Management & Automation
open-appsec provides enterprise-grade SaaS management, including the ability to group changes and apply them together, the ability for multiple admins to work in parallel with a sophisticated locking mechanism, audit logs, undo/redo and more. Administration can be done using the Web User Interface, the GraphQL API or Infrastructure-as-Code via Terraform.
open-appsec management allows admins to make multiple changes, review them and then either Enforce them altogether or make them available to other administrators.
When an administrator logs in, and upon API authentication, a new session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on objects and rules that are being edited. The changes are saved automatically; there is no need to save manually.
To make your changes available to other administrators, and to save the database before enforcing a policy, you must publish the session. When you publish a session, a new database version is created. You can do this by clicking Publish within the Quick Actions menu (top left corner, click on open-appsec logo). Before you publish the session, you can add some informative attributes to it.
When you click the Enforce button in the top right menu, you are also prompted to publish all unpublished changes in the current session. You cannot enforce a policy if the changes included in the session are not published. Unpublished changes from other sessions will not be included in the policy installation.
There is no need to save changes when working in a session; changes are saved automatically. You can also log out without publishing your changes from the session, and you will see the changes the next time you log in.
It is possible to discard all changes in a session by clicking Discard in the Quick Actions menu.
It is possible to Undo/Redo any change until you publish a session by clicking Undo or Redo in the top right of the portal.
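The session rules above (private unpublished changes, the lock other administrators see, undo/redo until publish, publish creating a new database version, and enforce using only published changes) as an added Python model that is not open-appsec code; the class, method, lock and version names are assumptions chosen for the illustration:

```python
# Added example, not open-appsec code: a model of the session/publish/enforce
# rules described above. Class, method, lock and version names are assumptions.

class Management:
    def __init__(self):
        self.versions = [{}]        # version 0 is the empty database
        self.locks = {}             # object name -> admin currently editing it
        self.enforced = None
    def published(self):
        return dict(self.versions[-1])


class Session:
    def __init__(self, admin, mgmt):
        self.admin, self.mgmt = admin, mgmt
        self.pending = {}           # auto-saved, not yet published changes
        self._undo, self._redo = [], []
    def view(self):
        # Last published version overlaid with this admin's own changes only.
        return {**self.mgmt.published(), **self.pending}
    def set(self, obj, value):
        holder = self.mgmt.locks.get(obj)
        if holder not in (None, self.admin):
            raise PermissionError(f"{obj} is locked by {holder}")  # lock icon
        self.mgmt.locks[obj] = self.admin
        self._undo.append(dict(self.pending))
        self._redo.clear()
        self.pending[obj] = value
    def _swap(self, src, dst):
        if src:
            dst.append(dict(self.pending))
            self.pending = src.pop()
    def undo(self): self._swap(self._undo, self._redo)
    def redo(self): self._swap(self._redo, self._undo)
    def discard(self):
        self.pending, self._undo, self._redo = {}, [], []
        for obj in [o for o, a in self.mgmt.locks.items() if a == self.admin]:
            del self.mgmt.locks[obj]
    def publish(self):
        # A new database version that every administrator can see.
        self.mgmt.versions.append(self.view())
        self.discard()
        return len(self.mgmt.versions) - 1
    def enforce(self):
        # Refused with unpublished changes; other sessions' unpublished changes never count.
        if self.pending:
            raise RuntimeError("publish the session before enforcing")
        self.mgmt.enforced = self.mgmt.published()
        return self.mgmt.enforced
```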
The system automatically creates an audit log for every configuration change. The log contains the details of the change, the administrator who made it and a timestamp.
You can view the Audit Logs in the Monitoring section.
open-appsec provides two automation methods: the GraphQL API and Infrastructure-as-Code using Terraform. Both allow you to create, read, update or delete any object in the system.
For any kind of automation, it is important to understand the main objects in open-appsec and their relations. The root objects are always Assets. Assets can refer to other objects according to the following hierarchy:
- Asset - Web Application or Web API asset that you wish to protect.
- Asset Behaviors - Trusted Sources used by the Machine Learning Engine.
- Profile - defines shared settings of agents.
- Practices - Web Application Protection Practice or Web API Protection Practice.
- Triggers - Logging settings.
- Behaviors - Web User Response and Exceptions.
open-appsec provides a collection of GraphQL APIs that allow you to authenticate, create, read, update or delete any object in the system, as well as publish or enforce a set of changes.
GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API.
See here more about the API: (available soon)
Provisioning and managing infrastructure is a critical task in DevOps. To accomplish this, modern practices rely on Infrastructure as Code (IaC). By storing your infrastructure configuration in version control systems, you can standardize configuration across your organization, and simplify infrastructure updates.
The open-appsec Terraform provider allows configuration of all aspects of open-appsec using HCL Infrastructure as Code (IaC).
Terraform's Providers form an open-source, feature-rich plugin system. Providers follow specific programmatic conventions that let them express the CRUD lifecycle of individual resources and how to maintain and verify the state of resources that are already deployed.