top of page
Tech_BG.jpeg

Technology

open-appsec is powered by a fully automatic machine learning engine which continuously analyzes HTTP/S requests to Websites or APIs.

 

Incoming HTTP requests are evaluated against two machine learning models:

  • a supervised model that was trained off-line with millions of malicious and benign requests

  • a non-supervised model that is built in real-time in the protected environment and is specific to its traffic patterns

​

Contextual analysis includes the application structure and how users interact with the content, in order to automatically stop and block malicious requests and bad actors. See this video tutorial and white paper for a deep-dive into the technology.

​

open-appsec can be managed using declarative configuration files, Kubernetes Helm Charts and annotations and/or using SaaS Web Management.

​

Architecture

open-appsec is deployed either as add-on to standard NGINX reverse proxy/web-server or with a Kubernetes ingress controller, which implements regular ingress resources. It can also be deployed with a Kong API Gateway.


In Kubernetes deployments, the ingress controller is based on a reverse proxy (e.g. NGINX), which has a sidecar container attached to it to provide open-appsec's security inspection and enforcement capabilities.

​

This allows all traffic that arrives to be inspected. open-appsec engine learns how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and have those requests for further analysis to decide whether the request is malicious or not.

​

The traffic is then sent to the backend Web Application or Web API.

Machine Learning Engine Architecture

Agents

The open-appsec Agent is a small software component that can be easily deployed on top of an existing Web server, reverse proxy or a Kubernetes ingress controller (serving as reverse proxy) without changing the existing architecture and while ensuring minimal latency and maximum control.

 

You can also deploy an open-appsec Helm Chart that deploys a ready-to-use, NGINX-based Ingress Controller already integrated with the open-appsec Agent.

​

Agents include Attachment, HTTP Transaction Handler, Orchestrator and a Watchdog.

​

Attachment

​

The Attachment connects between processes that provide HTTP data and the open-appsec security logic. It is open technology and Check Point provides its open source code.

​​

HTTP Transaction Handler Nano-Service

​

A process (or multiple instances, depending on load) that gets data for processing from the Attachment, executes AppSec security logic, returns a verdict, and issues relevant logs.​

Open-appsec Agent

Orchestrator

​

A process in charge of agent registration, obtaining policy updates, software updates and other administrative operations.

​

Watchdog

​

A process in charge of making sure that all components are up and running.

Configuration Management

You can choose between two methods to manage open-appsec:

Declarative Configuration (Local)

​

  • Cloud-native configuration-as-code

  • Using Config files, Kubernetes YAMLs, CRDs and Annotations​​

  • For local-only Management

  • Logging to stdout or via Syslog

  • Prometheus/Grafana integration (Coming Soon)

​

​

 

 

 

Perfect for DevOps & CI/CD

WebUI-Based Configuration (SaaS)

​​

  • Easy-to-use WebUI for all configuration tasks

  • Management using software-as-a-service (SaaS)​

  • Simple wizard-based deployments

  • Log storage in the cloud

  • ​Central status monitoring for agents​​

  • Comprehensive events analysis capabilities and dashboards

  • Terraform Provider

  • GraphQL API​​​​

​​

​

​All the comfort of WebUI for configuration

Machine Learning

open-appsec uses a Contextual Machine Learning Engine that utilizes a three-phase approach for detecting and preventing Web application and API attacks.

​

Phase 1 - Parsing and Decoding the Payload (analyzing all fields of HTTP requests, base64 decoding...)

Phase 2 - Searching for Attack Indicators (patterns for exploiting vulnerabilities from various families)

Phase 3 - Determination of final verdict using Contextual Evaluation Engine (considering e.g. environment, user, URL, specific fields in weighted function for final confidence score)

 

It delivers accurate results with a very low number of false positives and protects the environment against known and unknown zero-day attacks with real-time protection.

Machine Learning Engine 3 phases

Machine learning is often a black-box which is difficult to understand and track. open-appsec uses gamification in order to demonstrate the learning progress so you can always know the learning level and what to do next.

bottom of page