open-appsec is powered by a fully automatic machine learning engine which continuously analyzes HTTP/S requests to Websites or APIs.
Incoming HTTP requests are evaluated against two machine learning models:
a supervised model that was trained offline on millions of malicious and benign requests
an unsupervised model that is built in real time in the protected environment and is specific to that environment's traffic patterns
Contextual analysis includes the application structure and how users interact with the content, in order to automatically stop and block malicious requests and bad actors. See this video tutorial and white paper for a deep-dive into the technology.
open-appsec can be managed using declarative configuration files, Kubernetes Helm Charts and annotations and/or using SaaS Web Management.
open-appsec is deployed either as an add-on to a standard NGINX reverse proxy/web server or with a Kubernetes ingress controller that implements regular ingress resources. It can also be deployed with a Kong API Gateway.
In Kubernetes deployments, the ingress controller is based on a reverse proxy (e.g. NGINX), which has a sidecar container attached to it to provide open-appsec's security inspection and enforcement capabilities.
This allows all arriving traffic to be inspected. The open-appsec engine learns how users normally interact with your web application, then uses that baseline to automatically detect requests that fall outside normal operation and sends those requests for further analysis to decide whether they are malicious or not.
The traffic is then sent to the backend Web Application or Web API.
The open-appsec Agent is a small software component that can be easily deployed on top of an existing Web server, reverse proxy or a Kubernetes ingress controller (serving as reverse proxy) without changing the existing architecture and while ensuring minimal latency and maximum control.
You can also deploy an open-appsec Helm Chart that deploys a ready-to-use, NGINX-based Ingress Controller already integrated with the open-appsec Agent.
An Agent consists of four components: the Attachment, the HTTP Transaction Handler, the Orchestrator and the Watchdog.
Attachment
The Attachment connects the processes that provide HTTP data (for example, the NGINX reverse proxy) to the open-appsec security logic. It is open technology and Check Point provides its source code.
HTTP Transaction Handler Nano-Service
A process (or multiple instances, depending on load) that receives data for processing from the Attachment, executes the AppSec security logic, returns a verdict, and issues the relevant logs.
Orchestrator
A process in charge of agent registration, obtaining policy updates, software updates and other administrative operations.
Watchdog
A process in charge of making sure that all components are up and running.
You can choose between two methods to manage open-appsec:
Declarative Configuration (Local)
Using Config files, Kubernetes YAMLs, CRDs and Annotations
For local-only Management
Logging to stdout or via Syslog
Prometheus/Grafana integration (Coming Soon)
Perfect for DevOps & CI/CD
WebUI-Based Configuration (SaaS)
Easy-to-use WebUI for all configuration tasks
Management using software-as-a-service (SaaS)
Simple wizard-based deployments
Log storage in the cloud
Central status monitoring for agents
Comprehensive events analysis capabilities and dashboards
All the comfort of WebUI for configuration
open-appsec uses a Contextual Machine Learning Engine that utilizes a three-phase approach for detecting and preventing Web application and API attacks.
Phase 1 - Parsing and Decoding the Payload (analyzing all fields of the HTTP request and decoding encoded content such as base64, so that indicators hidden behind encoding become visible)
Phase 2 - Searching for Attack Indicators (patterns for exploiting vulnerabilities from various attack families)
Phase 3 - Determination of the final verdict by the Contextual Evaluation Engine, which combines factors such as the environment, the user, the URL and the specific fields involved in a weighted function to produce a final confidence score
This delivers accurate results with a very low number of false positives and protects the environment in real time against both known attacks and unknown (zero-day) attacks.
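The three phases listed above, combined with the per-environment learning described earlier on this page, as an added worked example in Python. This is illustrative code written for this page, not open-appsec's engine: the indicator patterns, weights, thresholds, the `Baseline` class and the sample traffic for the hypothetical host shop.example are all constructed assumptions. It shows why decoding comes first (a double URL-encoded SQL injection and a base64-wrapped script tag only match after decoding), and how context changes the verdict: the same "union select" indicator is blocked in a shop's search box but discounted in a SQL forum's search box where such content was seen during learning, and a field never seen on a path raises the confidence.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus

# Phase 2 indicator families (family, pattern, base weight): illustrative
# assumptions for this example, not open-appsec's own signatures or weights.
INDICATORS = [
    ("sqli", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), 0.7),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon(load|error|click|mouseover)\s*="), 0.6),
]

def decode_variants(value, max_layers=3):
    """Phase 1: the raw value plus each URL/base64 layer peeled off it (list index = layers)."""
    variants = [value]
    for _ in range(max_layers):
        current = variants[-1]
        decoded = unquote_plus(current)
        if decoded == current and re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", current):
            try:
                decoded = base64.b64decode(current, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                break
        if decoded == current:
            break
        variants.append(decoded)
    return variants

def parse_request(raw):
    """Phase 1: (path, {field: value}) from minimal HTTP/1.1 request text (query, headers, form body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    path, _, query = lines[0].split(" ", 2)[1].partition("?")
    fields = {f"query.{k}": v for k, v in parse_qsl(query, keep_blank_values=True)}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        fields[f"header.{name.strip().lower()}"] = val.strip()
    fields.update({f"body.{k}": v for k, v in parse_qsl(body, keep_blank_values=True)})
    return path, fields

def find_indicators(fields):
    """Phase 2: {(field, family): (weight, decoding layer)} over every decoded variant of every field."""
    hits = {}
    for name, value in fields.items():
        for layer, variant in enumerate(decode_variants(value)):
            for family, pattern, weight in INDICATORS:
                if (name, family) not in hits and pattern.search(variant):
                    hits[(name, family)] = (weight, layer)
    return hits

class Baseline:
    """Stand-in for the unsupervised per-environment model: fields seen per path, and indicator families that occur there legitimately."""

    def __init__(self):
        self.known_fields = set()                # (path, field) pairs seen while learning
        self.benign_families = defaultdict(set)  # (path, field) -> families seen while learning

    def learn(self, raw):
        path, fields = parse_request(raw)
        self.known_fields.update((path, name) for name in fields)
        for name, family in find_indicators(fields):
            self.benign_families[(path, name)].add(family)

    def evaluate(self, raw, prevent_at=0.8, detect_at=0.5):
        """Phase 3: indicator weight adjusted by context, combined into one confidence score and a verdict."""
        path, fields = parse_request(raw)
        score = 0.0
        for (name, family), (weight, layer) in find_indicators(fields).items():
            if family in self.benign_families[(path, name)]:
                weight *= 0.4   # content of this kind is normal for this field on this path
            if (path, name) not in self.known_fields:
                weight += 0.2   # field never seen on this path during learning
            score = max(score, weight + 0.1 * layer)  # indicator hidden behind encoding: more suspicious
        score = min(round(score, 2), 1.0)
        verdict = "prevent" if score >= prevent_at else "detect" if score >= detect_at else "allow"
        return verdict, score

# Constructed sample traffic for the hypothetical site shop.example (not captured data).
LEARNED_TRAFFIC = [
    "GET /search?q=running+shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&pass=s3cret",
    "GET /forum/search?q=union+select+tutorial HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
TEST_REQUESTS = {
    # "' or 1=1" double URL-encoded into a known field: visible only after one extra decoding layer.
    "double_encoded_sqli": "GET /search?q=%2527%2520or%25201%253D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # base64("<script>alert(1)</script>") in a body field never seen on /comment.
    "b64_xss": "POST /comment HTTP/1.1\r\nHost: shop.example\r\n\r\ntext=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
    # "union select" where it is normal: the SQL forum's own search box.
    "forum_question": "GET /forum/search?q=how+to+union+select+two+tables HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

def demo():
    """Learn from the benign traffic, then return {name: (verdict, score)} for the test requests."""
    baseline = Baseline()
    for req in LEARNED_TRAFFIC:
        baseline.learn(req)
    return {name: baseline.evaluate(req) for name, req in TEST_REQUESTS.items()}
```

Running `demo()` gives "prevent" for the double-encoded SQL injection and the base64-wrapped XSS, but "allow" for the forum question, even though the same `sqli` pattern fired: the learned context, not the pattern alone, decides. Note that `parse_qsl` already performs one layer of URL decoding and turns `+` into a space, so base64 values carrying `+` or `/` must be percent-encoded in a real query string; the example keeps the decoding loop bounded (`max_layers`) so a hostile value cannot make the decoder spin.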
Machine learning is often a black box that is difficult to understand and track. open-appsec uses gamification to show the learning progress, so you always know the current learning level and what to do next.