come back later :) \ No newline at end of file diff --git a/docs/class4/module2/lab5/lab5.rst b/docs/class4/module2/lab5/lab5.rst new file mode 100644 index 0000000..a0d1661 --- /dev/null +++ b/docs/class4/module2/lab5/lab5.rst 
@@ -0,0 +1,179 @@ +API Discovery outcomes +====================== + +.. note:: The "traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later. + +.. note:: The "code base repo discovery" is done once a day + +Endpoint Discovery +------------------ + +* Goto Web App & API Protection > Overview > Security > Dashboard +* Click on your Application Load Balancer +* Click on ``API Endpoints`` to see the endpoints in the the "Table" view. + +.. image:: ../pictures/api-endpoints-table.png + :align: left + :scale: 50% + +Understand the API Discovery elements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +API Category +************ + +On the top left corner, there are 3 important elements: + +* **Inventory** : Endpoints known from the OpenAPI Spec file + + * In our lab, there are 3 endpoints know (adjectives, animals, locations) + +* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints) +* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory`` + +You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API. + +.. image:: ../pictures/shadow.png + :align: left + :scale: 50% + + +Discovery Source and Schema Status +********************************** + +The ``Discovery Source`` tells you from which source each EndPoint has been discovered + +* Traffic: discovered thanks to traffic passing through XC (real traffic) +* Code Analysis: discovered by scanning the source code into the repositories + +The ``Schema status`` tells you if this Endpoint is part of the OpenAPI specification file + +.. image:: ../pictures/code-base-table.png + :align: left + :scale: 50% + +.. 
note:: These 2 columns are very important. First of all, this shows if the Endpoint is part of the source code. Then, it shows if this Endpoint is exposed (traffic) and also part of the OpenAPI specification file. The best outcome is when an Endpoint is part of Code Base and Traffic discovery and also in OpenAPI Spec file. + + +Go deeper into the discovery +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Click on the ``/colors`` shadow API endpoint. A pop-up will appear on the right side of the screen. +* You can see on the top right corner, 2 actions + + * **API Protection rule** : if you want to block this endpoint. Let's say SecOps have this power to block unknown endpoints. + + * **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app. + +* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. + +.. image:: ../pictures/discovered.png + :align: left + :scale: 50% + + +Sensitive Data Discovery +------------------------ + +* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen. + + .. image:: ../pictures/pii-1.png + :align: left + :scale: 50% + +* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses. + + .. image:: ../pictures/pii-2.png + :align: left + :scale: 50% + +.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data. + + +Click on the ``Graph`` tab to show the API endpoints in a different view. + +.. image:: ../pictures/octopus.png + :align: left + :scale: 50% + + +Authentication Discovery +------------------------ + +* Click on an endpoint with an ``Authenticated`` state, like **/api/locations** + + .. 
image:: ../pictures/authenticated-endpoint.png + :align: left + :scale: 50% + +* Click on ``Discovered`` tab and check the Authentication details + + .. image:: ../pictures/auth-discovery-new.png + :align: left + :scale: 50% + +* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised. + + .. image:: ../pictures/basic-auth.png + :align: left + :scale: 50% + +AI/ML Security Posture +---------------------- + +* Click on an endpoint with the highest ``Risk Score`` +* And click on the ``Security Posture`` tab +* Review the recommandations done by the AI/ML engine + +.. image:: ../pictures/security-posture.png + :align: left + :scale: 50% + +* Click on the ``Evidence`` link to get more details about the logs who generated this security posture. + +.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic. + +Compliance +---------- + +The last information provided by F5XC is the ``compliance``. In lab ``Enable API traffic discovery`` we created 2 custom Sensitive Data (called Data Type) + +* The ``French Social Security Number`` +* The ``French Phone Number`` + +To each, we assigned a compliance ``GDPR``. But the F5XC platform has +400 data types into its database. Each data type has one or more compliance assigned. +For instance, the ``payment-details`` data type is defined as below. You can find it into API Management > Data Types + +.. 
code-block:: json + :emphasize-lines: 24, 25 + + "get_spec": { + "rules": [ + { + "key_pattern": { + "exact_values": { + "exact_values": [ + "payment_method", + "pay_method", + "payment_type", + "payment_option", + "payment_mode", + "payType", + "payment_source", + "pay_method_type", + "payment_service", + "payment_system" + ] + } + } + } + ], + "is_sensitive_data": true, + "is_pii": false, + "compliances": [ + "PCI_DSS" + ], + +This data type has the PCI-DSS compliance assigned. It means, if such pattern is seen in the request or in the response for an API Endpoint, F5XC dashboard will categorize this endpoint as PCI-DSS compliance. + +.. note:: This compliance is an ``information`` not an ``enforcement``. It shows to SecOps, for each Endpoint, the compliance to apply based on the sensitive datas detected. In our exmaple, the company must rely to PCI-DSS in order to be compliant as a sensitive data belonging to PCI-DSS has been discovered. \ No newline at end of file diff --git a/docs/class4/module2/lab6/lab6.rst b/docs/class4/module2/lab6/lab6.rst new file mode 100644 index 0000000..02ae172 --- /dev/null +++ b/docs/class4/module2/lab6/lab6.rst 
@@ -0,0 +1,78 @@ +API Inventory Management +======================== + +API Inventory Management is a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. + +It allows easy management of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates for API schemas. +This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements. + +Add Shadow API into the Inventory +--------------------------------- + +In the previous lab, we discoverd /api/colors as a ``shadow API``. DevOps already opened a ServiceNow ticket with SecOps to provide the new OpenAPI Spec file including /colors. +But SecOps are late in their ticketing queue, and they haven't seen this ticket yet but they must take a decision about this endpoint. + +SecOps can block the request with an API Protection rule. We covered how to create it in the ``Static API Protection`` lab. FYI, there is a shortcut directly into the API EndPoint screen as shown in the screenshot below. +**Don't block it now, it is a legitimate endpoint.** + +.. image:: ../pictures/protection-rule-colors.png + :align: left + :scale: 50% + + + +We will not block it, SecOps had the information from a side channel this endpoint is part of the application update from yesterday night. + +We need to add this endpoint into the inventory (the OpenAPI Spec), but we will not update the Spec File as the source of truth are the DevOps. Instead, we will add the endpoint into the ``Inclusion List``. + +.. note:: Inventory = OpenAPI File + Inclusion List + +| + +Add the /api/colors shadow API endpoint to the Inventory (inclusion list) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Click on the three dots (...) at the right of the **/api/colors** endpoint to open the actions menu + +* Click on ``Move to Inventory`` + + .. 
image:: ../pictures/move-to-inventory.png + :align: left + :scale: 50% + +* A warning message will confirm the add + + .. image:: ../pictures/warning-inventory.png + :align: left + :scale: 50% + +* Click ``Move to Inventory`` + +* Now, you can see ``/api/colors`` is not a Shadow API anymore. It is part of Inventory. + + .. image:: ../pictures/moved-inventory.png + :align: left + :scale: 50% + +How to find all endpoints added into the Inventory (Inclusion List) ? +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As mentioned before, API endpoints are not added into the OAS Spec file because this file is maintenained by AppDev/DevOps. Instead, we create an ``Inventory Inclusion List`` + +* Go to API Management > Edit your API Definition + +* You can see an API Inventory Inclusion List + + .. image:: ../pictures/oas-inclusion-list.png + :align: left + :scale: 50% + +* Click on ``Edit Configuration`` to see the content + + .. image:: ../pictures/inclusion-list.png + :align: left + :scale: 50% + +.. note:: When AppDev/DevOps will push a new version of the OpenAPI Spec file to F5 XC, a new version of the file will be available for the SecOps. SecOps will update the definition with this new file (let's say v2) + If this version includes ``/api/colors``, the entry into the Inventory Inclusion List will not be taken into account. The OAS Spec file specified on F5 XC takes precedence over Inventory Inclusion List. + diff --git a/docs/class4/module2/module2.rst b/docs/class4/module2/module2.rst index 13c5e25..659659a 100644 --- a/docs/class4/module2/module2.rst +++ b/docs/class4/module2/module2.rst 
@@ -3,6 +3,11 @@ Dynamic API Protection In this section, we will protect the same modern application with F5 Distributed Cloud, but we will enable the **dynamic** protection where SecOps apply the API Discovery and Validation. +API Discovery relies on 3 different engines in order to protect API during the full API Development Lifecycle + +* Code Base API discovery: we detect API endpoints from the code +* Crawler API Discovery (future release): we detect API endpoints from a crawler scanning all API endpoints +* Traffic API Discovery: we detect API endpoints from user traffic **Module 2 - All sections** diff --git a/docs/class4/module2/pictures/API-discovery-enable.png b/docs/class4/module2/pictures/API-discovery-enable.png new file mode 100644 index 0000000..f26c2fd Binary files /dev/null and b/docs/class4/module2/pictures/API-discovery-enable.png differ diff --git a/docs/class4/module2/pictures/Internal.png b/docs/class4/module2/pictures/Internal.png new file mode 100644 index 0000000..d9d0116 Binary files /dev/null and b/docs/class4/module2/pictures/Internal.png differ diff --git a/docs/class4/module2/pictures/api-endpoints-table.png b/docs/class4/module2/pictures/api-endpoints-table.png index 24c34a0..b545efd 100644 Binary files a/docs/class4/module2/pictures/api-endpoints-table.png and b/docs/class4/module2/pictures/api-endpoints-table.png differ diff --git a/docs/class4/module2/pictures/code-base-integration-connected.png b/docs/class4/module2/pictures/code-base-integration-connected.png new file mode 100644 index 0000000..34e09cd Binary files /dev/null and b/docs/class4/module2/pictures/code-base-integration-connected.png differ 
diff --git a/docs/class4/module2/pictures/code-base-integration-initializing-and-show-settings.png b/docs/class4/module2/pictures/code-base-integration-initializing-and-show-settings.png new file mode 100644 index 0000000..afe987b Binary files /dev/null and b/docs/class4/module2/pictures/code-base-integration-initializing-and-show-settings.png differ diff --git a/docs/class4/module2/pictures/code-base-integration-initializing.png b/docs/class4/module2/pictures/code-base-integration-initializing.png new file mode 100644 index 0000000..2665e95 Binary files /dev/null and b/docs/class4/module2/pictures/code-base-integration-initializing.png differ diff --git a/docs/class4/module2/pictures/code-base-integration-token-blindfold.png b/docs/class4/module2/pictures/code-base-integration-token-blindfold.png new file mode 100644 index 0000000..30e0cd8 Binary files /dev/null and b/docs/class4/module2/pictures/code-base-integration-token-blindfold.png differ diff --git a/docs/class4/module2/pictures/code-base-integration-username.png b/docs/class4/module2/pictures/code-base-integration-username.png new file mode 100644 index 0000000..de9755a Binary files /dev/null and b/docs/class4/module2/pictures/code-base-integration-username.png differ diff --git a/docs/class4/module2/pictures/code-base-table.png b/docs/class4/module2/pictures/code-base-table.png new file mode 100644 index 0000000..5933ab0 Binary files /dev/null and b/docs/class4/module2/pictures/code-base-table.png differ diff --git a/docs/class4/module2/pictures/code-based-repo.png b/docs/class4/module2/pictures/code-based-repo.png new file mode 100644 index 0000000..cdbbf53 Binary files /dev/null and b/docs/class4/module2/pictures/code-based-repo.png differ diff --git a/docs/class4/module2/pictures/create-custom-pii.png b/docs/class4/module2/pictures/create-custom-pii.png new file mode 100644 index 0000000..67bcfc9 Binary files /dev/null and b/docs/class4/module2/pictures/create-custom-pii.png differ 
diff --git a/docs/class4/module2/pictures/default-pii-setting.png b/docs/class4/module2/pictures/default-pii-setting.png new file mode 100644 index 0000000..878db40 Binary files /dev/null and b/docs/class4/module2/pictures/default-pii-setting.png differ diff --git a/docs/class4/module2/pictures/default-pii.png b/docs/class4/module2/pictures/default-pii.png new file mode 100644 index 0000000..03bbc9c Binary files /dev/null and b/docs/class4/module2/pictures/default-pii.png differ diff --git a/docs/class4/module2/pictures/enable-api-discovery.png b/docs/class4/module2/pictures/enable-api-discovery.png index 157f826..26ab050 100644 Binary files a/docs/class4/module2/pictures/enable-api-discovery.png and b/docs/class4/module2/pictures/enable-api-discovery.png differ diff --git a/docs/class4/module2/pictures/enable-traffic-discovery.png b/docs/class4/module2/pictures/enable-traffic-discovery.png new file mode 100644 index 0000000..7b7adbe Binary files /dev/null and b/docs/class4/module2/pictures/enable-traffic-discovery.png differ diff --git a/docs/class4/module2/pictures/pii-ssn.png b/docs/class4/module2/pictures/pii-ssn.png new file mode 100644 index 0000000..4133a27 Binary files /dev/null and b/docs/class4/module2/pictures/pii-ssn.png differ diff --git a/docs/class4/module2/pictures/select-api-repo-code.png b/docs/class4/module2/pictures/select-api-repo-code.png new file mode 100644 index 0000000..72044d9 Binary files /dev/null and b/docs/class4/module2/pictures/select-api-repo-code.png differ
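Review bot: in the `.gitignore` hunk, adding `docs/__pycache__/custom_roles.cpython-311.pyc` to the ignore list does not untrack it, and this same commit still ships a new revision of that binary (`Binary files a/docs/__pycache__/custom_roles.cpython-311.pyc and b/... differ`), as well as updated `docs/class4/.DS_Store` and `docs/class4/module2/.DS_Store`. Run `git rm --cached` on the `.pyc` and both `.DS_Store` files in this commit, and replace the file-specific line with the patterns `__pycache__/` and `.DS_Store` so the next Python minor version or Finder visit does not re-introduce them.

Review bot: in the `lab2.rst` hunk, the instruction "GitHub Personal Access Token: please check the "internal" tab in the UDF deployment for the token" should say what the token is allowed to do, because readers will reproduce this in their own tenant: ask for a fine-grained PAT scoped to the single repository `ca-scans/sentence-source-code-v2` with read-only Contents permission and a short expiry, since Code Base Integration only needs to read source. Putting it in "Secret to Blindfold" is the right step; keep that. Same hunk: "Code Base Ingration" and "develoment" are typos, the new image `Internal.png` is added in this commit but never referenced (it looks like it belongs next to the "internal" tab instructions), the new `.. image::` directives lack the `:scale:` option the rest of the module uses, and the file ends with "Select Apply twice and Save and Exit \ No newline at end of file".

Review bot: in the `lab3.rst` hunk, the two custom regexes are inconsistent about anchoring: the phone pattern is `^(?:(?:\+|00)33|0)\s*[1-9](?:[\s.-]*\d{2}){4}$` while the SSN pattern `[12][0-9]{2}(0[1-9]|1[0-2])(2[AB]|[0-9]{2})[0-9]{3}[0-9]{3}([0-9]{2})` has no anchors or word boundaries. If the platform searches rather than full-matches the value, the SSN pattern will fire on any run of 15 digits inside timestamps, order IDs or card numbers and produce false GDPR findings; if it full-matches, the phone pattern's anchors are redundant. Pick one convention, state which matching mode XC applies, and add `\b` (or `^`/`$`) to the SSN pattern accordingly. Also: the bullet `If you skipped the lab2 "Enable Code Scanning Discovery, edit your Load Balancer` is missing its closing quote and cites a title that does not match lab2's heading "Enable API code scanning discovery (under construction)", and "Sensitive Data Disvovery", "visility" and "datas" are typos.

Review bot: in the `lab4.rst` hunk, the whole "API Inventory Management" lab is replaced by the placeholder "Please come back later :)", and the old content reappears byte-for-byte as `lab6.rst` (new blob `02ae172` equals the old `lab4.rst` blob). Do the move as a rename so history follows the file, and either drop the placeholder page from the module toctree or keep the "(under construction)" marker in the title only, because a page whose body is a smiley will be read as a broken build. Note that `lab6.rst` still opens with "In the previous lab, we discoverd /api/colors as a shadow API", which is now lab5; that still holds, but "discoverd" is a typo and lab5 calls the same endpoint `/colors`, so align the path in one of the two files.

Review bot: in the `lab5.rst` hunk, the note "The "code base repo discovery" is done once a day" conflicts with the lab constraints stated in `class4.rst` ("complete the XC API Security Lab before the UDF shuts down") and with lab2's "give it some time until you see further updates": a once-daily scan means many attendees will never see the `Code Analysis` value in the "Discovery Source" column during their session. Say so explicitly here and tell the reader what the table looks like when only `Traffic` has run, otherwise the "Discovery Source and Schema Status" section reads as if something failed. The JSON under `.. code-block:: json` is a fragment with unbalanced braces; the `:emphasize-lines: 24, 25` indices are correct for the "compliances" lines as shown, but add a sentence saying the output is trimmed so nobody tries to paste it. Typos: "there are 3 endpoints know", "recommandations", "unkown", "exmaple", "Congratulation".

Review bot: in the `module2.rst` hunk, the new list says "API Discovery relies on 3 different engines" and names Code Base, Crawler (future release) and Traffic, but the labs in this same commit are code scanning (lab2), traffic (lab3) and "on-premises discovery" (lab4); crawler has no lab and on-premises is not in the list. Make the list match the labs, or mark which entries are shipping, so the module intro does not promise something the sections do not cover. Also verify there is a blank line between the last bullet and `**Module 2 - All sections**`; the hunk context does not show one, and docutils will otherwise warn "Bullet list ends without a blank line". Neither this hunk nor any other touches the toctree, so confirm `lab5` and `lab6` are actually added to it.

Review bot: in the `pictures/` hunks, several binaries are added or updated without a matching `.. image::` reference anywhere in the new `.rst` text: `Internal.png`, `code-based-repo.png`, `create-custom-pii.png`, `default-pii.png` and `code-base-integration-initializing.png` are new and unreferenced, and `enable-api-discovery.png` is updated here even though the only reference to it is deleted from `lab2.rst` (lab3 now uses `enable-traffic-discovery.png`). Either reference them or drop them from the commit so the repository does not accumulate orphaned screenshots.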