Protect Additional Assets
This page discusses how to add additional assets for protection.
- When logged in to the open-appsec portal, click on the Assets option in the top navigation menu.
- If you have not configured any assets yet, a New Asset option will be available. To create a new Web Application asset, select New Asset -> Web Application.
If you have configured assets before, you can either click New Web Application or Clone Web Application.
Complete the following details:
- Name - choose a clear distinguishable name for your asset
- Tags (Optional) - can be used for searches.
- Profile - Select the profile you created in the previous step. Make sure your deployed agents are connected to the SaaS management; see Connect Deployed Agents to SaaS Management (K8s & Linux).
Step 3: Web Application/API details:
Add the URLs that users/clients will use to reach the application/API: configure at least one host address, with an optional non-standard port. open-appsec will protect these hosts. If your NGINX does not use the default ports (80 for HTTP and/or 443 for HTTPS), make sure to also configure the correct port so that policy is enforced on it. Examples:
- https://172.20.20.4:3000 (sets the non-standard port 3000 for policy enforcement)
- https://sales.acme.com:* (specifying * as the port enforces policy for all destination ports)
Note: in the case of open-appsec for Kong, Kong Gateway's default inbound ports are 8000 for HTTP and 8443 for HTTPS. Make sure to specify these correctly, in addition to the protocol, hostname and path described above, so that the asset matches the traffic to your Kong Gateway.
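The following is an added illustration of the host/port matching rules described above, written for this page; it is not open-appsec's own code. It assumes case-insensitive exact hostname matching, path-prefix matching, and that an omitted port means the proxy's default port for the scheme (80/443 for NGINX, 8000/8443 for Kong). The function names and the `proxy` parameter are assumptions made for the example.

```python
# Added illustration of asset URL matching; not open-appsec's own code.
# Assumptions: exact hostname match, path-prefix match, omitted port means
# the proxy's default port for the scheme (NGINX 80/443, Kong 8000/8443).
from typing import Dict, List, Optional

DEFAULT_PORTS = {
    "nginx": {"http": 80, "https": 443},
    "kong": {"http": 8000, "https": 8443},
}


def parse_asset_url(asset_url: str, proxy: str = "nginx") -> Dict[str, object]:
    """Parse one asset URL as typed into the portal.

    'https://172.20.20.4:3000'  -> port 3000 only
    'https://sales.acme.com:*'  -> every destination port (stored as None)
    'http://api.acme.com'       -> the proxy's default port for http
    Hostnames and IPv4 literals only; bracketed IPv6 is not handled here.
    """
    scheme, sep, rest = asset_url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("http", "https"):
        raise ValueError(f"asset URL needs an http(s) scheme: {asset_url!r}")
    hostport, _, path = rest.partition("/")
    if ":" in hostport:
        host, _, port_str = hostport.rpartition(":")
    else:
        host, port_str = hostport, ""
    if not host:
        raise ValueError(f"asset URL needs a host: {asset_url!r}")
    if port_str == "*":
        port: Optional[int] = None          # wildcard: all destination ports
    elif port_str == "":
        port = DEFAULT_PORTS[proxy][scheme]  # default port for this proxy/scheme
    else:
        port = int(port_str)                 # explicit non-standard port
    return {"scheme": scheme, "host": host.lower(), "port": port, "path": "/" + path}


def asset_matches(asset: Dict[str, object], scheme: str, host: str,
                  port: int, path: str = "/") -> bool:
    """True when a request for scheme://host:port/path falls under the asset."""
    return (asset["scheme"] == scheme.lower()
            and asset["host"] == host.lower()
            and (asset["port"] is None or asset["port"] == port)
            and path.startswith(str(asset["path"])))


def matching_assets(asset_urls: List[str], scheme: str, host: str, port: int,
                    path: str = "/", proxy: str = "nginx") -> List[str]:
    """Return the configured asset URLs that would cover this request."""
    return [u for u in asset_urls
            if asset_matches(parse_asset_url(u, proxy), scheme, host, port, path)]


if __name__ == "__main__":
    # Constructed sample configuration built from the page's example values.
    assets = ["https://172.20.20.4:3000", "https://sales.acme.com:*", "http://api.acme.com"]
    print(matching_assets(assets, "https", "172.20.20.4", 3000))    # non-standard port is covered
    print(matching_assets(assets, "https", "172.20.20.4", 443))     # 443 was never configured: no match
    print(matching_assets(assets, "https", "sales.acme.com", 8443))  # wildcard port covers it
    print(matching_assets(assets, "http", "api.acme.com", 80, proxy="kong"))  # Kong listens on 8000, not 80
```

The last call is the Kong gotcha from the note above: with the Kong defaults, an asset without an explicit port covers 8000, so traffic arriving on 80 would not be matched by that asset.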
Define how the Machine Learning engine should distinguish between different API or human users.
Select the method by which different users will be distinguished from one another. The commonly used options are:
- X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the internet and the Reverse Proxy the agent is running on, the original source IP address cannot be seen at the network level. This option lets the Nano-Agent identify the original source IP from the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB sits in front of the agent's deployment.
In the less common case where more than one reverse proxy and/or ALB sits in front of the open-appsec reverse proxy deployment, add the IP addresses of the previous hops so that they can be distinguished from the original source address.
- Source IP Address - The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.
More advanced methods are also available. These include:
- Cookie Key - when you select this option, you need to add the key name within the cookie whose value is used as the unique identifier of the original source.
- HTTP Header - when you select this option, you need to add the HTTP header name whose value is used as the unique identifier of the original source.
- JWT Key - Authenticated API calls send a JSON Web Token (JWT) received from the authentication API. This JWT usually contains an identifying field. When you select this option, the value of one of the JWT keys is used as the unique identifier of the original source.
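As an added example covering both the Source IP / X-Forwarded-For options and the Cookie Key, HTTP Header and JWT Key options above, the block below shows how each method yields one identifier per request. It is written for this page and is not open-appsec's own code: the request layout, the method names, and the right-to-left walk over X-Forwarded-For that skips the configured previous-hop addresses are assumptions made for the example. The sample request and the HS256 token in it are constructed.

```python
# Added illustration of the user-identification options; not open-appsec's code.
# Assumed: request = {"peer_ip": str, "headers": {name: value}}; methods
# "source-ip", "xff", "cookie", "header", "jwt"; X-Forwarded-For is walked from
# the right, skipping the configured previous-hop addresses.
import base64
import hashlib
import hmac
import ipaddress
import json
from http.cookies import SimpleCookie
from typing import Any, Dict, Iterable, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def original_client_ip(peer_ip: str, xff: str, trusted_hops: Iterable[str] = ()) -> str:
    """Pick the original source out of X-Forwarded-For.

    Each proxy appends the address it saw, so the entry appended by the last
    configured hop is the client. Walking from the right and skipping the hop
    addresses means entries a client prepended itself are never reached. With
    a single proxy/ALB in front of the agent there are no hops to configure
    and the rightmost entry is the answer.
    """
    trusted = {peer_ip, *trusted_hops}
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    for candidate in reversed(chain):
        if candidate in trusted:
            continue
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: do not rely on anything to its left
        return candidate
    return peer_ip  # no usable entry: fall back to the network-level source


def identify_source(request: Dict[str, Any], method: str, param: Optional[str] = None,
                    trusted_hops: Iterable[str] = ()) -> Optional[str]:
    """Return the identifier the learning engine would attribute the request to.

    `param` is the cookie key, header name or JWT claim for the last three
    methods; `trusted_hops` lists extra proxy/ALB addresses for "xff".
    """
    headers = {str(k).lower(): str(v) for k, v in request["headers"].items()}
    peer_ip = str(request["peer_ip"])
    if method == "source-ip":
        return peer_ip
    if method == "xff":
        return original_client_ip(peer_ip, headers.get("x-forwarded-for", ""), trusted_hops)
    if method == "cookie":
        jar = SimpleCookie()
        jar.load(headers.get("cookie", ""))
        return jar[param].value if param in jar else None
    if method == "header":
        return headers.get(param.lower())
    if method == "jwt":
        # The claim is read from the bearer token's payload; signature
        # verification is assumed to be done by the application, not here.
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("bearer "):
            return None
        parts = auth[7:].strip().split(".")
        if len(parts) != 3:
            return None
        try:
            claims = json.loads(_b64url_decode(parts[1]))
        except (ValueError, UnicodeDecodeError):
            return None
        value = claims.get(param) if isinstance(claims, dict) else None
        return None if value is None else str(value)
    raise ValueError(f"unknown identification method {method!r}")


def make_sample_jwt(claims: Dict[str, Any], secret: bytes = b"constructed-test-secret") -> str:
    """Build an HS256-signed token for the constructed sample below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample: client 203.0.113.7 -> corporate proxy 198.51.100.10 ->
# ALB 10.0.0.5 -> the reverse proxy the agent runs on. The client also sent a
# bogus X-Forwarded-For entry (192.0.2.99) of its own.
SAMPLE_REQUEST = {
    "peer_ip": "10.0.0.5",
    "headers": {
        "X-Forwarded-For": "192.0.2.99, 203.0.113.7, 198.51.100.10",
        "Cookie": "theme=dark; session_id=abc123",
        "X-Client-Id": "tenant-77",
        "Authorization": "Bearer " + make_sample_jwt({"sub": "user-42"}),
    },
}

if __name__ == "__main__":
    for method, param, hops in [("source-ip", None, ()), ("xff", None, ()),
                                ("xff", None, ("198.51.100.10",)),
                                ("cookie", "session_id", ()), ("header", "X-Client-Id", ()),
                                ("jwt", "sub", ())]:
        print(method, param, hops, "->", identify_source(SAMPLE_REQUEST, method, param, hops))
```

Running it shows why the previous-hop addresses matter: with no hops configured, the "xff" method attributes the request to the corporate proxy (198.51.100.10), so every user behind it would be learned as one source; once that hop is listed, the original client 203.0.113.7 is returned, and the entry the client prepended is never reached.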
Define how the Machine Learning engine should distinguish the users that can be trusted.
You may define trusted sources that serve as a baseline of benign behavior for comparison, and how many users/addresses must exhibit similar activity before the learning model considers that activity benign.
The Web Application open-appsec protection is already configured and set to "Learn/Detect" mode. This is visible in the Threat Prevention tab showing the security practices configuration.
You do not need to make any changes; it is recommended to start in "Learn/Detect" mode and move to Prevent after the Machine Learning engine has reached a high enough learning level, as explained here.
At the top of the portal near the right corner, there is an "Enforce" option. Click on it to publish the configuration settings to the already deployed agent.